Brad Bishop | 37a0e4d | 2017-12-04 01:01:44 -0500
Upstream-Status: Backport [http://git.qemu.org/?p=qemu.git;a=commit;h=34e29ce]
CVE: CVE-2016-7909

Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
From 34e29ce754c02bb6b3bdd244fbb85033460feaff Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Fri, 30 Sep 2016 00:27:33 +0530
Subject: [PATCH] net: pcnet: check rx/tx descriptor ring length

The AMD PC-Net II emulator has a set of control and status (CSR)
registers. Of these, CSR76 and CSR78 hold receive and transmit
descriptor ring length respectively. This ring length could range
from 1 to 65535. Setting ring length to zero leads to an infinite
loop in pcnet_rdra_addr() or pcnet_transmit(). Add check to avoid it.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
hw/net/pcnet.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
index 198a01f..3078de8 100644
--- a/hw/net/pcnet.c
+++ b/hw/net/pcnet.c
@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value)
case 47: /* POLLINT */
case 72:
case 74:
+ break;
case 76: /* RCVRL */
case 78: /* XMTRL */
+ val = (val > 0) ? val : 512;
+ break;
case 112:
if (CSR_STOP(s) || CSR_SPND(s))
break;
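Review bot: the two added `break;` statements change more than the zero-length check the subject line describes. Before this hunk, `case 47`, `case 72`, `case 74`, `case 76` and `case 78` all fell through to `case 112`, so every one of those writes passed through the `if (CSR_STOP(s) || CSR_SPND(s)) break;` guard; after the hunk they leave the switch before reaching it, so that guard no longer applies to those registers. Either confirm in the commit message that dropping the guard for these CSRs is intended, or place the clamp so the fall-through to `case 112` is preserved. Separately, `val = (val > 0) ? val : 512;` silently substitutes 512 for a zero ring length rather than rejecting or ignoring the write; a short comment explaining why 512 is the chosen default would help future readers.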
--
2.10.1
