cf8819083b
CVE-2015-6855: ide: divide by zero issue (bz #1261793) CVE-2015-5278: Infinite loop in ne2000_receive() (bz #1263284) CVE-2015-5279: Heap overflow vulnerability in ne2000_receive() (bz #1263287)
68 lines
2.3 KiB
Diff
68 lines
2.3 KiB
Diff
From: P J P <pjp@fedoraproject.org>
|
|
Date: Tue, 15 Sep 2015 16:40:49 +0530
|
|
Subject: [PATCH] net: add checks to validate ring buffer
|
|
pointers(CVE-2015-5279)
|
|
|
|
Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
|
|
bytes to process network packets. While receiving packets
|
|
via ne2000_receive() routine, a local 'index' variable
|
|
could exceed the ring buffer size, which could lead to a
|
|
memory buffer overflow. Added other checks at initialisation.
|
|
|
|
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
|
Signed-off-by: P J P <pjp@fedoraproject.org>
|
|
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
(cherry picked from commit 9bbdbc66e5765068dce76e9269dce4547afd8ad4)
|
|
---
|
|
hw/net/ne2000.c | 19 +++++++++++++++----
|
|
1 file changed, 15 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
|
|
index 44a4264..2bdb4c9 100644
|
|
--- a/hw/net/ne2000.c
|
|
+++ b/hw/net/ne2000.c
|
|
@@ -230,6 +230,9 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
|
|
}
|
|
|
|
index = s->curpag << 8;
|
|
+ if (index >= NE2000_PMEM_END) {
|
|
+ index = s->start;
|
|
+ }
|
|
/* 4 bytes for header */
|
|
total_len = size + 4;
|
|
/* address for next packet (4 bytes for CRC) */
|
|
@@ -315,13 +318,19 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
|
|
offset = addr | (page << 4);
|
|
switch(offset) {
|
|
case EN0_STARTPG:
|
|
- s->start = val << 8;
|
|
+ if (val << 8 <= NE2000_PMEM_END) {
|
|
+ s->start = val << 8;
|
|
+ }
|
|
break;
|
|
case EN0_STOPPG:
|
|
- s->stop = val << 8;
|
|
+ if (val << 8 <= NE2000_PMEM_END) {
|
|
+ s->stop = val << 8;
|
|
+ }
|
|
break;
|
|
case EN0_BOUNDARY:
|
|
- s->boundary = val;
|
|
+ if (val << 8 < NE2000_PMEM_END) {
|
|
+ s->boundary = val;
|
|
+ }
|
|
break;
|
|
case EN0_IMR:
|
|
s->imr = val;
|
|
@@ -362,7 +371,9 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
|
|
s->phys[offset - EN1_PHYS] = val;
|
|
break;
|
|
case EN1_CURPAG:
|
|
- s->curpag = val;
|
|
+ if (val << 8 < NE2000_PMEM_END) {
|
|
+ s->curpag = val;
|
|
+ }
|
|
break;
|
|
case EN1_MULT ... EN1_MULT + 7:
|
|
s->mult[offset - EN1_MULT] = val;
|