QEMU-Devel Archive mirror
* [Qemu-devel] [PULL 0/3] Net patches
@ 2015-09-15 12:02 Stefan Hajnoczi
From: Stefan Hajnoczi @ 2015-09-15 12:02 UTC
  To: qemu-devel; +Cc: Peter Maydell, qemu-stable, Stefan Hajnoczi

The following changes since commit 2752e5bedb26fa0c7291f810f9f534b688b2f1d2:

  qapi: Fix cgen() for Python older than 2.7 (2015-09-14 18:02:59 +0100)

are available in the git repository at:

  git://github.com/stefanha/qemu.git tags/net-pull-request

for you to fetch changes up to 737d2b3c41d59eb8f94ab7eb419b957938f24943:

  net: avoid infinite loop when receiving packets(CVE-2015-5278) (2015-09-15 12:51:14 +0100)

----------------------------------------------------------------
This net pull request contains security fixes for qemu.git/master.  The patches
should also be applied to stable trees.

The ne2000 NIC model has a QEMU memory corruption issue.  Both ne2000 and e1000
have an infinite loop.

Please see the patches for CVE numbers and details on the bugs.

----------------------------------------------------------------

P J P (3):
  e1000: Avoid infinite loop in processing transmit descriptor
    (CVE-2015-6815)
  net: add checks to validate ring buffer pointers(CVE-2015-5279)
  net: avoid infinite loop when receiving packets(CVE-2015-5278)

 hw/net/e1000.c  |  3 ++-
 hw/net/ne2000.c | 21 ++++++++++++++++-----
 2 files changed, 18 insertions(+), 6 deletions(-)

-- 
2.4.3


* [Qemu-devel] [PULL 1/3] e1000: Avoid infinite loop in processing transmit descriptor (CVE-2015-6815)
From: Stefan Hajnoczi @ 2015-09-15 12:02 UTC
  To: qemu-devel; +Cc: Peter Maydell, qemu-stable, Stefan Hajnoczi, P J P

From: P J P <pjp@fedoraproject.org>

While processing transmit descriptors, it could lead to an infinite
loop if 'bytes' were to become zero; add a check to avoid it.

[The guest can force 'bytes' to 0 by setting the hdr_len and mss
descriptor fields to 0.
--Stefan]

Signed-off-by: P J P <pjp@fedoraproject.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-id: 1441383666-6590-1-git-send-email-stefanha@redhat.com
---
 hw/net/e1000.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/net/e1000.c b/hw/net/e1000.c
index 5c6bcd0..09c9e9d 100644
--- a/hw/net/e1000.c
+++ b/hw/net/e1000.c
@@ -740,7 +740,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
                 memmove(tp->data, tp->header, tp->hdr_len);
                 tp->size = tp->hdr_len;
             }
-        } while (split_size -= bytes);
+            split_size -= bytes;
+        } while (bytes && split_size);
     } else if (!tp->tse && tp->cptse) {
         // context descriptor TSE is not set, while data descriptor TSE is set
         DBGOUT(TXERR, "TCP segmentation error\n");
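Review bot: the new `bytes && split_size` condition ends the loop quietly when a descriptor has hdr_len and mss both zero, leaving the remainder of split_size unsent with no indication that the guest handed over a malformed TSE descriptor; the neighbouring `else if` branch already reports a comparable inconsistency with `DBGOUT(TXERR, "TCP segmentation error\n")`, so consider emitting a DBGOUT(TXERR, ...) on the `bytes == 0` exit as well. For well-formed descriptors the behaviour is unchanged: `split_size -= bytes; } while (bytes && split_size);` stops at exactly the point the old `} while (split_size -= bytes);` did.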
-- 
2.4.3


* [Qemu-devel] [PULL 2/3] net: add checks to validate ring buffer pointers(CVE-2015-5279)
From: Stefan Hajnoczi @ 2015-09-15 12:02 UTC
  To: qemu-devel; +Cc: Peter Maydell, qemu-stable, Stefan Hajnoczi, P J P

From: P J P <pjp@fedoraproject.org>

Ne2000 NIC uses a ring buffer of NE2000_MEM_SIZE (49152)
bytes to process network packets. While receiving packets
via the ne2000_receive() routine, a local 'index' variable
could exceed the ring buffer size, which could lead to a
memory buffer overflow. Added other checks at initialisation.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: P J P <pjp@fedoraproject.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 hw/net/ne2000.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
index 53c704a..3798a3b 100644
--- a/hw/net/ne2000.c
+++ b/hw/net/ne2000.c
@@ -221,6 +221,9 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
     }
 
     index = s->curpag << 8;
+    if (index >= NE2000_PMEM_END) {
+        index = s->start;
+    }
     /* 4 bytes for header */
     total_len = size + 4;
     /* address for next packet (4 bytes for CRC) */
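Review bot: the fallback `index = s->start;` is only safe if `s->start` is itself below NE2000_PMEM_END, and the EN0_STARTPG check introduced in the next hunk accepts `val << 8 <= NE2000_PMEM_END`, so a start page equal to NE2000_PMEM_END would make the fallback re-create the very value that `if (index >= NE2000_PMEM_END)` rejects; either tighten that write check to `<` or validate `s->start` here as well. Silently relocating the receive pointer also hides a guest misprogramming; a debugging trace at this point would make the condition visible to anyone diagnosing lost packets.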
@@ -306,13 +309,19 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
         offset = addr | (page << 4);
         switch(offset) {
         case EN0_STARTPG:
-            s->start = val << 8;
+            if (val << 8 <= NE2000_PMEM_END) {
+                s->start = val << 8;
+            }
             break;
         case EN0_STOPPG:
-            s->stop = val << 8;
+            if (val << 8 <= NE2000_PMEM_END) {
+                s->stop = val << 8;
+            }
             break;
         case EN0_BOUNDARY:
-            s->boundary = val;
+            if (val << 8 < NE2000_PMEM_END) {
+                s->boundary = val;
+            }
             break;
         case EN0_IMR:
             s->imr = val;
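Review bot: the bounds are inconsistent across the three registers: EN0_STARTPG and EN0_STOPPG accept `val << 8 <= NE2000_PMEM_END`, while EN0_BOUNDARY (and EN1_CURPAG in the next hunk) require `val << 8 < NE2000_PMEM_END`. A stop page equal to NE2000_PMEM_END is legitimate because `stop` is used as an exclusive limit (`avail = s->stop - index` in ne2000_receive()), but a start page at that address denotes a ring with no usable byte, so EN0_STARTPG should use `<` like EN1_CURPAG. Out-of-range values are dropped without any trace and nothing forces `start <= stop`; consider a DBGOUT when a write is ignored, and a short comment stating which of start/stop is inclusive.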
@@ -353,7 +362,9 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
             s->phys[offset - EN1_PHYS] = val;
             break;
         case EN1_CURPAG:
-            s->curpag = val;
+            if (val << 8 < NE2000_PMEM_END) {
+                s->curpag = val;
+            }
             break;
         case EN1_MULT ... EN1_MULT + 7:
             s->mult[offset - EN1_MULT] = val;
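Review bot: `val << 8 < NE2000_PMEM_END` relies on `<<` binding tighter than `<`, which is correct but easy to misread, and the same expression now appears four times in this function; a local `uint32_t addr = val << 8;` or a small helper such as `ne2000_page_ok(val)` with explicit parentheses would make the intent clearer and keep the four checks from drifting apart. The `<` here is consistent with EN0_BOUNDARY, and it is what the new `index >= NE2000_PMEM_END` fallback in ne2000_receive() assumes for CURPAG values written through this path.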
-- 
2.4.3


* [Qemu-devel] [PULL 3/3] net: avoid infinite loop when receiving packets(CVE-2015-5278)
From: Stefan Hajnoczi @ 2015-09-15 12:02 UTC
  To: qemu-devel; +Cc: Peter Maydell, qemu-stable, Stefan Hajnoczi, P J P

From: P J P <pjp@fedoraproject.org>

Ne2000 NIC uses a ring buffer of NE2000_MEM_SIZE (49152)
bytes to process network packets. While receiving packets
via the ne2000_receive() routine, a local 'index' variable
could exceed the ring buffer size, leading to an infinite
loop situation.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: P J P <pjp@fedoraproject.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 hw/net/ne2000.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
index 3798a3b..010f9ef 100644
--- a/hw/net/ne2000.c
+++ b/hw/net/ne2000.c
@@ -247,7 +247,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
         if (index <= s->stop)
             avail = s->stop - index;
         else
-            avail = 0;
+            break;
         len = size;
         if (len > avail)
             len = avail;
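Review bot: `break` removes the spin for `index > s->stop`, but the `index <= s->stop` branch still admits `index == s->stop`, for which `avail` is 0 and `len` becomes 0; whether that iteration makes progress depends on the wrap-around handling below this hunk, so it is worth confirming that `index` is advanced to `s->start` there, or changing the test to `index < s->stop`. The `break` also drops the remainder of the packet quietly; a DBGOUT noting the truncated receive would help anyone debugging a guest that sees short frames. Both `if` arms are single statements without braces, which predates this patch but is contrary to QEMU coding style; while touching these lines it would be reasonable to add them.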
-- 
2.4.3

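The two ne2000 patches above both act on the same receive-ring index arithmetic, so here is one self-contained model of that path, written for this page as an added example and not taken from QEMU. It reproduces only what the hunks and commit messages show: CURPAG is shifted left by 8 to form a byte index, the copy loop computes `avail = s->stop - index` while `index <= s->stop`, and the packet goes into an NE2000_MEM_SIZE (49152) byte buffer. It assumes that NE2000_PMEM_END equals NE2000_MEM_SIZE, that `stop` is an exclusive limit, and that the loop wraps `index` to `start` when it reaches `stop` (the wrap-around sits below the visible hunk); it substitutes a result code for the out-of-bounds memcpy and for the loop that would otherwise spin. The 60-byte frame and the ring layout (pages 0x46 to 0x80) are constructed inputs, and `fixed` selects whether the checks from PULL 2/3 and 3/3 are applied.

```c
/* Added example: a model of the ne2000 receive-ring index handling, not
 * QEMU's code.  It keeps the arithmetic visible in PULL 2/3 and 3/3 and
 * reports the conditions those patches fix instead of triggering them. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NE2000_MEM_SIZE 49152             /* 0xC000, figure from the commit message */
#define NE2000_PMEM_END NE2000_MEM_SIZE   /* ASSUMPTION: packet memory ends at the buffer end */

struct nic_model {
    uint32_t start;    /* EN0_STARTPG << 8, first byte of the receive ring */
    uint32_t stop;     /* EN0_STOPPG << 8, exclusive end of the ring (assumed) */
    uint32_t curpag;   /* EN1_CURPAG, page where the next packet is stored */
    uint8_t mem[NE2000_MEM_SIZE];
};

enum rx_result {
    RX_OK,            /* packet landed inside the ring */
    RX_OOB_WRITE,     /* a write would have left mem[] (the CVE-2015-5279 case) */
    RX_NO_PROGRESS,   /* the copy loop cannot advance (the CVE-2015-5278 case) */
    RX_TRUNCATED      /* patched loop gave up on an inconsistent ring */
};

/* EN1_CURPAG write; 'fixed' applies the range check added in PULL 2/3. */
static void write_curpag(struct nic_model *s, uint32_t val, bool fixed)
{
    if (!fixed || (val << 8) < NE2000_PMEM_END) {
        s->curpag = val;
    }
}

/* Index arithmetic of ne2000_receive(): a 4-byte header at 'index', then the
 * payload is copied in 'avail'-sized pieces.  Out-of-bounds writes and a
 * loop that makes no progress are returned as results rather than executed. */
static enum rx_result model_receive(struct nic_model *s, const uint8_t *buf,
                                    size_t size, bool fixed)
{
    uint32_t index = s->curpag << 8;

    if (fixed && index >= NE2000_PMEM_END) {   /* PULL 2/3: fall back to start */
        index = s->start;
    }
    if ((size_t)index + 4 > NE2000_MEM_SIZE) { /* the header write itself */
        return RX_OOB_WRITE;
    }
    index += 4;

    while (size > 0) {
        uint32_t avail, len, before = index;

        if (index <= s->stop) {
            avail = s->stop - index;
        } else if (fixed) {
            return RX_TRUNCATED;               /* PULL 3/3: 'break' instead of avail = 0 */
        } else {
            avail = 0;
        }
        len = size < avail ? (uint32_t)size : avail;
        if ((size_t)index + len > NE2000_MEM_SIZE) {
            return RX_OOB_WRITE;
        }
        memcpy(s->mem + index, buf, len);
        buf += len;
        index += len;
        size -= len;
        if (index == s->stop) {                /* ASSUMPTION: wrap-around below the hunk */
            index = s->start;
        }
        if (size > 0 && index == before) {
            return RX_NO_PROGRESS;             /* unpatched code loops here forever */
        }
    }
    return RX_OK;
}

/* Sane ring at pages 0x46..0x80, then a guest-chosen CURPAG and one frame. */
static enum rx_result scenario(uint32_t curpag, bool fixed)
{
    static struct nic_model s;                 /* static: mem[] is 48 KiB */
    static const uint8_t frame[60] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; /* constructed */

    memset(&s, 0, sizeof s);
    s.start = 0x46 << 8;
    s.stop = 0x80 << 8;
    s.curpag = 0x46;
    write_curpag(&s, curpag, fixed);
    return model_receive(&s, frame, sizeof frame, fixed);
}

int main(void)
{
    static const char *const names[] = { "ok", "out-of-bounds write",
                                         "no progress", "truncated" };
    static const uint32_t pages[] = { 0x46, 0x90, 0xC0, 0xFF };

    for (size_t i = 0; i < sizeof pages / sizeof pages[0]; i++) {
        printf("curpag=0x%02x: unpatched=%s patched=%s\n", (unsigned)pages[i],
               names[scenario(pages[i], false)], names[scenario(pages[i], true)]);
    }
    return 0;
}
```

Running it prints the unpatched and patched outcome for each CURPAG value. The 0x90 case is the instructive one: 0x9000 passes the new `< NE2000_PMEM_END` write check yet lies beyond STOPPG, so the unpatched loop makes no progress there and only the `break` from PULL 3/3 ends it, whereas 0xC0 and 0xFF are stopped earlier by the write check from PULL 2/3.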

* Re: [Qemu-devel] [PULL 0/3] Net patches
From: Peter Maydell @ 2015-09-15 13:04 UTC
  To: Stefan Hajnoczi; +Cc: QEMU Developers, qemu-stable

On 15 September 2015 at 13:02, Stefan Hajnoczi <stefanha@redhat.com> wrote:
> The following changes since commit 2752e5bedb26fa0c7291f810f9f534b688b2f1d2:
>
>   qapi: Fix cgen() for Python older than 2.7 (2015-09-14 18:02:59 +0100)
>
> are available in the git repository at:
>
>   git://github.com/stefanha/qemu.git tags/net-pull-request
>
> for you to fetch changes up to 737d2b3c41d59eb8f94ab7eb419b957938f24943:
>
>   net: avoid infinite loop when receiving packets(CVE-2015-5278) (2015-09-15 12:51:14 +0100)
>
> ----------------------------------------------------------------
> This net pull request contains security fixes for qemu.git/master.  The patches
> should also be applied to stable trees.
>
> The ne2000 NIC model has a QEMU memory corruption issue.  Both ne2000 and e1000
> have an infinite loop.
>
> Please see the patches for CVE numbers and details on the bugs.
>
> ----------------------------------------------------------------

Applied to master, thanks.

-- PMM

