| commit | d7f053652fef48bee7c461c162c8d4d2c96ab157 | |
| author | Michael S. Tsirkin <mst@redhat.com> | |
| Thu, 14 Jan 2016 09:43:30 +0000 (14 11:43 +0200) | ||
| committer | Jason Wang <jasowang@redhat.com> | |
| Thu, 4 Feb 2016 05:22:06 +0000 (4 13:22 +0800) | ||
| tree | 3f330b046e6102caf7fabb18ede347802630419e | treesnapshot (tar.gz zip) |
| parent | 244381ec19ce1412b474f41b5f30fe1da846451b | commitdiff |
cadence_gem: fix buffer overflow
gem_transmit copies a packet from guest into an tx_packet[2048]
array on stack, with size limited by descriptor length set by guest. If
guest is malicious and specifies a descriptor length that is too large,
and should packet size exceed array size, this results in a buffer
overflow.
Reported-by: 刘令 <liuling-it@360.cn>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
gem_transmit copies a packet from guest into an tx_packet[2048]
array on stack, with size limited by descriptor length set by guest. If
guest is malicious and specifies a descriptor length that is too large,
and should packet size exceed array size, this results in a buffer
overflow.
Reported-by: 刘令 <liuling-it@360.cn>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
| hw/net/cadence_gem.c | diffblobblamehistory |