Re: [Qemu-devel] [PATCH] net: fix insecure temporary file creation in SLiRP

2015-06-03 Thread P J P
-P J P http://feedmug.com

Re: [Qemu-devel] [PATCH] net: fix insecure temporary file creation in SLiRP

2015-06-02 Thread P J P
review), yours doesn't. Suggest you guys figure out together which solution you want. Thank you so much for the review. IMO using separate smb_dir[] is prudent than s-smb_dir. Preferably with strncpy() replaced by pstrcpy(): Yes. Thank you. --- Regards -P J P http://feedmug.com

Re: [Qemu-devel] [PATCH] eepro100: prevent an infinite loop over same command block

2015-11-03 Thread P J P
, I'll update the patch. @max, @Qinghao: did you have chance to test the current patch? (just checking) Thank you. -- - P J P 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Re: [Qemu-devel] [PATCH] eepro100: prevent an infinite loop over same command block

2015-10-16 Thread P J P
+-- On Fri, 16 Oct 2015, Paolo Bonzini wrote --+ | > +if (s->tx.link == s->cu_offset) | > +break; | | Please update the patch to conform to QEMU's coding standards; braces | are required even around single-statement blocks. Done. Please see an updated patch below. ===

Re: [Qemu-devel] [PATCH] Limit memory r/w length to buffer size

2015-10-14 Thread P J P
+-- On Tue, 13 Oct 2015, Markus Armbruster wrote --+ | How is this related to Kevin's | [PATCH] gdbstub: Fix buffer overflows in gdb_handle_packet() | Message-Id: <1444721930-5121-1-git-send-email-kw...@redhat.com> ? Oh, didn't know there was already a patch. Yes it fixes the same issues; Also

Re: [Qemu-devel] [PATCH] gdbstub: Fix buffer overflows in gdb_handle_packet()

2015-10-14 Thread P J P
+-- On Tue, 13 Oct 2015, Kevin Wolf wrote --+ | diff --git a/gdbstub.c b/gdbstub.c | index d2c95b5..9c29aa0 100644 | --- a/gdbstub.c | +++ b/gdbstub.c | @@ -956,6 +956,13 @@ static int gdb_handle_packet(GDBState *s, const char *line_buf) | if (*p == ',') | p++; |

Re: [Qemu-devel] [PATCH] gdbstub: Fix buffer overflows in gdb_handle_packet()

2015-10-14 Thread P J P
digits. | The requested length is in bytes of binary data, so the length of the | actually transferred data on the wire is indeed double that length. I see, got it. Thank you. -- - P J P 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

[Qemu-devel] [PATCH] eepro100: prevent an infinite loop over same command block

2015-10-16 Thread P J P
Hello, An infinite loop issue in hw/net/eepro100.c emulator was reported by Mr Qinghao Tang (CC'd here). Below is a proposed fix patch and details about the issue. === From f06497dfefabbdd6f966a5d6c177d85cd0e5ecd8 Mon Sep 17 00:00:00 2001 From: Prasad J Pandit

Re: [Qemu-devel] [PATCH] eepro100: prevent an infinite loop over same command block

2015-10-17 Thread P J P
nt command block, otherwise loop continues to read the next command block(CB) in the list. -- - P J P 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

[Qemu-devel] [PATCH] Limit memory r/w length to buffer size

2015-10-12 Thread P J P
Hello, An OOB r/w access issue was reported by Mr Gerben Lubbe(CC'd here). The GDB(1) stub protocol supports commands 'm/M' to read & write 'len' bytes from/to the stub memory area. In that, the 'len' parameter value supplied by the host gdb(1) is not validated against the local buffer

Re: [Qemu-devel] [PATCH] Limit memory r/w length to buffer size

2015-10-13 Thread P J P
Hello, +-- On Tue, 13 Oct 2015, P J P wrote --+ | Below is a proposed patch to fix this issue. | | === | > From 88edb457a66f8ff96209a1603914171eade0658b Mon Sep 17 00:00:00 2001 | From: Prasad J Pandit <p...@fedoraproject.org> | Date: Mon, 12 Oct 2015 22:56:41 +0530 | Subject: Limit m

Re: [Qemu-devel] net: vmxnet3: memory leakage issue

2015-12-08 Thread P J P
Hello Jason, +-- On Fri, 4 Dec 2015, Jason Wang wrote --+ | Better with "git send-email". Okay. | What if guest deactivate the device before re-activate the device? |Looks like it could be done through methods: | |1) VMXNET3_CMD_QUIESCE_DEV IIUC, it is used to pause the device when the

[Qemu-devel] [PATCH] ui: vnc: avoid floating point exception

2015-12-03 Thread P J P
Hello Gerd, A floating point exception issue in the VNC server PNG compression support was reported by Mr Lian Yihan, CC'd here. Given below is a proposed (tested) patch to fix this issue. === From 1ca4818333d39fed6567e316e37f6a6516f59c69 Mon Sep 17 00:00:00 2001 From: Prasad J Pandit

