* [Qemu-devel] [PATCH] net: mcf: check buffer descriptor length
@ 2016-09-21 13:45 P J P
2016-09-21 16:46 ` Paolo Bonzini
0 siblings, 1 reply; 5+ messages in thread
From: P J P @ 2016-09-21 13:45 UTC (permalink / raw)
To: Qemu Developers; +Cc: Jason Wang, Li Qiang, Prasad J Pandit
From: Prasad J Pandit <pjp@fedoraproject.org>
ColdFire Fast Ethernet Controller uses buffer descriptors to manage
data flow to/fro receive & transmit queues. While transmitting
packets, it could continue to read buffer descriptors if a buffer
descriptor has length of zero. Add check to avoid it.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
hw/net/mcf_fec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
index 7c0398e..f193e15 100644
--- a/hw/net/mcf_fec.c
+++ b/hw/net/mcf_fec.c
@@ -161,7 +161,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
mcf_fec_read_bd(&bd, addr);
DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
addr, bd.flags, bd.length, bd.data);
- if ((bd.flags & FEC_BD_R) == 0) {
+ if (!bd.length || (bd.flags & FEC_BD_R) == 0) {
/* Run out of descriptors to transmit. */
break;
}
--
2.5.5
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [Qemu-devel] [PATCH] net: mcf: check buffer descriptor length
2016-09-21 13:45 [Qemu-devel] [PATCH] net: mcf: check buffer descriptor length P J P
@ 2016-09-21 16:46 ` Paolo Bonzini
2016-09-21 17:50 ` P J P
0 siblings, 1 reply; 5+ messages in thread
From: Paolo Bonzini @ 2016-09-21 16:46 UTC (permalink / raw)
To: P J P, Qemu Developers; +Cc: Jason Wang, Li Qiang, Prasad J Pandit
On 21/09/2016 15:45, P J P wrote:
> DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
> addr, bd.flags, bd.length, bd.data);
> - if ((bd.flags & FEC_BD_R) == 0) {
> + if (!bd.length || (bd.flags & FEC_BD_R) == 0) {
> /* Run out of descriptors to transmit. */
> break;
> }
Is this a bug?
I don't see anything problematic if len == 0 in the remainder of the code,
though I see a bug:
diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
index 0ee8ad9..5a5fc69 100644
--- a/hw/net/mcf_fec.c
+++ b/hw/net/mcf_fec.c
@@ -176,7 +176,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
if (bd.flags & FEC_BD_L) {
/* Last buffer in frame. */
DPRINTF("Sending packet\n");
- qemu_send_packet(qemu_get_queue(s->nic), frame, len);
+ qemu_send_packet(qemu_get_queue(s->nic), frame, frame_size);
ptr = frame;
frame_size = 0;
s->eir |= FEC_INT_TXF;
Paolo
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [Qemu-devel] [PATCH] net: mcf: check buffer descriptor length
2016-09-21 16:46 ` Paolo Bonzini
@ 2016-09-21 17:50 ` P J P
2016-09-21 19:33 ` Paolo Bonzini
0 siblings, 1 reply; 5+ messages in thread
From: P J P @ 2016-09-21 17:50 UTC (permalink / raw)
To: Paolo Bonzini; +Cc: Qemu Developers, Jason Wang, Li Qiang
+-- On Wed, 21 Sep 2016, Paolo Bonzini wrote --+
| On 21/09/2016 15:45, P J P wrote:
| > DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
| > addr, bd.flags, bd.length, bd.data);
| > - if ((bd.flags & FEC_BD_R) == 0) {
| > + if (!bd.length || (bd.flags & FEC_BD_R) == 0) {
| > /* Run out of descriptors to transmit. */
| > break;
| > }
|
| Is this a bug?
Yes, a guest user can control the contents of buffer descriptor 'bd' and
could set its length to zero and bd.flags to FEC_BD_R; Thus making the loop
run infinite iterations.
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Qemu-devel] [PATCH] net: mcf: check buffer descriptor length
2016-09-21 17:50 ` P J P
@ 2016-09-21 19:33 ` Paolo Bonzini
2016-09-22 6:36 ` P J P
0 siblings, 1 reply; 5+ messages in thread
From: Paolo Bonzini @ 2016-09-21 19:33 UTC (permalink / raw)
To: P J P; +Cc: Qemu Developers, Jason Wang, Li Qiang
On 21/09/2016 19:50, P J P wrote:
> +-- On Wed, 21 Sep 2016, Paolo Bonzini wrote --+
> | On 21/09/2016 15:45, P J P wrote:
> | > DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
> | > addr, bd.flags, bd.length, bd.data);
> | > - if ((bd.flags & FEC_BD_R) == 0) {
> | > + if (!bd.length || (bd.flags & FEC_BD_R) == 0) {
> | > /* Run out of descriptors to transmit. */
> | > break;
> | > }
> |
> | Is this a bug?
>
> Yes, a guest user can control the contents of buffer descriptor 'bd' and
> could set its length to zero and bd.flags to FEC_BD_R; Thus making the loop
> run infinite iterations.
Not exactly, because addr changes on every call to mcf_fec_read_bd.
You can add a limit (e.g. 1024 or 2048 descriptors), but the patches are
incorrect.
Paolo
> Thank you.
> --
> Prasad J Pandit / Red Hat Product Security Team
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Qemu-devel] [PATCH] net: mcf: check buffer descriptor length
2016-09-21 19:33 ` Paolo Bonzini
@ 2016-09-22 6:36 ` P J P
0 siblings, 0 replies; 5+ messages in thread
From: P J P @ 2016-09-22 6:36 UTC (permalink / raw)
To: Paolo Bonzini; +Cc: Qemu Developers, Jason Wang, Li Qiang
Hello Paolo,
+-- On Wed, 21 Sep 2016, Paolo Bonzini wrote --+
| Not exactly, because addr changes on every call to mcf_fec_read_bd.
True, but the initial address 's->tx_descriptor' and 's->etdsr' could be set
by user in imx_fec_write(). If bd.flags is set to FEC_BD_W, addr is reset to
initial s->tx_descriptor value of s->etdsr.
if ((bd.flags & FEC_BD_W) != 0) {
addr = s->etdsr;
}
| You can add a limit (e.g. 1024 or 2048 descriptors), but the patches are
| incorrect.
Okay, I'll send a revised patch.
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2016-09-22 6:36 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-09-21 13:45 [Qemu-devel] [PATCH] net: mcf: check buffer descriptor length P J P
2016-09-21 16:46 ` Paolo Bonzini
2016-09-21 17:50 ` P J P
2016-09-21 19:33 ` Paolo Bonzini
2016-09-22 6:36 ` P J P
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.