dcavalca / rpms / qemu

Forked from rpms/qemu a year ago
Clone

Blame 0007-net-add-checks-to-validate-ring-buffer-pointers-CVE-.patch

cf8819
From: P J P <pjp@fedoraproject.org>
cf8819
Date: Tue, 15 Sep 2015 16:40:49 +0530
cf8819
Subject: [PATCH] net: add checks to validate ring buffer
cf8819
 pointers(CVE-2015-5279)
cf8819
cf8819
Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
cf8819
bytes to process network packets. While receiving packets
cf8819
via ne2000_receive() routine, a local 'index' variable
cf8819
could exceed the ring buffer size, which could lead to a
cf8819
memory buffer overflow. Added other checks at initialisation.
cf8819
cf8819
Reported-by: Qinghao Tang <luodalongde@gmail.com>
cf8819
Signed-off-by: P J P <pjp@fedoraproject.org>
cf8819
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
cf8819
(cherry picked from commit 9bbdbc66e5765068dce76e9269dce4547afd8ad4)
cf8819
---
cf8819
 hw/net/ne2000.c | 19 +++++++++++++++----
cf8819
 1 file changed, 15 insertions(+), 4 deletions(-)
cf8819
cf8819
diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
cf8819
index 44a4264..2bdb4c9 100644
cf8819
--- a/hw/net/ne2000.c
cf8819
+++ b/hw/net/ne2000.c
cf8819
@@ -230,6 +230,9 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
cf8819
     }
cf8819
 
cf8819
     index = s->curpag << 8;
cf8819
+    if (index >= NE2000_PMEM_END) {
cf8819
+        index = s->start;
cf8819
+    }
cf8819
     /* 4 bytes for header */
cf8819
     total_len = size + 4;
cf8819
     /* address for next packet (4 bytes for CRC) */
cf8819
@@ -315,13 +318,19 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
cf8819
         offset = addr | (page << 4);
cf8819
         switch(offset) {
cf8819
         case EN0_STARTPG:
cf8819
-            s->start = val << 8;
cf8819
+            if (val << 8 <= NE2000_PMEM_END) {
cf8819
+                s->start = val << 8;
cf8819
+            }
cf8819
             break;
cf8819
         case EN0_STOPPG:
cf8819
-            s->stop = val << 8;
cf8819
+            if (val << 8 <= NE2000_PMEM_END) {
cf8819
+                s->stop = val << 8;
cf8819
+            }
cf8819
             break;
cf8819
         case EN0_BOUNDARY:
cf8819
-            s->boundary = val;
cf8819
+            if (val << 8 < NE2000_PMEM_END) {
cf8819
+                s->boundary = val;
cf8819
+            }
cf8819
             break;
cf8819
         case EN0_IMR:
cf8819
             s->imr = val;
cf8819
@@ -362,7 +371,9 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
cf8819
             s->phys[offset - EN1_PHYS] = val;
cf8819
             break;
cf8819
         case EN1_CURPAG:
cf8819
-            s->curpag = val;
cf8819
+            if (val << 8 < NE2000_PMEM_END) {
cf8819
+                s->curpag = val;
cf8819
+            }
cf8819
             break;
cf8819
         case EN1_MULT ... EN1_MULT + 7:
cf8819
             s->mult[offset - EN1_MULT] = val;