Re: [Qemu-devel] net: vmxnet3: memory leakage issue

2015-12-03 Thread P J P
Hello Dmitry, +-- On Thu, 3 Dec 2015, Dmitry Fleytman wrote --+ | The patch is good. | Jason, would you apply is from attachment or should it be resent by "git send-email”? | | Acked-by: Dmitry Fleytman > Thank you. (/me makes a note to learn

Re: [Qemu-devel] [PATCH] ui: vnc: avoid floating point exception

2015-12-03 Thread P J P
Hello Peter, +-- On Thu, 3 Dec 2015, Peter Maydell wrote --+ | The patch doesn't apply to master. Can you produce a version | that does, please? Please see this new one, hope it works. === >From d4661b8d99f8c8439167d85165439c619553b933 Mon Sep 17 00:00:00 2001 From: Prasad J Pandit

Re: [Qemu-devel] net: vmxnet3: memory leakage issue

2015-12-09 Thread P J P
Hello Jason, Dmitry, +-- On Tue, 8 Dec 2015, P J P wrote --+ | |1) VMXNET3_CMD_QUIESCE_DEV | | IIUC, it is used to pause the device when the receiver end is unable to | keep up with the incoming flow. After a brief period, the operation could be | resumed again. | | |2) VMXNET3_REG_DSAL

[Qemu-devel] net: vmxnet3: memory leakage issue

2015-12-02 Thread P J P
Hello Dmitry, all A memory leakage issue was reported by Mr Qinghao Tang, CC'd here. In that, the Qemu VMXNET3 paravirtual device emulator does not check if the device is already active, before activating it. This leads to host memory leakage via calls to vmxnet_tx_pkt_init(), which calls

Re: [Qemu-devel] net: vmxnet3: memory leakage issue

2015-12-11 Thread P J P
Hello Jason, +-- On Fri, 11 Dec 2015, Jason Wang wrote --+ | I think it's possible for attacker. Better wait for Dmitry's answer for | this. Okay. | > +/* Verify if device is active */ | > +if (s->device_active) { | > +VMW_CFPRN("Vmxnet3 device is active"); | > +

Re: [Qemu-devel] [PATCH] usb: hcd-ehci: add check to avoid an infinite loop

2015-12-14 Thread P J P
Hello Gerd, +-- On Mon, 14 Dec 2015, Gerd Hoffmann wrote --+ | Can you test the attached patch please? In case it doesn't fix the bug: Yes, it did fix the infinite loop issue. Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Re: [Qemu-devel] net: vmxnet3: memory leakage issue

2015-12-14 Thread P J P
Hello Dmitry, Jason +-- On Sun, 13 Dec 2015, Dmitry Fleytman wrote --+ | According to Linux driver code VMXNET3_CMD_QUIESCE_DEV does not flip | paused/active states. It always disables device, see vmxnet3_resume() for | |

Re: [Qemu-devel] net: vmxnet3: memory leakage issue

2015-12-15 Thread P J P
Hello Jason, +-- On Tue, 15 Dec 2015, Jason Wang wrote --+ | Patch looks good to me. Queued for 2.6 first. | | If you want to make this for 2.5, you may probably want to send a formal | patch with my "Reviewed-by: " to Peter directly consider we are near to | release. And use "For 2.5" as a

Re: [Qemu-devel] net: vmxnet3: memory leakage issue

2015-12-14 Thread P J P
Hello Dmitry, +-- On Mon, 14 Dec 2015, Dmitry Fleytman wrote --+ | The patch looks basically good. | The only issue I can think of is that now vmxnet_tx_pkt_uninit and | vmxnet_rx_pkt_uninit may be called a few times in a row. For example guest | may quiesce device and then shutdown. In this

Re: [Qemu-devel] net: vmxnet3: memory leakage issue

2015-12-15 Thread P J P
Hello Miao, +-- On Tue, 15 Dec 2015, Miao Yan wrote --+ | So far as I know, vmxnet3 doesn't have a flow control spec. Same is true for | e1000 emulation layer in esxi, writing to flow control register bits is | ignored. Maybe there are some buffering or throttling layer in-between that | do

Re: [Qemu-devel] net: vmxnet3: memory leakage issue

2015-12-15 Thread P J P
+-- On Tue, 15 Dec 2015, Dmitry Fleytman wrote --+ | Hello Prasad, | | Looks good. | Reviewed-by: Dmitry Fleytman Great! Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

[Qemu-devel] [PATCH For 2.5] net: vmxnet3: avoid memory leakage in activate_device

2015-12-15 Thread P J P
Hello Peter, Patch below is reviewed and queued currently for 2.6. Could you please include it in 2.5? -> https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02352.html === From 1a18f291a5d22c0dfa680cf82ada2e021e19bf97 Mon Sep 17 00:00:00 2001 From: Prasad J Pandit

Re: [Qemu-devel] [PATCH For 2.5] net: vmxnet3: avoid memory leakage in activate_device

2015-12-15 Thread P J P
+-- On Tue, 15 Dec 2015, Peter Maydell wrote --+ | > -> https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02352.html | | No, sorry. It is too late by a long way. It can be cc'd to | qemu-stable and go into 2.5.1. I see, okay. I'll send it there. Thank you. -- Prasad J Pandit / Red Hat

