|
|
7711c0 |
From 72e7bb00aef5e81d870d44e3697d0a247a3bb3af Mon Sep 17 00:00:00 2001
|
|
|
7711c0 |
From: Xiao Wang <jasowang@redhat.com>
|
|
|
7711c0 |
Date: Fri, 17 May 2019 07:29:35 +0200
|
|
|
7711c0 |
Subject: [PATCH 1/9] rtl8139: fix possible out of bound access
|
|
|
7711c0 |
|
|
|
7711c0 |
RH-Author: Xiao Wang <jasowang@redhat.com>
|
|
|
7711c0 |
Message-id: <1558078177-372-2-git-send-email-jasowang@redhat.com>
|
|
|
7711c0 |
Patchwork-id: 88013
|
|
|
7711c0 |
O-Subject: [RHEL7.7 qemu-kvm-rhev PATCH 1/3] rtl8139: fix possible out of bound access
|
|
|
7711c0 |
Bugzilla: 1636780
|
|
|
7711c0 |
RH-Acked-by: Thomas Huth <thuth@redhat.com>
|
|
|
7711c0 |
RH-Acked-by: Jens Freimann <jfreimann@redhat.com>
|
|
|
7711c0 |
RH-Acked-by: Maxime Coquelin <maxime.coquelin@redhat.com>
|
|
|
7711c0 |
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
|
|
|
7711c0 |
|
|
|
7711c0 |
Bugzilla: 1636727
|
|
|
7711c0 |
|
|
|
7711c0 |
In rtl8139_do_receive(), we try to assign size_ to size which converts
|
|
|
7711c0 |
from size_t to integer. This will cause troubles when size_ is greater
|
|
|
7711c0 |
INT_MAX, this will lead a negative value in size and it can then pass
|
|
|
7711c0 |
the check of size < MIN_BUF_SIZE which may lead out of bound access of
|
|
|
7711c0 |
for both buf and buf1.
|
|
|
7711c0 |
|
|
|
7711c0 |
Fixing by converting the type of size to size_t.
|
|
|
7711c0 |
|
|
|
7711c0 |
CC: qemu-stable@nongnu.org
|
|
|
7711c0 |
Reported-by: Daniel Shapira <daniel@twistlock.com>
|
|
|
7711c0 |
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
|
|
|
7711c0 |
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
|
|
7711c0 |
(cherry picked from commit 1a326646fef38782e5542280040ec3ea23e4a730)
|
|
|
7711c0 |
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
|
7711c0 |
---
|
|
|
7711c0 |
hw/net/rtl8139.c | 8 ++++----
|
|
|
7711c0 |
1 file changed, 4 insertions(+), 4 deletions(-)
|
|
|
7711c0 |
|
|
|
7711c0 |
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
|
|
|
7711c0 |
index bc37326..d343fb9 100644
|
|
|
7711c0 |
--- a/hw/net/rtl8139.c
|
|
|
7711c0 |
+++ b/hw/net/rtl8139.c
|
|
|
7711c0 |
@@ -817,7 +817,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t
|
|
|
7711c0 |
RTL8139State *s = qemu_get_nic_opaque(nc);
|
|
|
7711c0 |
PCIDevice *d = PCI_DEVICE(s);
|
|
|
7711c0 |
/* size is the length of the buffer passed to the driver */
|
|
|
7711c0 |
- int size = size_;
|
|
|
7711c0 |
+ size_t size = size_;
|
|
|
7711c0 |
const uint8_t *dot1q_buf = NULL;
|
|
|
7711c0 |
|
|
|
7711c0 |
uint32_t packet_header = 0;
|
|
|
7711c0 |
@@ -826,7 +826,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t
|
|
|
7711c0 |
static const uint8_t broadcast_macaddr[6] =
|
|
|
7711c0 |
{ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
|
|
|
7711c0 |
|
|
|
7711c0 |
- DPRINTF(">>> received len=%d\n", size);
|
|
|
7711c0 |
+ DPRINTF(">>> received len=%zu\n", size);
|
|
|
7711c0 |
|
|
|
7711c0 |
/* test if board clock is stopped */
|
|
|
7711c0 |
if (!s->clock_enabled)
|
|
|
7711c0 |
@@ -1035,7 +1035,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t
|
|
|
7711c0 |
|
|
|
7711c0 |
if (size+4 > rx_space)
|
|
|
7711c0 |
{
|
|
|
7711c0 |
- DPRINTF("C+ Rx mode : descriptor %d size %d received %d + 4\n",
|
|
|
7711c0 |
+ DPRINTF("C+ Rx mode : descriptor %d size %d received %zu + 4\n",
|
|
|
7711c0 |
descriptor, rx_space, size);
|
|
|
7711c0 |
|
|
|
7711c0 |
s->IntrStatus |= RxOverflow;
|
|
|
7711c0 |
@@ -1148,7 +1148,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t
|
|
|
7711c0 |
if (avail != 0 && RX_ALIGN(size + 8) >= avail)
|
|
|
7711c0 |
{
|
|
|
7711c0 |
DPRINTF("rx overflow: rx buffer length %d head 0x%04x "
|
|
|
7711c0 |
- "read 0x%04x === available 0x%04x need 0x%04x\n",
|
|
|
7711c0 |
+ "read 0x%04x === available 0x%04x need 0x%04zx\n",
|
|
|
7711c0 |
s->RxBufferSize, s->RxBufAddr, s->RxBufPtr, avail, size + 8);
|
|
|
7711c0 |
|
|
|
7711c0 |
s->IntrStatus |= RxOverflow;
|
|
|
7711c0 |
--
|
|
|
7711c0 |
1.8.3.1
|
|
|
7711c0 |
|