Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12:Update
xen
CVE-2018-17958-qemuu-rtl8139-integer-overflow-l...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2018-17958-qemuu-rtl8139-integer-overflow-leads-to-buffer-overflow.patch of Package xen
References: bsc#1111007 CVE-2018-17958 In rtl8139_do_receive(), we try to assign size_ to size which converts from size_t to integer. This will cause troubles when size_ is greater INT_MAX, this will lead a negative value in size and it can then pass the check of size < MIN_BUF_SIZE which may lead out of bound access of for both buf and buf1. Fixing by converting the type of size to size_t. CC: address@hidden Reported-by: Daniel Shapira <address@hidden> Reviewed-by: Michael S. Tsirkin <address@hidden> Signed-off-by: Jason Wang <address@hidden> --- hw/net/rtl8139.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/net/rtl8139.c =================================================================== --- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/net/rtl8139.c +++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/net/rtl8139.c @@ -822,7 +822,7 @@ static ssize_t rtl8139_do_receive(NetCli RTL8139State *s = qemu_get_nic_opaque(nc); PCIDevice *d = PCI_DEVICE(s); /* size is the length of the buffer passed to the driver */ - int size = size_; + size_t size = size_; const uint8_t *dot1q_buf = NULL; uint32_t packet_header = 0; @@ -831,7 +831,7 @@ static ssize_t rtl8139_do_receive(NetCli static const uint8_t broadcast_macaddr[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; - DPRINTF(">>> received len=%d\n", size); + DPRINTF(">>> received len=%zu\n", size); /* test if board clock is stopped */ if (!s->clock_enabled) @@ -1041,7 +1041,7 @@ static ssize_t rtl8139_do_receive(NetCli if (size+4 > rx_space) { - DPRINTF("C+ Rx mode : descriptor %d size %d received %d + 4\n", + DPRINTF("C+ Rx mode : descriptor %d size %d received %zu + 4\n", descriptor, rx_space, size); s->IntrStatus |= RxOverflow; @@ -1152,7 +1152,7 @@ static ssize_t rtl8139_do_receive(NetCli if (avail != 0 && size + 8 >= avail) { DPRINTF("rx overflow: rx buffer length %d head 0x%04x " - "read 0x%04x === available 0x%04x need 0x%04x\n", + "read 0x%04x === available 0x%04x need 0x%04zx\n", s->RxBufferSize, s->RxBufAddr, s->RxBufPtr, avail, size + 8); s->IntrStatus |= RxOverflow;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor