qemu/hw-net-xgmac-Fix-buffer-overflow-in-xgmac_enet_send.patch

From 2d18434c1ca66d68f80954be6828a3770176dab4 Mon Sep 17 00:00:00 2001
From: Mauro Matteo Cascella <mcascell@redhat.com>
Date: Fri, 10 Jul 2020 11:19:41 +0200
Subject: [PATCH] hw/net/xgmac: Fix buffer overflow in xgmac_enet_send()

A buffer overflow issue was reported by Mr. Ziming Zhang, CC'd here. It
occurs while sending an Ethernet frame due to missing break statements
and improper checking of the buffer size.

Reported-by: Ziming Zhang <ezrakiez@gmail.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/net/xgmac.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/hw/net/xgmac.c b/hw/net/xgmac.c
index f49df95b07..f496f7ed4c 100644
--- a/hw/net/xgmac.c
+++ b/hw/net/xgmac.c
@@ -217,21 +217,31 @@ static void xgmac_enet_send(XgmacState *s)
         }
         len = (bd.buffer1_size & 0xfff) + (bd.buffer2_size & 0xfff);
 
+        /*
+         * FIXME: these cases of malformed tx descriptors (bad sizes)
+         * should probably be reported back to the guest somehow
+         * rather than simply silently stopping processing, but we
+         * don't know what the hardware does in this situation.
+         * This will only happen for buggy guests anyway.
+         */
         if ((bd.buffer1_size & 0xfff) > 2048) {
             DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
                         "xgmac buffer 1 len on send > 2048 (0x%x)\n",
                          __func__, bd.buffer1_size & 0xfff);
+            break;
         }
         if ((bd.buffer2_size & 0xfff) != 0) {
             DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
                         "xgmac buffer 2 len on send != 0 (0x%x)\n",
                         __func__, bd.buffer2_size & 0xfff);
+            break;
         }
-        if (len >= sizeof(frame)) {
+        if (frame_size + len >= sizeof(frame)) {
             DEBUGF_BRK("qemu:%s: buffer overflow %d read into %zu "
-                        "buffer\n" , __func__, len, sizeof(frame));
+                        "buffer\n" , __func__, frame_size + len, sizeof(frame));
             DEBUGF_BRK("qemu:%s: buffer1.size=%d; buffer2.size=%d\n",
                         __func__, bd.buffer1_size, bd.buffer2_size);
+            break;
         }
 
         cpu_physical_memory_read(bd.buffer1_addr, ptr, len);
-- 
2.23.0
CVE: fix CVE-2020-12829 CVE-2020-15863 and CVE-2020-16092 sm501: Replace hand written implementation with pixman where possible sm501: Clean up local variables in sm501_2d_operation sm501: Use BIT(x) macro to shorten constant sm501: Shorten long variable names in sm501_2d_operation sm501: Convert printf + abort to qemu_log_mask hw/net/net_tx_pkt: fix assertion failure in net_tx_pkt_add_raw_fragment() hw/net/xgmac: Fix buffer overflow in xgmac_enet_send() Signed-off-by: Ying Fang <fangying1@huawei.com> 2020-09-28 11:54:21 +08:00			`From 2d18434c1ca66d68f80954be6828a3770176dab4 Mon Sep 17 00:00:00 2001`
			`From: Mauro Matteo Cascella <mcascell@redhat.com>`
			`Date: Fri, 10 Jul 2020 11:19:41 +0200`
			`Subject: [PATCH] hw/net/xgmac: Fix buffer overflow in xgmac_enet_send()`

			`A buffer overflow issue was reported by Mr. Ziming Zhang, CC'd here. It`
			`occurs while sending an Ethernet frame due to missing break statements`
			`and improper checking of the buffer size.`

			`Reported-by: Ziming Zhang <ezrakiez@gmail.com>`
			`Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>`
			`Reviewed-by: Peter Maydell <peter.maydell@linaro.org>`
			`Signed-off-by: Jason Wang <jasowang@redhat.com>`
			`---`
			`hw/net/xgmac.c \| 14 ++++++++++++--`
			`1 file changed, 12 insertions(+), 2 deletions(-)`

			`diff --git a/hw/net/xgmac.c b/hw/net/xgmac.c`
			`index f49df95b07..f496f7ed4c 100644`
			`--- a/hw/net/xgmac.c`
			`+++ b/hw/net/xgmac.c`
			`@@ -217,21 +217,31 @@ static void xgmac_enet_send(XgmacState *s)`
			`}`
			`len = (bd.buffer1_size & 0xfff) + (bd.buffer2_size & 0xfff);`

			`+ /*`
			`+ * FIXME: these cases of malformed tx descriptors (bad sizes)`
			`+ * should probably be reported back to the guest somehow`
			`+ * rather than simply silently stopping processing, but we`
			`+ * don't know what the hardware does in this situation.`
			`+ * This will only happen for buggy guests anyway.`
			`+ */`
			`if ((bd.buffer1_size & 0xfff) > 2048) {`
			`DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "`
			`"xgmac buffer 1 len on send > 2048 (0x%x)\n",`
			`__func__, bd.buffer1_size & 0xfff);`
			`+ break;`
			`}`
			`if ((bd.buffer2_size & 0xfff) != 0) {`
			`DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "`
			`"xgmac buffer 2 len on send != 0 (0x%x)\n",`
			`__func__, bd.buffer2_size & 0xfff);`
			`+ break;`
			`}`
			`- if (len >= sizeof(frame)) {`
			`+ if (frame_size + len >= sizeof(frame)) {`
			`DEBUGF_BRK("qemu:%s: buffer overflow %d read into %zu "`
			`- "buffer\n" , __func__, len, sizeof(frame));`
			`+ "buffer\n" , __func__, frame_size + len, sizeof(frame));`
			`DEBUGF_BRK("qemu:%s: buffer1.size=%d; buffer2.size=%d\n",`
			`__func__, bd.buffer1_size, bd.buffer2_size);`
			`+ break;`
			`}`

			`cpu_physical_memory_read(bd.buffer1_addr, ptr, len);`
			`--`
			`2.23.0`