[Qemu-devel] [PATCH] hmp: avoid redundant null termination of buffer

2015-12-17 Thread P J P
Hello, An OOB write issue was reported by Mr Ling Liu, CC'd here. It occurs while processing the 'sendkey' command, if the command argument was longer than the 'keyname_buf[16]' buffer. === From b0363f4c0e91671064dd7ffece8a6923c8dcaf20 Mon Sep 17 00:00:00 2001 From: Prasad J Pandit

[Qemu-devel] [PATCH] i386: avoid null pointer dereference

2015-12-17 Thread P J P
Hello, A null pointer dereference issue was reported by Mr Ling Liu, CC'd here. It occurs while doing I/O port write operations via hmp interface. In that, 'current_cpu' remains null as it is not called from cpu_exec loop, which results in the said issue. Below is a proposed

[Qemu-devel] [PATCH] usb: hcd-ehci: add check to avoid an infinite loop

2015-12-10 Thread P J P
Hello Gerd, An infinite loop issue was reported by Mr Qinghao Tang (CC'd), in the USB EHCI emulator. In that, a malicious isochronous transfer descriptor (iTD) list could unfold an infinite loop in the 'ehci_advance_state' routine, by always setting 'again = 0 or 1'. Please see below a

Re: [Qemu-devel] [PATCH] usb: hcd-ehci: add check to avoid an infinite loop

2015-12-14 Thread P J P
+-- On Mon, 14 Dec 2015, Gerd Hoffmann wrote --+ | Good. Is there a cve number for that one which I can add to the commit | message? No, not yet. I'll request one, once it is approved for the upstream. Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053

Re: [Qemu-devel] [PATCH] macio: fix overflow in lba to offset conversion for ATAPI devices

2016-01-04 Thread P J P
+-- On Mon, 4 Jan 2016, Mark Cave-Ayland wrote --+ | /* Calculate current offset */ | -offset = (int64_t)(s->lba << 11) + s->io_buffer_index; | +offset = ((int64_t)(s->lba) << 11) + s->io_buffer_index; Maybe ((int64_t)s->lba << 11) ? No parenthesis

Re: [Qemu-devel] [PATCH v3] net: ne2000: fix bounds check in ioport operations

2016-01-04 Thread P J P
+-- On Mon, 4 Jan 2016, Jason Wang wrote --+ | > +if (addr < 32 | > +|| (addr >= NE2000_PMEM_START | > +&& addr + sizeof(uint32_t) - 1 < NE2000_MEM_SIZE)) { | > return ldl_le_p(s->mem + addr); | > } else { | > return 0x; | | Applied to my

Re: [Qemu-devel] [PATCH] i386: avoid null pointer dereference

2016-01-04 Thread P J P
+-- On Fri, 18 Dec 2015, P J P wrote --+ | A null pointer dereference issue was reported by Mr Ling Liu, CC'd here. It | occurs while doing I/O port write operations via hmp interface. In that, | 'current_cpu' remains null as it is not called from cpu_exec loop, which | results in the said issue

[Qemu-devel] [PATVH v2] net: ne2000: fix bounds check in ioport operations

2015-12-30 Thread P J P
From: Prasad J Pandit While doing ioport r/w operations, ne2000 device emulation suffers from OOB r/w errors. Update respective array bounds check to avoid OOB access. Reported-by: Ling Liu Signed-off-by: Prasad J Pandit ---

[Qemu-devel] [PATCH for v2.3.0] fw_cfg: add check to validate current entry value

2016-01-05 Thread P J P
From: Prasad J Pandit When processing firmware configurations, an OOB r/w access occurs if 's->cur_entry' is set to be invalid(FW_CFG_INVALID=0x). Add a check to validate 's->cur_entry' to avoid such access. Reported-by: Donghai Zdh

[Qemu-devel] [PATCH for v2.3.0] fw_cfg: add check to validate current entry value

2016-01-05 Thread P J P
From: Prasad J Pandit Hello, An OOB r/w access issue was reported by Mr Donghai Zdh, CC'd here. It occurs while processing firmware configurations in Qemu versions prior to 2.4. The OOB memory access crashes the Qemu process on the host. Please see below a (tested) patch

Re: [Qemu-devel] [PATCH for v2.3.0] fw_cfg: add check to validate current entry value

2016-01-05 Thread P J P
+-- On Tue, 5 Jan 2016, P J P wrote --+ | An OOB r/w access issue was reported by Mr Donghai Zdh, CC'd here. Mr Donghai CC'd now. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Re: [Qemu-devel] [PATCH] virtio-blk: Allow startup of empty cdroms

2016-01-06 Thread P J P
(errp, "Device needs media, but drive is empty"); | return; | } The if expression seems little confusing; Maybe -> if (dinfo && !dinfo->media_cd && !blk_is_inserted(conf->conf.blk)) -- - P J P 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Re: [Qemu-devel] [PATCH for v2.3.0] fw_cfg: add check to validate current entry value

