subject:"\[Qemu\-devel\] \[PATCH\] cadence

Re: [Qemu-devel] [PATCH] cadence_gem: fix buffer overflow

2016-01-18 Thread Jason Wang

On 01/18/2016 03:04 PM, Peter Crosthwaite wrote: > On Sun, Jan 17, 2016 at 10:50 PM, Jason Wang wrote: >> >> On 01/14/2016 05:43 PM, Michael S. Tsirkin wrote: >>> gem_receive copies a packet received from network into an rxbuf[2048] >>> array on stack, with size limited by

Re: [Qemu-devel] [PATCH] cadence_gem: fix buffer overflow

2016-01-18 Thread Peter Crosthwaite

On Mon, Jan 18, 2016 at 12:12 AM, Jason Wang wrote: > > > On 01/18/2016 03:04 PM, Peter Crosthwaite wrote: >> On Sun, Jan 17, 2016 at 10:50 PM, Jason Wang wrote: >>> >>> On 01/14/2016 05:43 PM, Michael S. Tsirkin wrote: gem_receive copies a packet

Re: [Qemu-devel] [PATCH] cadence_gem: fix buffer overflow

2016-01-18 Thread Jason Wang

On 01/18/2016 05:08 PM, Peter Crosthwaite wrote: > On Mon, Jan 18, 2016 at 12:12 AM, Jason Wang wrote: >> >> On 01/18/2016 03:04 PM, Peter Crosthwaite wrote: >>> On Sun, Jan 17, 2016 at 10:50 PM, Jason Wang wrote: On 01/14/2016 05:43 PM, Michael

Re: [Qemu-devel] [PATCH] cadence_gem: fix buffer overflow

2016-01-17 Thread Peter Crosthwaite

On Sun, Jan 17, 2016 at 10:50 PM, Jason Wang wrote: > > > On 01/14/2016 05:43 PM, Michael S. Tsirkin wrote: >> gem_receive copies a packet received from network into an rxbuf[2048] >> array on stack, with size limited by descriptor length set by guest. If >> guest is

Re: [Qemu-devel] [PATCH] cadence_gem: fix buffer overflow

2016-01-17 Thread Jason Wang

On 01/14/2016 05:43 PM, Michael S. Tsirkin wrote: > gem_receive copies a packet received from network into an rxbuf[2048] > array on stack, with size limited by descriptor length set by guest. If > guest is malicious and specifies a descriptor length that is too large, > and should packet size

Re: [Qemu-devel] [PATCH] cadence_gem: fix buffer overflow

2016-01-14 Thread P J P

+-- On Thu, 14 Jan 2016, Michael S. Tsirkin wrote --+ | gem_receive copies a packet received from network into an rxbuf[2048] | array on stack, with size limited by descriptor length set by guest. If | guest is malicious and specifies a descriptor length that is too large, | and should packet

[Qemu-devel] [PATCH] cadence_gem: fix buffer overflow

2016-01-14 Thread Michael S. Tsirkin

gem_receive copies a packet received from network into an rxbuf[2048] array on stack, with size limited by descriptor length set by guest. If guest is malicious and specifies a descriptor length that is too large, and should packet size exceed array size, this results in a buffer overflow.

Re: [Qemu-devel] [PATCH] cadence_gem: fix buffer overflow

2016-01-14 Thread Jason Wang

On 01/14/2016 05:43 PM, Michael S. Tsirkin wrote: > gem_receive copies a packet received from network into an rxbuf[2048] > array on stack, with size limited by descriptor length set by guest. If > guest is malicious and specifies a descriptor length that is too large, > and should packet size

Re: [Qemu-devel] [PATCH] cadence_gem: fix buffer overflow

2016-01-14 Thread P J P

+-- On Fri, 15 Jan 2016, Jason Wang wrote --+ | Looks like we need similar issue in gen_receive(), need to fix that? Yes, I'm preparing a patch. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Re: [Qemu-devel] [PATCH] cadence_gem: fix buffer overflow

Re: [Qemu-devel] [PATCH] cadence_gem: fix buffer overflow

Re: [Qemu-devel] [PATCH] cadence_gem: fix buffer overflow

Re: [Qemu-devel] [PATCH] cadence_gem: fix buffer overflow

Re: [Qemu-devel] [PATCH] cadence_gem: fix buffer overflow

Re: [Qemu-devel] [PATCH] cadence_gem: fix buffer overflow

[Qemu-devel] [PATCH] cadence_gem: fix buffer overflow

Re: [Qemu-devel] [PATCH] cadence_gem: fix buffer overflow

Re: [Qemu-devel] [PATCH] cadence_gem: fix buffer overflow

9 matches

Site Navigation

Mail list logo

Footer information