CVE-2015-7504: [Qemu-devel] [PATCH for 2.5 1/2] net: pcnet: add check to validate recei

Heap-based buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU allows guest OS administrators to cause a denial of service (instance crash) or possibly execute arbitrary code via a series of packets in loopback mode.


From: Jason Wang
Subject: [Qemu-devel] [PATCH for 2.5 1/2] net: pcnet: add check to validate receive data size(CVE-2015-7504)
Date: Mon, 30 Nov 2015 15:38:22 +0800

From: Prasad J Pandit address@hidden

In loopback mode, pcnet_receive routine appends CRC code to the receive buffer. If the data size given is the same as the buffer size, the appended CRC code overwrites 4 bytes after s->buffer. Added a check to avoid that.

Reported by: Qinghao Tang address@hidden
Cc: address@hidden
Signed-off-by: Prasad J Pandit address@hidden
Signed-off-by: Jason Wang address@hidden


hw/net/pcnet.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c index 0eb3cc4…309c40b 100644 — a/hw/net/pcnet.c +++ b/hw/net/pcnet.c @@ -1084,7 +1084,7 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_) uint32_t fcs = ~0; uint8_t *p = src;

  •            while (p != &src\[size-4\])
    
  •            while (p != &src\[size\])
                   CRC(fcs, \*p++);
               crc\_err = (\*(uint32\_t \*)p != htonl(fcs));
           }
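Review bot: the commit message says a check was added, but this hunk changes the CRC loop bound from `&src[size-4]` to `&src[size]` and leaves `crc_err = (*(uint32_t *)p != htonl(fcs));` reading the four bytes at `src[size]`; a one-line comment at the loop stating why `size` now excludes the FCS, and that `size + 4` must therefore fit inside `s->buffer`, would make this site's dependence on the transmit-side guard in the next hunk visible to later readers, and the commit message should say the same rather than describing only the overwrite.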
    

@@ -1233,8 +1233,10 @@ static void pcnet_transmit(PCNetState *s) bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);

     /\* if multi-tmd packet outsizes s->buffer then skip it silently.
  •       Note: this is not what real hw does \*/
    
  •    if (s->xmit\_pos + bcnt > sizeof(s->buffer)) {
    
  •     \* Note: this is not what real hw does.
    
  •     \* Last four bytes of s->buffer are used to store CRC FCS code.
    
  •     \*/
    
  •    if (s->xmit\_pos + bcnt > sizeof(s->buffer) - 4) {
           s->xmit\_pos = -1;
           goto txdone;
       }
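Review bot: the literal `4` in `sizeof(s->buffer) - 4` is the same FCS length the receive-side CRC loop assumes; a named constant (a hypothetical `CRC_LEN`-style define) used at both sites would keep the reservation and the loop bound from drifting apart. The rewritten comment correctly records that the last four bytes of `s->buffer` are reserved for the FCS, but this guard lives in `pcnet_transmit`, so it bounds only frames that arrive via the loopback path; frames reaching `pcnet_receive` from the network are handled by the companion patch 2/2 in this thread (`pcnet: fix rx buffer overflow(CVE-2015-7512)`), and a pointer to it in the commit message would help anyone reading this patch on its own.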
    

--
2.5.0
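The overwrite the commit message describes is a bounds problem that is easy to reproduce in isolation: a fixed-size frame buffer, an FCS appended at `buf[size]`, and no guarantee that `size + 4` still fits. The following is an added example written for this page, not QEMU's code; it models `s->buffer` as a constructed 4096-byte buffer with four "neighbour" bytes after it (so the overrun is observable rather than undefined), shows the unchecked append beside the headroom check the patch introduces (`size <= sizeof(buffer) - 4`), and adds a bounds-checked FCS verifier for the receive side. The buffer size, the CRC-32 helper and all function names are assumptions of the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not QEMU code: a 4096-byte frame buffer whose last
 * four bytes must stay free for the FCS the loopback path appends. */
#define FRAME_BUF_SIZE 4096
#define FCS_LEN 4
#define CANARY_BYTE 0xA5

struct frame_buf {
    /* [0, FRAME_BUF_SIZE) is the frame buffer proper; the trailing FCS_LEN
     * bytes stand in for whatever the allocator placed after it, so an
     * overrun is observable here instead of being undefined behaviour. */
    uint8_t bytes[FRAME_BUF_SIZE + FCS_LEN];
};

/* Bitwise reflected CRC-32 (IEEE 802.3 polynomial), the CRC family an
 * Ethernet FCS uses; table-free to keep the example short. */
static uint32_t crc32_ieee(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* The invariant the patch enforces on the transmit side: a frame must
 * leave FCS_LEN bytes of headroom inside the buffer. */
static bool fcs_fits(size_t size)
{
    return size <= FRAME_BUF_SIZE - FCS_LEN;
}

static void frame_buf_init(struct frame_buf *fb)
{
    memset(fb->bytes, 0x42, FRAME_BUF_SIZE);                  /* payload   */
    memset(fb->bytes + FRAME_BUF_SIZE, CANARY_BYTE, FCS_LEN);  /* neighbour */
}

static bool neighbour_intact(const struct frame_buf *fb)
{
    for (size_t i = 0; i < FCS_LEN; i++)
        if (fb->bytes[FRAME_BUF_SIZE + i] != CANARY_BYTE)
            return false;
    return true;
}

/* Pre-fix behaviour: append the FCS wherever the frame ends, unchecked.
 * With size == FRAME_BUF_SIZE the four FCS bytes land past the buffer. */
static size_t append_fcs_unchecked(struct frame_buf *fb, size_t size)
{
    uint32_t fcs = crc32_ieee(fb->bytes, size);
    uint8_t *p = fb->bytes + size;
    p[0] = (uint8_t)(fcs >> 24); p[1] = (uint8_t)(fcs >> 16);  /* big-endian, */
    p[2] = (uint8_t)(fcs >> 8);  p[3] = (uint8_t)fcs;          /* like htonl  */
    return size + FCS_LEN;
}

/* Fixed behaviour: refuse frames that would not leave room for the FCS. */
static bool append_fcs_checked(struct frame_buf *fb, size_t size, size_t *out_len)
{
    if (!fcs_fits(size))
        return false;
    *out_len = append_fcs_unchecked(fb, size);
    return true;
}

/* Receive-side verification: bounds are checked before any byte is read,
 * then the CRC is recomputed over everything but the trailing FCS. */
static bool fcs_valid(const struct frame_buf *fb, size_t len)
{
    if (len < FCS_LEN || len > FRAME_BUF_SIZE)
        return false;
    const uint8_t *p = fb->bytes + len - FCS_LEN;
    uint32_t stored = (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
                      (uint32_t)p[2] << 8  | (uint32_t)p[3];
    return stored == crc32_ieee(fb->bytes, len - FCS_LEN);
}

/* A buffer-sized frame through the unchecked path clobbers the neighbour. */
static bool demo_unchecked_overruns(void)
{
    struct frame_buf fb;
    frame_buf_init(&fb);
    append_fcs_unchecked(&fb, FRAME_BUF_SIZE);
    return !neighbour_intact(&fb);
}

/* The same frame through the checked path is refused, neighbour untouched. */
static bool demo_checked_refuses(void)
{
    struct frame_buf fb;
    size_t len = 0;
    frame_buf_init(&fb);
    bool ok = append_fcs_checked(&fb, FRAME_BUF_SIZE, &len);
    return !ok && neighbour_intact(&fb);
}

/* Append, verify, corrupt one payload byte, verify again. */
static bool demo_round_trip(size_t size)
{
    struct frame_buf fb;
    size_t len = 0;
    frame_buf_init(&fb);
    if (!append_fcs_checked(&fb, size, &len))
        return false;
    bool good = fcs_valid(&fb, len);
    fb.bytes[0] ^= 0x01;
    return good && !fcs_valid(&fb, len) && neighbour_intact(&fb);
}

int main(void)
{
    printf("unchecked append overruns: %s\n", demo_unchecked_overruns() ? "yes" : "no");
    printf("checked append refuses:    %s\n", demo_checked_refuses() ? "yes" : "no");
    printf("round trip at headroom:    %s\n", demo_round_trip(FRAME_BUF_SIZE - FCS_LEN) ? "ok" : "fail");
    return 0;
}
```

The check in `fcs_fits` is the headroom rule the patch adds to the transmit path; `fcs_valid` shows the matching discipline on the receive side, where both the length and the position of the trailing four bytes are validated before the compare rather than assumed.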

  • [Qemu-devel] [PATCH for 2.5 1/2] net: pcnet: add check to validate receive data size(CVE-2015-7504), Jason Wang <=

    • [Qemu-devel] [PATCH for 2.5 2/2] pcnet: fix rx buffer overflow(CVE-2015-7512), Jason Wang, 2015/11/30
      • Re: [Qemu-devel] [PATCH for 2.5 2/2] pcnet: fix rx buffer overflow(CVE-2015-7512), Michael S. Tsirkin, 2015/11/30
    • Re: [Qemu-devel] [PATCH for 2.5 1/2] net: pcnet: add check to validate receive data size(CVE-2015-7504), Michael S. Tsirkin, 2015/11/30
Related news

CVE-2015-7512

Buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU, when a guest NIC has a larger MTU, allows remote attackers to cause a denial of service (guest OS crash) or execute arbitrary code via a large packet.