2016-01-05 Thread P J P
+-- On Tue, 5 Jan 2016, Stefan Weil wrote --+ | > -s->cur_offset < e->len) { | > +if (s->cur_entry != FW_CFG_INVALID | > +&& s->cur_entry & FW_CFG_WRITE_CHANNEL | > +&& e->callback | > +&& s->cur_offset < e->len) { | | I suggest to test e != NULL instead of

Re: [Qemu-devel] [PATCH for v2.3.0] fw_cfg: add check to validate current entry value

2016-01-06 Thread P J P
+-- On Wed, 6 Jan 2016, 朱东海(启路) wrote --+ | Hi, Will you assign a cve to this vulnerability. Yes, I will once the patch is approved upstream. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

[Qemu-devel] [PATCH v2 for v2.3.0] fw_cfg: add check to validate current entry value

2016-01-05 Thread P J P
From: Prasad J Pandit When processing firmware configurations, an OOB r/w access occurs if 's->cur_entry' is set to be invalid(FW_CFG_INVALID=0x). Add a check to validate 's->cur_entry' to avoid such access. Reported-by: Donghai Zdh

[Qemu-devel] [PATCH v3] net: ne2000: fix bounds check in ioport operations

2015-12-31 Thread P J P
From: Prasad J Pandit While doing ioport r/w operations, ne2000 device emulation suffers from OOB r/w errors. Update respective array bounds check to avoid OOB access. Reported-by: Ling Liu Signed-off-by: Prasad J Pandit ---

Re: [Qemu-devel] [PATVH v2] net: ne2000: fix bounds check in ioport operations

2015-12-31 Thread P J P
+-- On Thu, 31 Dec 2015, Jason Wang wrote --+ | Btw, looking at ne2000_mem_writew(), it has: | addr &= ~1; Yes, this seems to ensure that write starts at an even address. | at the beginning, so looks like we are really safe, Need only to care | about writel? Right, I've sent an updated

Re: [Qemu-devel] [PATCH] ide: ahci: reset ncq object to unused on error

2016-01-08 Thread P J P
+-- On Fri, 8 Jan 2016, John Snow wrote --+ | In both of these error pathways, AIOCB is actually never assigned to | begin with. True, it's mentioned in the commit message. | So it's not necessarily a use-after-free. Yes, right. | I think it should be safe to put ncq_tfs->used = 0

Re: [Qemu-devel] [PATCH] hmp: avoid redundant null termination of buffer

2016-01-09 Thread P J P
+-- On Sat, 9 Jan 2016, Wolfgang Bumiller wrote --+ | > could say: if (!strcmp(keyname_buf, "<")). | | keyname_len+1 (size instead of length) to include the \0, then yes I think | strcmp can be used this way. The +1 should be fine there (since >= covers | it). Yes, right. --

[Qemu-devel] [PATCH v2] ide: ahci: reset ncq object to unused on error

2016-01-08 Thread P J P
From: Prasad J Pandit When processing NCQ commands, AHCI device emulation prepares an NCQ transfer object; To which an aio control block (aiocb) object is assigned in 'execute_ncq_command'. In case, when the NCQ command is invalid, the 'aiocb' object is not assigned, and

Re: [Qemu-devel] [PATCH v2] target-mips: Fix ALIGN instruction when bp=0

2016-01-04 Thread P J P
ead of attachments. And using git-format-patch(1) and git-send-email(1) is more appreciated. I too learned it quite recently. -- - P J P 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Re: [Qemu-devel] [PATVH v2] net: ne2000: fix bounds check in ioport operations

2015-12-30 Thread P J P
+-- On Thu, 31 Dec 2015, Jason Wang wrote --+ | > -(addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) { | > +if (addr < 32 || (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) { | | The change is unnecessary. Okay. | > +if (addr < 32 | > +|| (addr >=

Re: [Qemu-devel] [PATCH v2] ide: ahci: reset ncq object to unused on error

2016-01-08 Thread P J P
+-- On Fri, 8 Jan 2016, John Snow wrote --+ | > ide_state->status = READY_STAT | ERR_STAT; | > ncq_tfs->drive->port_regs.scr_err |= (1 << ncq_tfs->tag); | > +ncq_tfs->used = 0; | > } | | Thanks, applied to my IDE tree: | | https://github.com/jnsnow/qemu/commits/ide |

Re: [Qemu-devel] [PATCH] ivshmem: remove redundant assignment, fix crash with msi=off

2015-12-21 Thread P J P
+-- On Mon, 21 Dec 2015, marcandre.lur...@redhat.com wrote --+ | diff --git a/hw/misc/ivshmem.c b/hw/misc/ivshmem.c | index 7d14222..dcfc8cc 100644 | --- a/hw/misc/ivshmem.c | +++ b/hw/misc/ivshmem.c | @@ -355,12 +355,9 @@ static CharDriverState* create_eventfd_chr_device(IVShmemState *s, |

Re: [Qemu-devel] [PATCH 1/3] net/vmxnet3: return 1 on device activation failure

2015-12-21 Thread P J P
+-- On Mon, 21 Dec 2015, Miao Yan wrote --+ | So return 1 on device activation failure instead of -1; | | Signed-off-by: Miao Yan | --- | hw/net/vmxnet3.c | 2 +- | 1 file changed, 1 insertion(+), 1 deletion(-) | | diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c | index

