On 01/18/2016 03:04 PM, Peter Crosthwaite wrote:
> On Sun, Jan 17, 2016 at 10:50 PM, Jason Wang wrote:
>>
>> On 01/14/2016 05:43 PM, Michael S. Tsirkin wrote:
>>> gem_receive copies a packet received from network into an rxbuf[2048]
>>> array on stack, with size limited by
On Mon, Jan 18, 2016 at 12:12 AM, Jason Wang wrote:
>
>
> On 01/18/2016 03:04 PM, Peter Crosthwaite wrote:
>> On Sun, Jan 17, 2016 at 10:50 PM, Jason Wang wrote:
>>>
>>> On 01/14/2016 05:43 PM, Michael S. Tsirkin wrote:
gem_receive copies a packet
On 01/18/2016 05:08 PM, Peter Crosthwaite wrote:
> On Mon, Jan 18, 2016 at 12:12 AM, Jason Wang wrote:
>>
>> On 01/18/2016 03:04 PM, Peter Crosthwaite wrote:
>>> On Sun, Jan 17, 2016 at 10:50 PM, Jason Wang wrote:
On 01/14/2016 05:43 PM, Michael
On Sun, Jan 17, 2016 at 10:50 PM, Jason Wang wrote:
>
>
> On 01/14/2016 05:43 PM, Michael S. Tsirkin wrote:
>> gem_receive copies a packet received from network into an rxbuf[2048]
>> array on stack, with size limited by descriptor length set by guest. If
>> guest is
On 01/14/2016 05:43 PM, Michael S. Tsirkin wrote:
> gem_receive copies a packet received from network into an rxbuf[2048]
> array on stack, with size limited by descriptor length set by guest. If
> guest is malicious and specifies a descriptor length that is too large,
> and should packet size
+-- On Thu, 14 Jan 2016, Michael S. Tsirkin wrote --+
| gem_receive copies a packet received from network into an rxbuf[2048]
| array on stack, with size limited by descriptor length set by guest. If
| guest is malicious and specifies a descriptor length that is too large,
| and should packet
gem_receive copies a packet received from network into an rxbuf[2048]
array on stack, with size limited by descriptor length set by guest. If
guest is malicious and specifies a descriptor length that is too large,
and should packet size exceed array size, this results in a buffer
overflow.
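The bound described in the message above, as an added example that is not code from this thread or from QEMU: a staging copy into a fixed 2048-byte buffer has to be limited by the array size as well as by the guest's descriptor length. The names `rx_copy_len`, `model_receive` and `struct rx_result` are hypothetical, and truncating an oversized packet is an assumption of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RXBUF_SIZE 2048 /* matches the rxbuf[2048] named in the commit message */

struct rx_result {
    size_t copied;   /* bytes actually staged and delivered */
    int truncated;   /* 1 if the packet did not fit */
};

/* Hypothetical helper: bytes that may be staged in rxbuf. pkt_len comes from
 * the network and desc_len from the guest, so neither is trusted; the array
 * size is the only bound the device model itself controls. */
static size_t rx_copy_len(size_t pkt_len, size_t desc_len)
{
    size_t n = pkt_len < desc_len ? pkt_len : desc_len;
    return n < RXBUF_SIZE ? n : RXBUF_SIZE;
}

/* Hypothetical receive path. 'out' stands in for guest memory and must hold
 * at least RXBUF_SIZE bytes. Truncating an oversized packet is an assumption
 * of this sketch; dropping it is an equally valid policy. */
static struct rx_result model_receive(const uint8_t *pkt, size_t pkt_len,
                                      size_t desc_len, uint8_t *out)
{
    uint8_t rxbuf[RXBUF_SIZE];
    struct rx_result r;

    r.copied = rx_copy_len(pkt_len, desc_len);
    r.truncated = r.copied < pkt_len;
    /* Bounding by desc_len alone would write past rxbuf whenever both
     * pkt_len and desc_len exceed RXBUF_SIZE. */
    memcpy(rxbuf, pkt, r.copied);
    memcpy(out, rxbuf, r.copied);
    return r;
}

int main(void)
{
    static uint8_t pkt[3000], out[RXBUF_SIZE]; /* constructed sample input */
    struct rx_result r;

    memset(pkt, 0xAB, sizeof pkt);
    r = model_receive(pkt, sizeof pkt, 0xFFFF, out);
    printf("copied=%zu truncated=%d\n", r.copied, r.truncated);
    return 0;
}
```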
On 01/14/2016 05:43 PM, Michael S. Tsirkin wrote:
> gem_receive copies a packet received from network into an rxbuf[2048]
> array on stack, with size limited by descriptor length set by guest. If
> guest is malicious and specifies a descriptor length that is too large,
> and should packet size
+-- On Fri, 15 Jan 2016, Jason Wang wrote --+
| Looks like we need similar issue in gen_receive(), need to fix that?
Yes, I'm preparing a patch.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F