| Message ID | 1456294293-26027-1-git-send-email-ppandit@redhat.com |
|---|---|
| State | New |
| Headers | show |
On 02/24/2016 02:11 PM, P J P wrote: > From: Prasad J Pandit <pjp@fedoraproject.org> > > Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152) > bytes to process network packets. Registers PSTART & PSTOP > define ring buffer size & location. Setting these registers > to invalid values could lead to infinite loop or OOB r/w > access issues. Add check to avoid it. > > Reported-by: Yang Hongke <yanghongke@huawei.com> > Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> > --- > hw/net/ne2000.c | 4 ++++ > 1 file changed, 4 insertions(+) > > Update per review: > -> https://lists.gnu.org/archive/html/qemu-devel/2016-02/msg05522.html > > diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c > index b032212..ced4666 100644 > --- a/hw/net/ne2000.c > +++ b/hw/net/ne2000.c > @@ -154,6 +154,10 @@ static int ne2000_buffer_full(NE2000State *s) > { > int avail, index, boundary; > > + if (s->stop <= s->start) { > + return 1; > + } > + > index = s->curpag << 8; > boundary = s->boundary << 8; > if (index < boundary) Hongke, would you mind to test this patch to see if it fixes your issue and add a "Tested-by" tag? Thanks
Good day to you! After my test, I find that the issue is fixed with this patch. When receiving packet, ne2000_buffer_full return 1, ne2000_receive immediately return -1,so it avoid infinite loop or OOB r/w access issues. -----邮件原件----- 发件人: Jason Wang [mailto:jasowang@redhat.com] 发送时间: 2016年2月24日 16:13 收件人: P J P; Qemu Developers 抄送: yanghongke; Prasad J Pandit 主题: Re: [PATCH v2] net: ne2000: check ring buffer control registers On 02/24/2016 02:11 PM, P J P wrote: > From: Prasad J Pandit <pjp@fedoraproject.org> > > Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152) bytes to process > network packets. Registers PSTART & PSTOP define ring buffer size & > location. Setting these registers to invalid values could lead to > infinite loop or OOB r/w access issues. Add check to avoid it. > > Reported-by: Yang Hongke <yanghongke@huawei.com> > Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> > --- > hw/net/ne2000.c | 4 ++++ > 1 file changed, 4 insertions(+) > > Update per review: > -> > https://lists.gnu.org/archive/html/qemu-devel/2016-02/msg05522.html > > diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c index b032212..ced4666 > 100644 > --- a/hw/net/ne2000.c > +++ b/hw/net/ne2000.c > @@ -154,6 +154,10 @@ static int ne2000_buffer_full(NE2000State *s) { > int avail, index, boundary; > > + if (s->stop <= s->start) { > + return 1; > + } > + > index = s->curpag << 8; > boundary = s->boundary << 8; > if (index < boundary) Hongke, would you mind to test this patch to see if it fixes your issue and add a "Tested-by" tag? Thanks
On 02/24/2016 05:25 PM, yanghongke wrote: > Good day to you! > > After my test, I find that the issue is fixed with this patch. > When receiving packet, ne2000_buffer_full return 1, ne2000_receive immediately return -1,so it avoid infinite loop or OOB r/w access issues. Thanks for the testing. (Btw please use bottom posting on the list). Apply the patch with your "Tested-by". > -----邮件原件----- > 发件人: Jason Wang [mailto:jasowang@redhat.com] > 发送时间: 2016年2月24日 16:13 > 收件人: P J P; Qemu Developers > 抄送: yanghongke; Prasad J Pandit > 主题: Re: [PATCH v2] net: ne2000: check ring buffer control registers > > > > On 02/24/2016 02:11 PM, P J P wrote: >> From: Prasad J Pandit <pjp@fedoraproject.org> >> >> Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152) bytes to process >> network packets. Registers PSTART & PSTOP define ring buffer size & >> location. Setting these registers to invalid values could lead to >> infinite loop or OOB r/w access issues. Add check to avoid it. >> >> Reported-by: Yang Hongke <yanghongke@huawei.com> >> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> >> --- >> hw/net/ne2000.c | 4 ++++ >> 1 file changed, 4 insertions(+) >> >> Update per review: >> -> >> https://lists.gnu.org/archive/html/qemu-devel/2016-02/msg05522.html >> >> diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c index b032212..ced4666 >> 100644 >> --- a/hw/net/ne2000.c >> +++ b/hw/net/ne2000.c >> @@ -154,6 +154,10 @@ static int ne2000_buffer_full(NE2000State *s) { >> int avail, index, boundary; >> >> + if (s->stop <= s->start) { >> + return 1; >> + } >> + >> index = s->curpag << 8; >> boundary = s->boundary << 8; >> if (index < boundary) > Hongke, would you mind to test this patch to see if it fixes your issue and add a "Tested-by" tag? > > Thanks
On 02/24/2016 02:11 PM, P J P wrote: > From: Prasad J Pandit <pjp@fedoraproject.org> > > Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152) bytes to process > network packets. Registers PSTART & PSTOP define ring buffer size & > location. Setting these registers to invalid values could lead to > infinite loop or OOB r/w access issues. Add check to avoid it. > > Reported-by: Yang Hongke <yanghongke@huawei.com> > Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> > Tested-by: Yang Hongke <yanghongke@huawei.com> > --- > hw/net/ne2000.c | 4 ++++ > 1 file changed, 4 insertions(+) > > Update per review: > -> > https://lists.gnu.org/archive/html/qemu-devel/2016-02/msg05522.html > > diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c index b032212..ced4666 > 100644 > --- a/hw/net/ne2000.c > +++ b/hw/net/ne2000.c > @@ -154,6 +154,10 @@ static int ne2000_buffer_full(NE2000State *s) { > int avail, index, boundary; > > + if (s->stop <= s->start) { > + return 1; > + } > + > index = s->curpag << 8; > boundary = s->boundary << 8; > if (index < boundary) After my test, the issue is fixed with this patch.
diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c index b032212..ced4666 100644 --- a/hw/net/ne2000.c +++ b/hw/net/ne2000.c @@ -154,6 +154,10 @@ static int ne2000_buffer_full(NE2000State *s) { int avail, index, boundary; + if (s->stop <= s->start) { + return 1; + } + index = s->curpag << 8; boundary = s->boundary << 8; if (index < boundary)