Re: [Qemu-devel] [PATCH] qmp: return err msg when powerdown a vm when it isn't in running state

2015-12-21 Thread P J P
+-- On Mon, 21 Dec 2015, Qinghua Jin wrote --+ | -void qmp_system_powerdown(Error **erp) | +void qmp_system_powerdown(Error **errp) | { | +if (!runstate_is_running()) { | +error_setg(errp, "Can't powerdown the Virtual Machine when it isn't running"); | +return; | +} |

Re: [Qemu-devel] [PATCH] scsi: initialise info object with appropriate size

2015-12-21 Thread P J P
+-- On Mon, 21 Dec 2015, Paolo Bonzini wrote --+ | I can add the Cc to the commit message as well. For now it's enough to | send a message in Cc so that the qemu-stable people notice it. Okay, great! Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13

[Qemu-devel] [PATCH v2] net: rocker: fix an incorrect array bounds check

2015-12-22 Thread P J P
Hello Paolo, all Please see an updated patch below, as per suggestion in -> https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg04057.html === From 344a487d637be20b3fb110bec36cb703e7f6ecaa Mon Sep 17 00:00:00 2001 From: Prasad J Pandit Date: Wed, 23 Dec 2015

Re: [Qemu-devel] [PATCH] net: rocker: fix an incorrect array bounds check

2015-12-22 Thread P J P
+-- On Tue, 22 Dec 2015, Paolo Bonzini wrote --+ | > === | > diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c | > index c57f1a6..2e77e50 100644 | > --- a/hw/net/rocker/rocker.c | > +++ b/hw/net/rocker/rocker.c | > @@ -232,6 +232,9 @@ static int tx_consume(Rocker *r, DescInfo *info) | >

Re: [Qemu-devel] [PATCH v2] net: rocker: fix an incorrect array bounds check

2015-12-22 Thread P J P
+-- On Tue, 22 Dec 2015, Peter Maydell wrote --+ | Could you submit patches in the usual git send-email format, | please? It's easier for maintainers to process them if they're | not in an odd arrangement that requires manual intervention. | (In particular, comments that aren't intended to go in

[Qemu-devel] [PATCH v2] net: rocker: fix an incorrect array bounds check

2015-12-28 Thread P J P
From: Prasad J Pandit While processing transmit(tx) descriptors in 'tx_consume' routine the switch emulator suffers from an off-by-one error, if a descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=16) fragments. Fix an incorrect bounds check to avoid it.

Re: [Qemu-devel] [PATCH v2] net: rocker: fix an incorrect array bounds check

2015-12-28 Thread P J P
Hello Jason, all +-- On Mon, 28 Dec 2015, Jason Wang wrote --+ | On 12/23/2015 01:14 PM, P J P wrote: | > +-- On Tue, 22 Dec 2015, Peter Maydell wrote --+ | > | Could you submit patches in the usual git send-email format, | > | please? | > | > Yes, surely will do. I did rea

Re: [Qemu-devel] [PATCH v3] qmp: return err msg when powerdown a vm when it isn't in running state

2015-12-21 Thread P J P
+-- On Tue, 22 Dec 2015, Qinghua Jin wrote --+ | -void qmp_system_powerdown(Error **erp) | +void qmp_system_powerdown(Error **errp) | { | +if (!runstate_check(RUN_STATE_RUNNING)) { | +error_setg(errp, | + "Can not powerdown virtual machine as it is not running"); | +

[Qemu-devel] [PATCH] scsi: initialise info object with appropriate size

2015-12-21 Thread P J P
Hello, A stack overflow issue was reported by Mr Qinghao Tang, CC'd here. It occurs while processing the SCSI controller's CTRL_GET_INFO command, as the memset(2) call uses driver supplied 'cmd->iov_size' to initialise the '' object. Please see below a proposed patch to fix this issue.

Re: [Qemu-devel] [PATCH 1/3] net/vmxnet3: return 1 on device activation failure

2015-12-22 Thread P J P
+-- On Tue, 22 Dec 2015, Miao Yan wrote --+ | > If '1' indicates the error, the 'default:' case in the same switch needs to be | > updated too. | | '1' indicates an error on device activation. Not sure about the 'unknown | command' case. Ideally it should be same, inconsistent return codes

[Qemu-devel] [PATCH] net: rocker: fix an incorrect array bounds check

2015-12-22 Thread P J P
Hello Scott, Jiri A stack overflow issue was reported by Mr Qinghao Tang, CC'd here. It occurs while processing transmit(tx) descriptors in tx_consume() routine. If a descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=16) packet fragments, the processing loop suffers an off-by-one

Re: [Qemu-devel] [PATCH] net: rocker: fix an incorrect array bounds check

2015-12-22 Thread P J P
+-- On Tue, 22 Dec 2015, Jiri Pirko wrote --+ | >From f3461d8098a0572786f5a2d7a492863090c73134 Mon Sep 17 00:00:00 2001 | >From: Prasad J Pandit | >Date: Tue, 22 Dec 2015 18:21:00 +0530 | >Subject: [PATCH] net: rocker: fix an incorrect array bounds check | > | >While

