On Sun, Jan 17, 2016 at 10:50 PM, Jason Wang <jasow...@redhat.com> wrote:
>
>
> On 01/14/2016 05:43 PM, Michael S. Tsirkin wrote:
>> gem_receive copies a packet received from network into an rxbuf[2048]
>> array on stack, with size limited by descriptor length set by guest. If
>> guest is malicious and specifies a descriptor length that is too large,
>> and should packet size exceed array size, this results in a buffer
>> overflow.
>>
>> Reported-by: 刘令 <liuling...@360.cn>
>> Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
>> ---
>> hw/net/cadence_gem.c | 8 ++++++++
>> 1 file changed, 8 insertions(+)
>
> Apply to my -net with tweak on commit log (changing receive to transmit
> as noticed).
>
As this is actually an unimplemented feature you should change the
message to a LOG_UNIMP rather than a debug printf.
Regards,
Peter
> Thanks
>
>>
>> diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
>> index 3639fc1..15a0786 100644
>> --- a/hw/net/cadence_gem.c
>> +++ b/hw/net/cadence_gem.c
>> @@ -862,6 +862,14 @@ static void gem_transmit(CadenceGEMState *s)
>> break;
>> }
>>
>> + if (tx_desc_get_length(desc) > sizeof(tx_packet) - (p - tx_packet))
>> {
>> + DB_PRINT("TX descriptor @ 0x%x too large: size 0x%x space
>> 0x%x\n",
>> + (unsigned)packet_desc_addr,
>> + (unsigned)tx_desc_get_length(desc),
>> + sizeof(tx_packet) - (p - tx_packet));
>> + break;
>> + }
>> +
>> /* Gather this fragment of the packet from "dma memory" to our
>> contig.
>> * buffer.
>> */
>
