cadence_gem: fix buffer overflow

gem_transmit copies a packet from guest into an tx_packet[2048] array on stack, with size limited by descriptor length set by guest. If guest is malicious and specifies a descriptor length that is too large, and should packet size exceed array size, this results in a buffer overflow. Reported-by: N 刘令 <liuling-it@360.cn> Signed-off-by: N Michael S. Tsirkin <mst@redhat.com> Signed-off-by: N Jason Wang <jasowang@redhat.com>

cadence_gem: fix buffer overflow
gem_transmit copies a packet from guest into an tx_packet[2048] array on stack, with size limited by descriptor length set by guest. If guest is malicious and specifies a descriptor length that is too large, and should packet size exceed array size, this results in a buffer overflow. Reported-by: N 刘令 <liuling-it@360.cn> Signed-off-by: N Michael S. Tsirkin <mst@redhat.com> Signed-off-by: N Jason Wang <jasowang@redhat.com>
d7f05365 · Michael S. Tsirkin · Jason Wang · 244381ec · d7f05365
隐藏空白更改
内联并排

Showing with 8 addition and 0 deletion

hw/net/cadence_gem.c hw/net/cadence_gem.c +8 -0

未找到文件。
--- a/hw/net/cadence_gem.c
+++ b/hw/net/cadence_gem.c
@@ -867,6 +867,14 @@ static void gem_transmit(CadenceGEMState *s)
            break;
        }

+        if (tx_desc_get_length(desc) > sizeof(tx_packet) - (p - tx_packet)) {
+            DB_PRINT("TX descriptor @ 0x%x too large: size 0x%x space 0x%x\n",
+                     (unsigned)packet_desc_addr,
+                     (unsigned)tx_desc_get_length(desc),
+                     sizeof(tx_packet) - (p - tx_packet));
+            break;
+        }
+
        /* Gather this fragment of the packet from "dma memory" to our contig.
         * buffer.
         */