Re: [Qemu-devel] [PATCH] net: rocker: fix an incorrect array bounds check

2015-12-22 Thread P J P
+-- On Tue, 22 Dec 2015, Paolo Bonzini wrote --+ | > -if (++iovcnt > ROCKER_TX_FRAGS_MAX) { | > +if (++iovcnt >= ROCKER_TX_FRAGS_MAX) { | | Doesn't this forbid some valid ROCKER_TX_FRAGS_MAX-element iovecs? forbid..? Sorry, I did not get the question. | The check should be

Re: [Qemu-devel] [PATCH] scsi: initialise info object with appropriate size

2015-12-21 Thread P J P
+-- On Mon, 21 Dec 2015, Paolo Bonzini wrote --+ | > diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c | > index d7dc667..576f56c 100644 | > --- a/hw/scsi/megasas.c | > +++ b/hw/scsi/megasas.c | > @@ -718,7 +718,7 @@ static int megasas_ctrl_get_info(MegasasState *s, | > MegasasCmd *cmd) | >

[Qemu-devel] [PATCH] net: ne2000: fix bounds check in ioport operations

2015-12-29 Thread P J P
From: Prasad J Pandit While doing ioport r/w operations, ne2000 device emulation suffers from OOB r/w error. Update respective array bounds check to avoid OOB access. Reported-by: Ling Liu Signed-off-by: Prasad J Pandit ---

[Qemu-devel] [PATCH] net: ne2000: fix bounds check in ioport operations

2015-12-29 Thread P J P
From: Prasad J Pandit Hello, An OOB r/w issue in ne2000 device emulation was reported by Mr Ling Liu, CC'd here. The issue occurs while doing ne2000 ioport r/w operations, due to incorrect array bounds checks. Below is a proposed (tested) patch to fix this issue. Does it

Re: [Qemu-devel] [PATCH] hmp: avoid redundant null termination of buffer

2015-12-17 Thread P J P
Hello Ling, +-- On Fri, 18 Dec 2015, 刘令 wrote --+ | Can you give this a cve id? Yes, I'll request one once it is accepted upstream. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Re: [Qemu-devel] [PATCH for-2.5] eepro100: Prevent two endless loops

2015-11-20 Thread P J P
son would be best to decide that. Thank you. -- - P J P 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Re: [Qemu-devel] [PATCH for-2.5] eepro100: Prevent two endless loops

2015-11-20 Thread P J P
mentioned 256. Not sure what is an ideal count. Thank you. -- - P J P 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Re: [Qemu-devel] [PATCH] eepro100: prevent an infinite loop over same command block

2015-11-19 Thread P J P
Hello Qinghao, +-- On Fri, 20 Nov 2015, Qinghao Tang wrote --+ | Currently what problem do you have? Perhaps I could provide more support. Could you please confirm if the proposed patch here fixes the issue. Secondly there is uncertainty if the CB loop like Jason mentioned earlier is

Re: [Qemu-devel] [PATCH] eepro100: prevent an infinite loop over same command block

2015-11-19 Thread P J P
Hello Qinghao, +-- On Fri, 20 Nov 2015, Qinghao Tang wrote --+ | I think the patch can solve this vulnerability. | I confirm that the loop exist , the poc code can prove that. Great! Thank you so much for the confirmation and the POC code. I'll send an updated patch shortly. Thank you. --

Re: [Qemu-devel] [PATCH] hmp: avoid redundant null termination of buffer

2016-01-11 Thread P J P
+-- On Mon, 11 Jan 2016, Wolfgang Bumiller wrote --+ | Seems we concluded it's best to keep keyname_len around and simply check it | against the sizeof(keyname_buf). | | Here's a full new version as I haven't seen one yet. (With an adapted commit | message and the CVE id added.) Sorry, i

[Qemu-devel] [PATCH] ide: ahci: reset ncq object to unused on error

2016-01-08 Thread P J P
From: Prasad J Pandit When processing NCQ commands, AHCI device emulation prepares an NCQ transfer object; To which an aio control block (aiocb) object is assigned in 'execute_ncq_command'. In case, when the NCQ command is invalid, the 'aiocb' object is not assigned, and

Re: [Qemu-devel] [PATCH] hmp: avoid redundant null termination of buffer

2016-01-08 Thread P J P
)) Actually, only use for 'keyname_len' is in the subsequent if statement, which IIUC compares the keyname_buf for "<" key. Maybe it could say + if (!strncmp(keyname_buf, "<-", 2)) and remove the 'keyname_len' altogether. -- - P J P 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Re: [Qemu-devel] [PATCH] hmp: avoid redundant null termination of buffer

2016-01-08 Thread P J P
Hello, +-- On Fri, 8 Jan 2016, Wolfgang Bumiller wrote --+ | > if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) { | > pstrcpy(keyname_buf, sizeof(keyname_buf), "less"); | > -keyname_len = 4; | | keyname_buf is a char[16] so 4 will not overflow it. | |

