qemu/hw/net
Shmulik Ladkani eedeeeffd4 vmxnet3: Do not fill stats if device is inactive
Guest OS may issue VMXNET3_CMD_GET_STATS even before device was
activated (for example in Linux, after insmod but prior to net-dev open).

Accessing shared descriptors prior to device activation is illegal as the
VMXNET3State structures have not been fully initialized.

As a result, guest memory gets corrupted and may lead to guest OS
crashes.

Fix by not filling the stats descriptors if device is inactive.

Reported-by: Leonid Shatz <leonid.shatz@ravellosystems.com>
Acked-by: Dmitry Fleytman <dmitry@daynix.com>
Signed-off-by: Dana Rubin <dana.rubin@ravellosystems.com>
Signed-off-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
2015-10-27 10:30:38 +08:00
fsl_etsec typofixes - v4 2015-09-11 10:45:43 +03:00
rocker rocker: Use g_new() & friends where that makes obvious sense 2015-10-08 19:46:47 +03:00
allwinner_emac.c net: remove all cleanup methods from NIC NetClientInfos 2015-01-12 10:16:23 +00:00
cadence_gem.c net: cadence_gem: Set initial MAC address 2015-10-27 10:30:30 +08:00
dp8393x.c net/dp8393x: do not use memory_region_init_rom_device with NULL 2015-07-28 09:30:10 +01:00
e1000_regs.h e1000: improve auto-negotiation reporting via mii-tool 2014-06-23 17:38:00 +03:00
e1000.c e1000: use alias for default model 2015-10-12 13:19:29 +08:00
eepro100.c eepro100: Drop nic_can_receive 2015-07-27 14:12:18 +01:00
etraxfs_eth.c etraxfs_eth: Drop eth_can_receive 2015-07-20 17:47:24 +01:00
imx_fec.c i.MX: Add FEC Ethernet Emulator 2015-09-07 10:39:30 +01:00
lan9118.c lan9118: Drop lan9118_can_receive 2015-07-20 17:47:24 +01:00
lance.c pcnet: Drop pcnet_can_receive 2015-07-27 14:12:18 +01:00
Makefile.objs i.MX: Add FEC Ethernet Emulator 2015-09-07 10:39:30 +01:00
mcf_fec.c hw/net: handle flow control in mcf_fec driver receiver 2015-07-28 11:27:53 +01:00
milkymist-minimac2.c Fix bad error handling after memory_region_init_ram() 2015-09-18 14:39:29 +02:00
mipsnet.c mipsnet: Flush queued packets when receiving is enabled 2015-07-27 14:12:18 +01:00
ne2000-isa.c ne2000: Drop ne2000_can_receive 2015-09-02 14:51:07 +01:00
ne2000.c net: avoid infinite loop when receiving packets(CVE-2015-5278) 2015-09-15 12:51:14 +01:00
ne2000.h ne2000: Drop ne2000_can_receive 2015-09-02 14:51:07 +01:00
opencores_eth.c net: remove all cleanup methods from NIC NetClientInfos 2015-01-12 10:16:23 +00:00
pcnet-pci.c pcnet: Drop pcnet_can_receive 2015-07-27 14:12:18 +01:00
pcnet.c pcnet: remove muldiv64() 2015-09-25 14:53:50 +02:00
pcnet.h pcnet: Drop pcnet_can_receive 2015-07-27 14:12:18 +01:00
rtl8139.c rtl8139: remove muldiv64() 2015-09-25 14:53:29 +02:00
smc91c111.c net: smc91c111: flush packets on RCR register changes 2015-09-17 12:36:03 +01:00
spapr_llan.c spapr: Merge sPAPREnvironment into sPAPRMachineState 2015-07-07 17:44:50 +02:00
stellaris_enet.c stellaris_enet: Flush queued packets when read done 2015-07-27 14:12:18 +01:00
vhost_net.c vhost user: add rarp sending after live migration for legacy guest 2015-10-22 14:34:49 +03:00
virtio-net.c virtio-net: correctly drop truncated packets 2015-10-01 16:16:52 +03:00
vmware_utils.h exec: Make stb_phys input an AddressSpace 2014-02-11 22:57:38 +10:00
vmxnet3.c vmxnet3: Do not fill stats if device is inactive 2015-10-27 10:30:38 +08:00
vmxnet3.h vmxnet3: Add support for VMXNET3_CMD_GET_ADAPTIVE_RING_INFO command 2015-10-12 13:19:29 +08:00
vmxnet_debug.h hw: move target-independent files to subdirectories 2013-04-08 18:13:12 +02:00
vmxnet_rx_pkt.c net/vmxnet3: Refactor 'vmxnet_rx_pkt_attach_data' 2015-07-20 17:39:05 +01:00
vmxnet_rx_pkt.h net/vmxnet3: Refactor 'vmxnet_rx_pkt_attach_data' 2015-07-20 17:39:05 +01:00
vmxnet_tx_pkt.c net/vmxnet3: Refine l2 header validation 2015-10-12 13:19:29 +08:00
vmxnet_tx_pkt.h hw: move target-independent files to subdirectories 2013-04-08 18:13:12 +02:00
xen_nic.c maint: remove unused include for signal.h 2015-09-11 10:21:38 +03:00
xgmac.c xgmac: Drop packets with eth_can_rx is false. 2015-07-27 14:12:18 +01:00
xilinx_axienet.c axienet: Flush queued packets when rx is done 2015-07-27 14:12:18 +01:00
xilinx_ethlite.c xilinx_ethlite: Clean up after commit 2f991ad 2015-03-10 08:15:33 +03:00