Headline
CVE-2015-7504: [Qemu-devel] [PATCH for 2.5 1/2] net: pcnet: add check to validate recei
Heap-based buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU allows guest OS administrators to cause a denial of service (instance crash) or possibly execute arbitrary code via a series of packets in loopback mode.
From: Jason Wang
Subject: [Qemu-devel] [PATCH for 2.5 1/2] net: pcnet: add check to validate receive data size(CVE-2015-7504)
Date: Mon, 30 Nov 2015 15:38:22 +0800
From: Prasad J Pandit address@hidden
In loopback mode, pcnet_receive routine appends CRC code to the receive buffer. If the data size given is the same as the buffer size, the appended CRC code overwrites 4 bytes after s->buffer. Added a check to avoid that.

Reported-by: Qinghao Tang address@hidden
Cc: address@hidden
Signed-off-by: Prasad J Pandit address@hidden
Signed-off-by: Jason Wang address@hidden
hw/net/pcnet.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c index 0eb3cc4…309c40b 100644 — a/hw/net/pcnet.c +++ b/hw/net/pcnet.c @@ -1084,7 +1084,7 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_) uint32_t fcs = ~0; uint8_t *p = src;
while (p != &src\[size-4\])
while (p != &src\[size\]) CRC(fcs, \*p++); crc\_err = (\*(uint32\_t \*)p != htonl(fcs)); }
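Review bot: The commit message describes only the transmit-side headroom, but this hunk also changes the CRC-check bound in pcnet_receive from `&src[size-4]` to `&src[size]`, so the loop now covers all `size` bytes and `crc_err` compares the 32-bit word at `&src[size]`, four bytes beyond the data. Please state in the commit message why the FCS is now expected after `size` rather than inside its last four bytes, and what guarantees those four bytes lie within the backing buffer, since otherwise this read is itself out of bounds; the `*(uint32_t *)p` cast also assumes `p` is suitably aligned.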
@@ -1233,8 +1233,10 @@ static void pcnet_transmit(PCNetState *s) bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
/\* if multi-tmd packet outsizes s->buffer then skip it silently.
Note: this is not what real hw does \*/
if (s->xmit\_pos + bcnt > sizeof(s->buffer)) {
\* Note: this is not what real hw does.
\* Last four bytes of s->buffer are used to store CRC FCS code.
\*/
if (s->xmit\_pos + bcnt > sizeof(s->buffer) - 4) { s->xmit\_pos = -1; goto txdone; }
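Review bot: The `4` in `sizeof(s->buffer) - 4` is a magic number that has to agree with the four bytes the loopback receive path appends; a named constant shared with the FCS append in pcnet_receive would keep the two sides from drifting, so that the updated comment documents the reservation rather than being the only record of it. The comment and check are otherwise consistent: a multi-TMD packet that would leave fewer than four bytes of headroom is now dropped via `txdone`, as an oversized one already was.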
--
2.5.0
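The mechanism the commit message describes, as an added example that is not QEMU's code: a model of the pcnet loopback path in which a transmit buffer of PCNET_BUF_SIZE bytes holds the frame and the loopback receive step appends a 4-byte FCS in place. It shows the pre-patch admission check beside the patched one and reports, instead of performing, the 4-byte overflow that an exactly-full buffer would cause. The buffer size (4096), the function names and the use of a standard IEEE CRC-32 in place of pcnet.c's own CRC() macro are all assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed size of s->buffer; the real field size is not shown in the hunk. */
#define PCNET_BUF_SIZE 4096
/* Length of the Ethernet FCS that the loopback receive path appends. */
#define FCS_LEN 4

/* Bitwise reflected CRC-32 (polynomial 0xEDB88320), a stand-in for the
 * CRC() macro in pcnet.c; this model does not reproduce that macro exactly. */
static uint32_t crc32_update(uint32_t crc, uint8_t byte)
{
    crc ^= byte;
    for (int i = 0; i < 8; i++)
        crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    return crc;
}

/* FCS over len bytes: init ~0, final complement (IEEE 802.3 CRC-32). */
static uint32_t frame_fcs(const uint8_t *p, size_t len)
{
    uint32_t crc = ~0u;
    for (size_t i = 0; i < len; i++)
        crc = crc32_update(crc, p[i]);
    return ~crc;
}

/* Pre-patch transmit check for a multi-TMD packet: a packet that exactly
 * fills the buffer is accepted, leaving no room for the loopback FCS. */
static bool tx_fits_old(size_t xmit_pos, size_t bcnt)
{
    return xmit_pos + bcnt <= PCNET_BUF_SIZE;
}

/* Patched check: the last FCS_LEN bytes of the buffer are reserved. */
static bool tx_fits_new(size_t xmit_pos, size_t bcnt)
{
    return xmit_pos + bcnt <= PCNET_BUF_SIZE - FCS_LEN;
}

/* Loopback receive step: append the FCS (big-endian, as htonl() stores it)
 * after buf[0..size). Returns the new frame length, or 0 if the four bytes
 * would land beyond cap, which is the write the bug performed unchecked. */
static size_t loopback_append_fcs(uint8_t *buf, size_t size, size_t cap)
{
    if (size + FCS_LEN > cap)
        return 0;
    uint32_t fcs = frame_fcs(buf, size);
    buf[size + 0] = (uint8_t)(fcs >> 24);
    buf[size + 1] = (uint8_t)(fcs >> 16);
    buf[size + 2] = (uint8_t)(fcs >> 8);
    buf[size + 3] = (uint8_t)fcs;
    return size + FCS_LEN;
}

/* Receive-side verification of a frame carrying its FCS: recompute over the
 * data bytes and compare with the trailing word. 0 = ok, 1 = crc_err. */
static int loopback_crc_err(const uint8_t *buf, size_t size_with_fcs)
{
    if (size_with_fcs < FCS_LEN)
        return 1;
    size_t data = size_with_fcs - FCS_LEN;
    uint32_t want = frame_fcs(buf, data);
    uint32_t got = (uint32_t)buf[data] << 24 | (uint32_t)buf[data + 1] << 16 |
                   (uint32_t)buf[data + 2] << 8 | (uint32_t)buf[data + 3];
    return want != got;
}

/* Drive the model end to end for a data_len-byte packet placed at xmit_pos 0.
 * Returns -1 if the transmit check rejects it, -2 if the FCS append would
 * overflow the buffer (the pre-patch failure mode, reported rather than
 * performed), otherwise the receive-side crc_err. */
static int loopback_roundtrip(size_t data_len, bool patched)
{
    static uint8_t buffer[PCNET_BUF_SIZE];   /* stands in for s->buffer */
    bool fits = patched ? tx_fits_new(0, data_len) : tx_fits_old(0, data_len);
    if (!fits)
        return -1;
    for (size_t i = 0; i < data_len; i++)
        buffer[i] = (uint8_t)(i * 7 + 3);    /* constructed payload */
    size_t total = loopback_append_fcs(buffer, data_len, sizeof(buffer));
    if (total == 0)
        return -2;
    return loopback_crc_err(buffer, total);
}

int main(void)
{
    printf("4096-byte packet, old check: %d (-2 = FCS would overflow)\n",
           loopback_roundtrip(PCNET_BUF_SIZE, false));
    printf("4096-byte packet, new check: %d (-1 = dropped at transmit)\n",
           loopback_roundtrip(PCNET_BUF_SIZE, true));
    printf("4092-byte packet, new check: %d (0 = FCS fits and verifies)\n",
           loopback_roundtrip(PCNET_BUF_SIZE - FCS_LEN, true));
    return 0;
}
```

The point the model makes is that the two sides share one invariant: the transmit check must reserve exactly the number of bytes the loopback receive step appends. Keeping that count in a single constant, as in FCS_LEN here, is what stops the two from drifting apart again.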
- [Qemu-devel] [PATCH for 2.5 1/2] net: pcnet: add check to validate receive data size(CVE-2015-7504), Jason Wang (this message)
- Re: [Qemu-devel] [PATCH for 2.5 1/2] net: pcnet: add check to validate receive data size(CVE-2015-7504), Michael S. Tsirkin, 2015/11/30
- [Qemu-devel] [PATCH for 2.5 2/2] pcnet: fix rx buffer overflow(CVE-2015-7512), Jason Wang, 2015/11/30
- Re: [Qemu-devel] [PATCH for 2.5 2/2] pcnet: fix rx buffer overflow(CVE-2015-7512), Michael S. Tsirkin, 2015/11/30
Related news
Buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU, when a guest NIC has a larger MTU, allows remote attackers to cause a denial of service (guest OS crash) or execute arbitrary code via a large packet.