From b947ac2bf26479e710489739c465c8af336599e7 Mon Sep 17 00:00:00 2001 From: P J P Date: Fri, 4 Sep 2015 17:21:06 +0100 Subject: [PATCH 1/3] e1000: Avoid infinite loop in processing transmit descriptor (CVE-2015-6815) While processing transmit descriptors, it could lead to an infinite loop if 'bytes' was to become zero; Add a check to avoid it. [The guest can force 'bytes' to 0 by setting the hdr_len and mss descriptor fields to 0. --Stefan] Signed-off-by: P J P Signed-off-by: Stefan Hajnoczi Reviewed-by: Thomas Huth Message-id: 1441383666-6590-1-git-send-email-stefanha@redhat.com --- hw/net/e1000.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hw/net/e1000.c b/hw/net/e1000.c index 5c6bcd0014..09c9e9d53b 100644 --- a/hw/net/e1000.c +++ b/hw/net/e1000.c @@ -740,7 +740,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) memmove(tp->data, tp->header, tp->hdr_len); tp->size = tp->hdr_len; } - } while (split_size -= bytes); + split_size -= bytes; + } while (bytes && split_size); } else if (!tp->tse && tp->cptse) { // context descriptor TSE is not set, while data descriptor TSE is set DBGOUT(TXERR, "TCP segmentation error\n"); From 9bbdbc66e5765068dce76e9269dce4547afd8ad4 Mon Sep 17 00:00:00 2001 From: P J P Date: Tue, 15 Sep 2015 16:40:49 +0530 Subject: [PATCH 2/3] net: add checks to validate ring buffer pointers(CVE-2015-5279) Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152) bytes to process network packets. While receiving packets via ne2000_receive() routine, a local 'index' variable could exceed the ring buffer size, which could lead to a memory buffer overflow. Added other checks at initialisation. Reported-by: Qinghao Tang Signed-off-by: P J P Signed-off-by: Stefan Hajnoczi --- hw/net/ne2000.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c index 53c704ad41..3798a3b2f2 100644 --- a/hw/net/ne2000.c +++ b/hw/net/ne2000.c @@ -221,6 +221,9 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_) } index = s->curpag << 8; + if (index >= NE2000_PMEM_END) { + index = s->start; + } /* 4 bytes for header */ total_len = size + 4; /* address for next packet (4 bytes for CRC) */ @@ -306,13 +309,19 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val) offset = addr | (page << 4); switch(offset) { case EN0_STARTPG: - s->start = val << 8; + if (val << 8 <= NE2000_PMEM_END) { + s->start = val << 8; + } break; case EN0_STOPPG: - s->stop = val << 8; + if (val << 8 <= NE2000_PMEM_END) { + s->stop = val << 8; + } break; case EN0_BOUNDARY: - s->boundary = val; + if (val << 8 < NE2000_PMEM_END) { + s->boundary = val; + } break; case EN0_IMR: s->imr = val; @@ -353,7 +362,9 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val) s->phys[offset - EN1_PHYS] = val; break; case EN1_CURPAG: - s->curpag = val; + if (val << 8 < NE2000_PMEM_END) { + s->curpag = val; + } break; case EN1_MULT ... EN1_MULT + 7: s->mult[offset - EN1_MULT] = val; From 737d2b3c41d59eb8f94ab7eb419b957938f24943 Mon Sep 17 00:00:00 2001 From: P J P Date: Tue, 15 Sep 2015 16:46:59 +0530 Subject: [PATCH 3/3] net: avoid infinite loop when receiving packets(CVE-2015-5278) Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152) bytes to process network packets. While receiving packets via ne2000_receive() routine, a local 'index' variable could exceed the ring buffer size, leading to an infinite loop situation. Reported-by: Qinghao Tang Signed-off-by: P J P Signed-off-by: Stefan Hajnoczi --- hw/net/ne2000.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c index 3798a3b2f2..010f9efccd 100644 --- a/hw/net/ne2000.c +++ b/hw/net/ne2000.c @@ -247,7 +247,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_) if (index <= s->stop) avail = s->stop - index; else - avail = 0; + break; len = size; if (len > avail) len = avail;