qemu-patch-raspberry4/hw
Petr Matousek 9f7c594c00 pcnet: force the buffer access to be in bounds during tx
4096 is the maximum length per TMD and it is also currently the size of
the relay buffer pcnet driver uses for sending the packet data to QEMU
for further processing. With a packet spanning multiple TMDs it can
happen that the overall packet size will be bigger than sizeof(buffer),
which results in memory corruption.

Fix this by only allowing at most sizeof(buffer) bytes to be queued.

This is CVE-2015-3209.

[Fixed 3-space indentation to QEMU's 4-space coding standard.
--Stefan]

Signed-off-by: Petr Matousek <pmatouse@redhat.com>
Reported-by: Matt Tait <matttait@google.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-06-10 15:03:02 +01:00
9pfs virtio: make features 64bit wide 2015-06-01 14:18:55 +02:00
acpi ich9: implement SMI_LOCK 2015-06-05 19:45:13 +02:00
alpha hw/alpha/typhoon.c: Fix misusing qemu_allocate_irqs for single irq 2015-06-03 14:21:24 +03:00
arm pflash_cfi01: change big-endian property to BIT type 2015-06-05 17:36:31 +02:00
audio gus: clean up MemoryRegionPortio 2015-04-27 18:24:18 +02:00
block * KVM error improvement from Laurent 2015-06-08 15:57:41 +01:00
bt bt-sdp: fix broken uuids power-of-2 calculation 2015-04-28 15:36:08 +02:00
char Move parallel_hds_isa_init to hw/isa/isa-bus.c 2015-06-05 17:09:58 +02:00
core QemuOpts: Convert qemu_opts_foreach() to Error 2015-06-09 07:37:37 +02:00
cpu icc_bus: fix typo ICC_BRIGDE -> ICC_BRIDGE 2014-11-03 19:51:56 +03:00
cris cris: memory: Replace memory_region_init_ram with memory_region_allocate_system_memory 2015-04-11 20:03:57 +10:00
display framebuffer: check memory_region_is_logging 2015-06-05 17:09:59 +02:00
dma Switch non-CPU callers from ld/st*_phys to address_space_ld/st* 2015-04-26 16:49:24 +01:00
gpio pl061: fix wrong calculation of GPIOMIS register 2015-06-02 14:56:25 +01:00
i2c ACPI: split CONFIG_ACPI into 4 pieces 2015-05-29 11:28:59 +01:00
i386 target-i386: use memory API to implement SMRAM 2015-06-05 17:36:39 +02:00
ide -----BEGIN PGP SIGNATURE----- 2015-06-08 14:07:32 +01:00
input virtio: make features 64bit wide 2015-06-01 14:18:55 +02:00
intc trivial patches for 2015-06-03 2015-06-04 12:49:15 +01:00
ipack pci: Trivial device model conversions to realize 2015-02-26 12:42:16 +01:00
isa ich9: implement SMI_LOCK 2015-06-05 19:45:13 +02:00
lm32 hw/lm32/milkymist.c: Fix misusing qemu_allocate_irqs for single irq 2015-06-03 14:21:24 +03:00
m68k m68k: memory: Replace memory_region_init_ram with memory_region_allocate_system_memory 2015-03-25 14:35:24 +01:00
mem pc-dimm: don't assert if pc-dimm alignment != hotpluggable mem range size 2015-06-04 11:20:34 +02:00
microblaze microblaze: fix memory leak 2015-04-30 16:06:18 +03:00
mips hw/acpi: piix4_pm_init(): take fw_cfg object no more 2015-06-04 11:25:42 +02:00
misc macio: Convert to realize() 2015-06-03 23:56:49 +02:00
moxie memory: add parameter errp to memory_region_init_ram 2014-09-09 13:41:43 +02:00
net pcnet: force the buffer access to be in bounds during tx 2015-06-10 15:03:02 +01:00
nvram fw_cfg: factor out initialization of FW_CFG_ID (rev. number) 2015-03-25 13:37:10 +01:00
openrisc hw/core/loader: implement address translation in uimage loader 2014-11-03 00:59:10 +03:00
pci pc, acpi, virtio, tpm 2015-06-04 18:33:24 +01:00
pci-bridge hw/pxb: add numa_node parameter 2015-06-03 18:19:18 +02:00
pci-host q35: implement TSEG 2015-06-05 19:45:13 +02:00
pcmcia hmp: Remove "info pcmcia" 2014-10-24 12:19:11 +01:00
ppc Patch queue for ppc - 2015-06-03 2015-06-04 14:04:14 +01:00
s390x virtio-ccw/migration: Migrate config vector for virtio devices 2015-06-03 18:07:05 +02:00
scsi virtio: make features 64bit wide 2015-06-01 14:18:55 +02:00
sd hw/sd: Don't pass BlockBackend to sd_reset() 2015-05-12 11:57:16 +01:00
sh4 Switch non-CPU callers from ld/st*_phys to address_space_ld/st* 2015-04-26 16:49:24 +01:00
sparc hw/sparc/sun4m.c: Fix misusing qemu_allocate_irqs for single irq 2015-06-03 14:21:24 +03:00
sparc64 fw_cfg: factor out initialization of FW_CFG_ID (rev. number) 2015-03-25 13:37:10 +01:00
ssi omap: Fix warnings from Sparse 2015-03-19 11:11:55 +03:00
timer hw/timer/arm_timer.c: Fix misusing qemu_allocate_irqs for single irq 2015-06-03 14:21:24 +03:00
tpm TPM2 ACPI table support 2015-06-01 14:18:54 +02:00
tricore target-tricore: check return value before using it 2014-11-02 10:04:34 +03:00
unicore32 hw/unicore32/puv3.c: Fix misusing qemu_allocate_irqs for single irq 2015-06-03 14:21:24 +03:00
usb trivial patches for 2015-05-09 2015-05-11 13:54:00 +01:00
vfio exec: move rcu_read_lock/unlock to address_space_translate callers 2015-04-30 16:55:32 +02:00
virtio memory: prepare for multiple bits in the dirty log mask 2015-06-05 17:09:59 +02:00
watchdog i6300esb: Fix signed integer overflow 2015-03-25 13:38:05 +01:00
xen xen/pt: unknown PCI config space fields should be read-only 2015-06-02 15:07:01 +00:00
xenpv hw: Convert from BlockDriverState to BlockBackend, mostly 2014-10-20 14:02:25 +02:00
xtensa xtensa: Remove superfluous '\n' around error_report() 2015-03-10 08:15:33 +03:00
Makefile.objs vfio: move hw/misc/vfio.c to hw/vfio/pci.c Move vfio.h into include/hw/vfio 2014-12-19 15:24:06 -07:00