Brad Bishop | 1a4b7ee | 2018-12-16 17:11:34 -0800 | [diff] [blame^] | 1 | From 20abe443ad9464b18ac494f71f7d53f19ee3748f Mon Sep 17 00:00:00 2001 |
| 2 | From: Changqing Li <changqing.li@windriver.com> |
| 3 | Date: Mon, 15 Oct 2018 16:38:08 +0800 |
| 4 | Subject: [PATCH] rtl8139: fix possible out of bound access |
| 5 | |
| 6 | In rtl8139_do_receive(), we try to assign size_ to size which converts |
| 7 | from size_t to integer. This will cause troubles when size_ is greater |
| 8 | INT_MAX, this will lead a negative value in size and it can then pass |
| 9 | the check of size < MIN_BUF_SIZE which may lead out of bound access of |
| 10 | for both buf and buf1. |
| 11 | |
| 12 | Fixing by converting the type of size to size_t. |
| 13 | |
| 14 | CC: address@hidden |
| 15 | Reported-by: Daniel Shapira <address@hidden> |
| 16 | Reviewed-by: Michael S. Tsirkin <address@hidden> |
| 17 | Signed-off-by: Jason Wang <address@hidden> |
| 18 | |
| 19 | Upstream-Status: Backport [https://lists.gnu.org/archive/html/qemu-devel/2018-09/msg03269.html] |
| 20 | |
| 21 | CVE: CVE-2018-17962 |
| 22 | |
| 23 | Signed-off-by: Changqing Li <changqing.li@windriver.com> |
| 24 | --- |
| 25 | hw/net/rtl8139.c | 8 ++++---- |
| 26 | 1 file changed, 4 insertions(+), 4 deletions(-) |
| 27 | |
| 28 | diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c |
| 29 | index 46daa16..2342a09 100644 |
| 30 | --- a/hw/net/rtl8139.c |
| 31 | +++ b/hw/net/rtl8139.c |
| 32 | @@ -817,7 +817,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t |
| 33 | RTL8139State *s = qemu_get_nic_opaque(nc); |
| 34 | PCIDevice *d = PCI_DEVICE(s); |
| 35 | /* size is the length of the buffer passed to the driver */ |
| 36 | - int size = size_; |
| 37 | + size_t size = size_; |
| 38 | const uint8_t *dot1q_buf = NULL; |
| 39 | |
| 40 | uint32_t packet_header = 0; |
| 41 | @@ -826,7 +826,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t |
| 42 | static const uint8_t broadcast_macaddr[6] = |
| 43 | { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; |
| 44 | |
| 45 | - DPRINTF(">>> received len=%d\n", size); |
| 46 | + DPRINTF(">>> received len=%zu\n", size); |
| 47 | |
| 48 | /* test if board clock is stopped */ |
| 49 | if (!s->clock_enabled) |
| 50 | @@ -1035,7 +1035,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t |
| 51 | |
| 52 | if (size+4 > rx_space) |
| 53 | { |
| 54 | - DPRINTF("C+ Rx mode : descriptor %d size %d received %d + 4\n", |
| 55 | + DPRINTF("C+ Rx mode : descriptor %d size %d received %zu + 4\n", |
| 56 | descriptor, rx_space, size); |
| 57 | |
| 58 | s->IntrStatus |= RxOverflow; |
| 59 | @@ -1148,7 +1148,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t |
| 60 | if (avail != 0 && RX_ALIGN(size + 8) >= avail) |
| 61 | { |
| 62 | DPRINTF("rx overflow: rx buffer length %d head 0x%04x " |
| 63 | - "read 0x%04x === available 0x%04x need 0x%04x\n", |
| 64 | + "read 0x%04x === available 0x%04x need 0x%04zx\n", |
| 65 | s->RxBufferSize, s->RxBufAddr, s->RxBufPtr, avail, size + 8); |
| 66 | |
| 67 | s->IntrStatus |= RxOverflow; |
| 68 | -- |
| 69 | 2.7.4 |
| 70 | |