diff options
| author | Michael S. Tsirkin <mst@redhat.com> | 2016-01-14 11:43:30 +0200 |
|---|---|---|
| committer | Timothy Pearson <tpearson@raptorengineering.com> | 2019-11-29 19:31:26 -0600 |
| commit | 31f7791a59dfe5ff44c61c3d38e9bd5b8dd26d81 (patch) | |
| tree | 0151e2b4bca5cb9686d087601f2742c688e514e4 /hw/net | |
| parent | dce4414695d23709fb57c513de4ee05c17983e91 (diff) | |
| download | hqemu-31f7791a59dfe5ff44c61c3d38e9bd5b8dd26d81.zip hqemu-31f7791a59dfe5ff44c61c3d38e9bd5b8dd26d81.tar.gz | |
cadence_gem: fix buffer overflow
gem_transmit copies a packet from guest into an tx_packet[2048]
array on stack, with size limited by descriptor length set by guest. If
guest is malicious and specifies a descriptor length that is too large,
and should packet size exceed array size, this results in a buffer
overflow.
Reported-by: 刘令 <liuling-it@360.cn>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Diffstat (limited to 'hw/net')
| -rw-r--r-- | hw/net/cadence_gem.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c index e513d9d..0346f3e 100644 --- a/hw/net/cadence_gem.c +++ b/hw/net/cadence_gem.c @@ -867,6 +867,14 @@ static void gem_transmit(CadenceGEMState *s) break; } + if (tx_desc_get_length(desc) > sizeof(tx_packet) - (p - tx_packet)) { + DB_PRINT("TX descriptor @ 0x%x too large: size 0x%x space 0x%x\n", + (unsigned)packet_desc_addr, + (unsigned)tx_desc_get_length(desc), + sizeof(tx_packet) - (p - tx_packet)); + break; + } + /* Gather this fragment of the packet from "dma memory" to our contig. * buffer. */ |
