[Qemu-commits] [qemu/qemu] b947ac: e1000: Avoid infinite loop in process
From: GitHub
Subject: [Qemu-commits] [qemu/qemu] b947ac: e1000: Avoid infinite loop in processing transmit ...
Date: Tue, 15 Sep 2015 06:30:04 -0700
Branch: refs/heads/master
Home: https://github.com/qemu/qemu
Commit: b947ac2bf26479e710489739c465c8af336599e7
https://github.com/qemu/qemu/commit/b947ac2bf26479e710489739c465c8af336599e7
Author: P J P <address@hidden>
Date: 2015-09-15 (Tue, 15 Sep 2015)
Changed paths:
M hw/net/e1000.c
Log Message:
-----------
e1000: Avoid infinite loop in processing transmit descriptor (CVE-2015-6815)
While processing transmit descriptors, it could lead to an infinite
loop if 'bytes' was to become zero; Add a check to avoid it.
[The guest can force 'bytes' to 0 by setting the hdr_len and mss
descriptor fields to 0.
--Stefan]
Signed-off-by: P J P <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
Reviewed-by: Thomas Huth <address@hidden>
Message-id: address@hidden
Commit: 9bbdbc66e5765068dce76e9269dce4547afd8ad4
https://github.com/qemu/qemu/commit/9bbdbc66e5765068dce76e9269dce4547afd8ad4
Author: P J P <address@hidden>
Date: 2015-09-15 (Tue, 15 Sep 2015)
Changed paths:
M hw/net/ne2000.c
Log Message:
-----------
net: add checks to validate ring buffer pointers(CVE-2015-5279)
Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
bytes to process network packets. While receiving packets
via ne2000_receive() routine, a local 'index' variable
could exceed the ring buffer size, which could lead to a
memory buffer overflow. Added other checks at initialisation.
Reported-by: Qinghao Tang <address@hidden>
Signed-off-by: P J P <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
Commit: 737d2b3c41d59eb8f94ab7eb419b957938f24943
https://github.com/qemu/qemu/commit/737d2b3c41d59eb8f94ab7eb419b957938f24943
Author: P J P <address@hidden>
Date: 2015-09-15 (Tue, 15 Sep 2015)
Changed paths:
M hw/net/ne2000.c
Log Message:
-----------
net: avoid infinite loop when receiving packets(CVE-2015-5278)
Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
bytes to process network packets. While receiving packets
via ne2000_receive() routine, a local 'index' variable
could exceed the ring buffer size, leading to an infinite
loop situation.
Reported-by: Qinghao Tang <address@hidden>
Signed-off-by: P J P <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
Commit: b76a0d5db25ad9f81346930230092fdf1e88a5a1
https://github.com/qemu/qemu/commit/b76a0d5db25ad9f81346930230092fdf1e88a5a1
Author: Peter Maydell <address@hidden>
Date: 2015-09-15 (Tue, 15 Sep 2015)
Changed paths:
M hw/net/e1000.c
M hw/net/ne2000.c
Log Message:
-----------
Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' into
staging
This net pull request contains security fixes for qemu.git/master. The patches
should also be applied to stable trees.
The ne2000 NIC model has a QEMU memory corruption issue. Both ne2000 and e1000
have an infinite loop.
Please see the patches for CVE numbers and details on the bugs.
# gpg: Signature made Tue 15 Sep 2015 13:02:21 BST using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <address@hidden>"
# gpg: aka "Stefan Hajnoczi <address@hidden>"
* remotes/stefanha/tags/net-pull-request:
net: avoid infinite loop when receiving packets(CVE-2015-5278)
net: add checks to validate ring buffer pointers(CVE-2015-5279)
e1000: Avoid infinite loop in processing transmit descriptor (CVE-2015-6815)
Signed-off-by: Peter Maydell <address@hidden>
Compare: https://github.com/qemu/qemu/compare/007e620a7576...b76a0d5db25a
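The two ne2000 commit messages above describe one root cause: a ring index derived from guest-written pointers is used without being checked against the buffer. The following is an added example, not the QEMU source or the committed fix; it is a simplified model of a ring-buffer receive path in which pointer validation rules out both the out-of-bounds write and the zero-progress loop. `struct ring_nic`, `ring_pointers_valid`, `ring_receive` and the sample pointer values are hypothetical; only the 49152-byte size comes from the commit message.

```c
#include <stdint.h>
#include <string.h>

#define MEM_SIZE 49152u  /* NE2000_MEM_SIZE value quoted in the commit message */

/* Hypothetical model of a NIC whose ring pointers are written by the guest. */
struct ring_nic {
    uint8_t  mem[MEM_SIZE];
    uint32_t start, stop;   /* ring occupies mem[start, stop) */
    uint32_t index;         /* next write position */
};

/* The ring must be non-empty and lie entirely inside mem[]. */
static int ring_pointers_valid(const struct ring_nic *n)
{
    return n->start < n->stop && n->stop <= MEM_SIZE;
}

/* Copy a packet into the ring, wrapping at stop. Returns the number of bytes
 * stored, or -1 if the guest-supplied pointers cannot be trusted. */
long ring_receive(struct ring_nic *n, const uint8_t *buf, size_t size)
{
    size_t done = 0;

    if (!ring_pointers_valid(n))
        return -1;              /* ring reaches past mem[]: overflow case */
    if (n->index < n->start || n->index >= n->stop)
        return -1;              /* index outside ring: no space, loop never ends */
    if (size > n->stop - n->start)
        return -1;              /* packet larger than the whole ring */

    while (done < size) {
        size_t avail = n->stop - n->index;   /* > 0 by the checks above */
        size_t len = size - done < avail ? size - done : avail;
        memcpy(n->mem + n->index, buf + done, len);
        done += len;            /* len > 0, so every iteration makes progress */
        n->index += len;
        if (n->index == n->stop)
            n->index = n->start;             /* wrap to the start of the ring */
    }
    return (long)done;
}

int main(void)
{
    static struct ring_nic n = { .start = 16384, .stop = 49152, .index = 49152 - 4 };
    const uint8_t pkt[8] = "ABCDEFG";        /* constructed sample packet */
    return ring_receive(&n, pkt, sizeof pkt) == 8 ? 0 : 1;
}
```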