Re: [Qemu-devel] [PATCH] hmp: avoid redundant null termination of buffer

2016-01-10 Thread P J P
Hello, +-- On Sun, 10 Jan 2016, Michael Tokarev wrote --+ | So, what's the status of this issue now? | (it is CVE-2015-8619 btw, maybe worth to mention this in the commit message) Yes, if the patch is not yet merged upstream, it'd be good to include this CVE in the commit message. --

Re: [Qemu-devel] [PATCH v2 for v2.3.0] fw_cfg: add check to validate current entry value

2016-01-10 Thread P J P
Hello, +-- On Wed, 6 Jan 2016, P J P wrote --+ | When processing firmware configurations, an OOB r/w access occurs | if 's->cur_entry' is set to be invalid(FW_CFG_INVALID=0x). | Add a check to validate 's->cur_entry' to avoid such access. | | Reported-by: Donghai Zdh <donghai...

Re: [Qemu-devel] [PATCH] net: mipsnet: check transmit buffer size before sending

2016-06-02 Thread P J P
+-- On Thu, 2 Jun 2016, Peter Maydell wrote --+ | > case MIPSNET_TX_DATA_COUNT: | > - s->tx_count = (val <= MAX_ETH_FRAME_SIZE) ? val : 0; | > +s->tx_count = (val < MAX_ETH_FRAME_SIZE) ? val : MAX_ETH_FRAME_SIZE; | > s->tx_written = 0; | | This is a behaviour change

Re: [Qemu-devel] [PATCH] net: mipsnet: check transmit buffer size before sending

2016-06-06 Thread P J P
+-- On Fri, 3 Jun 2016, P J P wrote --+ | +-- On Thu, 2 Jun 2016, Peter Maydell wrote --+ | | > case MIPSNET_TX_DATA_COUNT: | | > - s->tx_count = (val <= MAX_ETH_FRAME_SIZE) ? val : 0; | | > +s->tx_count = (val < MAX_ETH_FRAME_SIZE) ? val : MAX_ETH_FRAME_S

Re: [Qemu-devel] [PATCH v2] scsi: megasas: initialise local configuration data buffer

2016-06-07 Thread P J P
+-- On Wed, 25 May 2016, P J P wrote --+ | Update as per | -> https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg04402.html | | diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c | index dcbd3e1..bf642d4 100644 | --- a/hw/scsi/megasas.c | +++ b/hw/scsi/megasas.c | @@ -1293,7 +129

Re: [Qemu-devel] [PATCH] scsi: mptsas: infinite loop while fetching requests

2016-06-07 Thread P J P
+-- On Tue, 24 May 2016, P J P wrote --+ | diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c | index 499c146..be88e16 100644 | --- a/hw/scsi/mptsas.c | +++ b/hw/scsi/mptsas.c | @@ -754,11 +754,6 @@ static void mptsas_fetch_request(MPTSASState *s) | hwaddr addr; | int size

Re: [Qemu-devel] [PATCH v2] scsi: megasas: initialise local configuration data buffer

2016-06-07 Thread P J P
+-- On Tue, 7 Jun 2016, Paolo Bonzini wrote --+ | They are in already. In particular this is commit | d37af740730dbbb93960cd318e040372d04d6dcf. Okay, thank you. (sorry to bother you) -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Re: [Qemu-devel] [PATCH] scsi: mptsas: infinite loop while fetching requests

2016-06-07 Thread P J P
+-- On Tue, 7 Jun 2016, Paolo Bonzini wrote --+ | > | +if (s->state != MPI_IOC_STATE_OPERATIONAL) { | > | +mptsas_set_fault(s, MPI_IOCSTATUS_INVALID_STATE); | > | +return; | > | +} | > | while (!MPTSAS_FIFO_EMPTY(s, request_post)) { | > |

Re: [Qemu-devel] [PATCH] net: mipsnet: check transmit buffer size before sending

2016-06-08 Thread P J P
Hello Jason, +-- On Wed, 8 Jun 2016, Jason Wang wrote --+ | We need to fix this issue, but instead of changing the behavior, is it | better the add a check in MIPSNET_TX_DATA_BUFFER? Yes, the patch has that too. Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90

[Qemu-devel] [PATCH v2] net: mipsnet: check transmit buffer size before sending

2016-06-08 Thread P J P
From: Prasad J Pandit When processing MIPSnet I/O port write operation, it uses a transmit buffer tx_buffer[MAX_ETH_FRAME_SIZE=1514]. Two indices 's->tx_written' and 's->tx_count' are used to control data written to this buffer. If the two were to be equal before writing,

[Qemu-devel] [PATCH] scsi: megasas: null terminate bios version buffer

2016-06-07 Thread P J P
From: Prasad J Pandit While reading information via 'megasas_ctrl_get_info' routine, a local bios version buffer isn't null terminated. Add the terminating null byte to avoid any OOB access. Reported-by: Li Qiang Signed-off-by: Prasad J Pandit

Re: [Qemu-devel] [PATCH v2] scsi: esp: check TI buffer index before read/write

2016-06-06 Thread P J P
+-- On Tue, 31 May 2016, P J P wrote --+ | switch (saddr) { | case ESP_FIFO: | -if (s->ti_size > 0) { | +if ((s->rregs[ESP_RSTAT] & STAT_PIO_MASK) == 0) { | +/* Data out. */ | +qemu_log_mask(LOG_UNIMP, "esp: PIO data read

