All of lore.kernel.org
 help / color / mirror / Atom feed
* [Qemu-devel] [PATCH] net: mcf: check buffer descriptor length
@ 2016-09-21 13:45 P J P
  2016-09-21 16:46 ` Paolo Bonzini
  0 siblings, 1 reply; 5+ messages in thread
From: P J P @ 2016-09-21 13:45 UTC (permalink / raw)
  To: Qemu Developers; +Cc: Jason Wang, Li Qiang, Prasad J Pandit

From: Prasad J Pandit <pjp@fedoraproject.org>

ColdFire Fast Ethernet Controller uses buffer descriptors to manage
data flow to/fro receive & transmit queues. While transmitting
packets, it could continue to read buffer descriptors if a buffer
descriptor has length of zero. Add check to avoid it.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
 hw/net/mcf_fec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
index 7c0398e..f193e15 100644
--- a/hw/net/mcf_fec.c
+++ b/hw/net/mcf_fec.c
@@ -161,7 +161,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
         mcf_fec_read_bd(&bd, addr);
         DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
                 addr, bd.flags, bd.length, bd.data);
-        if ((bd.flags & FEC_BD_R) == 0) {
+        if (!bd.length || (bd.flags & FEC_BD_R) == 0) {
             /* Run out of descriptors to transmit.  */
             break;
         }
-- 
2.5.5

^ permalink raw reply related	[flat|nested] 5+ messages in thread
* Re: [Qemu-devel] [PATCH] net: mcf: check buffer descriptor length
  2016-09-21 13:45 [Qemu-devel] [PATCH] net: mcf: check buffer descriptor length P J P
@ 2016-09-21 16:46 ` Paolo Bonzini
  2016-09-21 17:50   ` P J P
  0 siblings, 1 reply; 5+ messages in thread
From: Paolo Bonzini @ 2016-09-21 16:46 UTC (permalink / raw)
  To: P J P, Qemu Developers; +Cc: Jason Wang, Li Qiang, Prasad J Pandit



On 21/09/2016 15:45, P J P wrote:
>          DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
>                  addr, bd.flags, bd.length, bd.data);
> -        if ((bd.flags & FEC_BD_R) == 0) {
> +        if (!bd.length || (bd.flags & FEC_BD_R) == 0) {
>              /* Run out of descriptors to transmit.  */
>              break;
>          }

Is this a bug?

I don't see anything problematic if len == 0 in the remainder of the code,
though I see a bug:

diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
index 0ee8ad9..5a5fc69 100644
--- a/hw/net/mcf_fec.c
+++ b/hw/net/mcf_fec.c
@@ -176,7 +176,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
         if (bd.flags & FEC_BD_L) {
             /* Last buffer in frame.  */
             DPRINTF("Sending packet\n");
-            qemu_send_packet(qemu_get_queue(s->nic), frame, len);
+            qemu_send_packet(qemu_get_queue(s->nic), frame, frame_size);
             ptr = frame;
             frame_size = 0;
             s->eir |= FEC_INT_TXF;

Paolo

^ permalink raw reply related	[flat|nested] 5+ messages in thread
* Re: [Qemu-devel] [PATCH] net: mcf: check buffer descriptor length
  2016-09-21 16:46 ` Paolo Bonzini
@ 2016-09-21 17:50   ` P J P
  2016-09-21 19:33     ` Paolo Bonzini
  0 siblings, 1 reply; 5+ messages in thread
From: P J P @ 2016-09-21 17:50 UTC (permalink / raw)
  To: Paolo Bonzini; +Cc: Qemu Developers, Jason Wang, Li Qiang

+-- On Wed, 21 Sep 2016, Paolo Bonzini wrote --+
| On 21/09/2016 15:45, P J P wrote:
| >          DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
| >                  addr, bd.flags, bd.length, bd.data);
| > -        if ((bd.flags & FEC_BD_R) == 0) {
| > +        if (!bd.length || (bd.flags & FEC_BD_R) == 0) {
| >              /* Run out of descriptors to transmit.  */
| >              break;
| >          }
| 
| Is this a bug?

  Yes, a guest user can control the contents of buffer descriptor 'bd' and 
could set its length to zero and bd.flags to FEC_BD_R; Thus making the loop 
run infinite iterations.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [Qemu-devel] [PATCH] net: mcf: check buffer descriptor length
  2016-09-21 17:50   ` P J P
@ 2016-09-21 19:33     ` Paolo Bonzini
  2016-09-22  6:36       ` P J P
  0 siblings, 1 reply; 5+ messages in thread
From: Paolo Bonzini @ 2016-09-21 19:33 UTC (permalink / raw)
  To: P J P; +Cc: Qemu Developers, Jason Wang, Li Qiang



On 21/09/2016 19:50, P J P wrote:
> +-- On Wed, 21 Sep 2016, Paolo Bonzini wrote --+
> | On 21/09/2016 15:45, P J P wrote:
> | >          DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
> | >                  addr, bd.flags, bd.length, bd.data);
> | > -        if ((bd.flags & FEC_BD_R) == 0) {
> | > +        if (!bd.length || (bd.flags & FEC_BD_R) == 0) {
> | >              /* Run out of descriptors to transmit.  */
> | >              break;
> | >          }
> | 
> | Is this a bug?
> 
>   Yes, a guest user can control the contents of buffer descriptor 'bd' and 
> could set its length to zero and bd.flags to FEC_BD_R; Thus making the loop 
> run infinite iterations.

Not exactly, because addr changes on every call to mcf_fec_read_bd.

You can add a limit (e.g. 1024 or 2048 descriptors), but the patches are
incorrect.

Paolo

> Thank you.
> --
> Prasad J Pandit / Red Hat Product Security Team
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
> 

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [Qemu-devel] [PATCH] net: mcf: check buffer descriptor length
  2016-09-21 19:33     ` Paolo Bonzini
@ 2016-09-22  6:36       ` P J P
  0 siblings, 0 replies; 5+ messages in thread
From: P J P @ 2016-09-22  6:36 UTC (permalink / raw)
  To: Paolo Bonzini; +Cc: Qemu Developers, Jason Wang, Li Qiang

  Hello Paolo,

+-- On Wed, 21 Sep 2016, Paolo Bonzini wrote --+
| Not exactly, because addr changes on every call to mcf_fec_read_bd.

  True, but the initial address 's->tx_descriptor' and 's->etdsr' could be set 
by user in imx_fec_write(). If bd.flags is set to FEC_BD_W, addr is reset to 
initial s->tx_descriptor value of s->etdsr.

        if ((bd.flags & FEC_BD_W) != 0) {                                       
            addr = s->etdsr;                                                    
        }

| You can add a limit (e.g. 1024 or 2048 descriptors), but the patches are
| incorrect.

  Okay, I'll send a revised patch.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2016-09-22  6:36 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-09-21 13:45 [Qemu-devel] [PATCH] net: mcf: check buffer descriptor length P J P
2016-09-21 16:46 ` Paolo Bonzini
2016-09-21 17:50   ` P J P
2016-09-21 19:33     ` Paolo Bonzini
2016-09-22  6:36       ` P J P

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.