[Qemu-devel] [PATCH v3] scsi: esp: check TI buffer index before read/write

2016-06-06 Thread P J P
From: Prasad J Pandit The 53C9X Fast SCSI Controller(FSC) comes with internal 16-byte FIFO buffers. One is used to handle commands and other is for information transfer. Three control variables 'ti_rptr', 'ti_wptr' and 'ti_size' are used to control r/w access to the

Re: [Qemu-devel] [PATCH v2] net: mipsnet: check transmit buffer size before sending

2016-06-13 Thread P J P
Hello Jason, +-- On Mon, 13 Jun 2016, Jason Wang wrote --+ | > case MIPSNET_TX_DATA_BUFFER: | > s->tx_buffer[s->tx_written++] = val; | | I believe we may still have a buffer overflow here, no? No, this is the overflow that the patch is meant to fix. | > -if

[Qemu-devel] [PATCH v3] scsi: esp: check length before dma read

2016-06-15 Thread P J P
From: Prasad J Pandit While doing DMA read into ESP command buffer 's->cmdbuf', the length parameter could exceed the buffer size. Add check to avoid OOB access. Also increase the command buffer size to 32, which is maximum when 's->do_cmd' is set. Reported-by: Li Qiang

Re: [Qemu-devel] [PATCH] scsi: esp: check length before dma read

2016-06-15 Thread P J P
+-- On Wed, 15 Jun 2016, Paolo Bonzini wrote --+ | So a better fix is to change cmdbuf[] to 32 bytes in | include/hw/scsi/esp.h, and define a constant ESP_CMDBUF_SZ equal to 32 | that can be used in handle_ti and in the definition of cmdbuf. Sent a revised patch v3. Thank you. -- Prasad J Pandit

[Qemu-devel] [PATCH] scsi: esp: check length before dma read

2016-06-15 Thread P J P
From: Prasad J Pandit While doing DMA read into ESP command buffer 's->cmdbuf', the length parameter could exceed the buffer size. Add check to avoid OOB access. Reported-by: Li Qiang Signed-off-by: Prasad J Pandit ---

[Qemu-devel] [PATCH v2] scsi: esp: check length before dma read

2016-06-15 Thread P J P
From: Prasad J Pandit While doing DMA read into ESP command buffer 's->cmdbuf', the length parameter could exceed the buffer size. Add check to avoid OOB access. Reported-by: Li Qiang Signed-off-by: Prasad J Pandit ---

Re: [Qemu-devel] [PATCH] scsi: esp: clean up handle_ti/esp_do_dma if s->do_cmd

2016-06-15 Thread P J P
+-- On Wed, 15 Jun 2016, Laszlo Ersek wrote --+ | And I guess Prasad will submit a new version of the buffer overflow fix, | on top of this patch, according to your previous message | . Yes, I'm preparing an update. -- Prasad

Re: [Qemu-devel] [PATCH v3] scsi: esp: check length before dma read

2016-06-15 Thread P J P
Hello Paolo, +-- On Wed, 15 Jun 2016, Paolo Bonzini wrote --+ | Actually, the commit message is wrong. The length parameter cannot | exceed the buffer size anymore. It wouldn't exceed after this patch, right? Is it possible 'esp_do_dma' is called via 'esp_transfer_data' with 's->do_cmd'

[Qemu-devel] [PATCH v4] scsi: esp: check length before dma read

2016-06-15 Thread P J P
From: Prasad J Pandit While doing DMA read into ESP command buffer 's->cmdbuf', it could write past the 's->cmdbuf' area, if it was partially filled; ie. 's->cmdlen' wasn't set at the start of the buffer. Check 'len' to avoid OOB access. Also increase the command buffer

Re: [Qemu-devel] [PATCH] scsi: esp: check TI buffer index before read/write

2016-05-30 Thread P J P
Hello Peter, +-- On Mon, 30 May 2016, Peter Maydell wrote --+ | > +} else if (s->ti_rptr < TI_BUFSZ) { | > s->rregs[ESP_FIFO] = s->ti_buf[s->ti_rptr++]; | > +} else { | > +trace_esp_error_fifo_overrun(); | | Isn't this an underrun, not

[Qemu-devel] [PATCH] scsi: check buffer length before reading scsi command

2016-05-31 Thread P J P
From: Prasad J Pandit The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte FIFO buffer. It is used to handle command and data transfer. Routine get_cmd() in non-DMA mode, uses 'ti_size' to read scsi command into a buffer. Add check to validate command length

[Qemu-devel] [PATCH] net: mipsnet: check transmit buffer size before sending

2016-06-02 Thread P J P
From: Prasad J Pandit When processing MIPSnet I/O port write operation, it uses a transmit buffer tx_buffer[MAX_ETH_FRAME_SIZE=1514]. Two indices 's->tx_written' and 's->tx_count' are used to control data written to this buffer. If the two were to be equal before writing,
