[PATCH 43/64] hw/net/can: sja1000 fix buff2frame_bas and buff2frame_pel
From: Michael Roth
Subject: [PATCH 43/64] hw/net/can: sja1000 fix buff2frame_bas and buff2frame_pel when dlc is out of std CAN 8 bytes
Date: Tue, 19 Oct 2021 09:09:23 -0500
From: Pavel Pisa <pisa@cmp.felk.cvut.cz>
Problem reported by openEuler fuzz-sig group.
The buff2frame_bas function (hw/net/can/can_sja1000.c):
infoleak (qemu 5.x~qemu 6.x) or stack-overflow (qemu 4.x).
Reported-by: Qiang Ning <ningqiang1@huawei.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Pavel Pisa <pisa@cmp.felk.cvut.cz>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 11744862f27b9ba6488a247d2fd6bb83d9bc3c8d)
Signed-off-by: Michael Roth <michael.roth@amd.com>
---
hw/net/can/can_sja1000.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/hw/net/can/can_sja1000.c b/hw/net/can/can_sja1000.c
index 42d2f99dfb..34eea684ce 100644
--- a/hw/net/can/can_sja1000.c
+++ b/hw/net/can/can_sja1000.c
@@ -275,6 +275,10 @@ static void buff2frame_pel(const uint8_t *buff,
qemu_can_frame *frame)
}
frame->can_dlc = buff[0] & 0x0f;
+ if (frame->can_dlc > 8) {
+ frame->can_dlc = 8;
+ }
+
if (buff[0] & 0x80) { /* Extended */
frame->can_id |= QEMU_CAN_EFF_FLAG;
frame->can_id |= buff[1] << 21; /* ID.28~ID.21 */
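Review bot: the clamp added after `frame->can_dlc = buff[0] & 0x0f;` sits before the ID decode, but the data copy loop of buff2frame_pel is outside this hunk, so the fix only holds if that loop is bounded by frame->can_dlc and not by the raw nibble; please confirm the loop below reads the clamped field. Second, a nibble of 9..15 is silently rewritten to 8 rather than causing the frame to be dropped, so the forwarded frame carries a DLC the guest never wrote; the commit message does not say whether this mirrors what the real controller transmits or whether rejecting the frame was considered, and a one-line comment above the clamp would record that choice.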
@@ -311,6 +315,10 @@ static void buff2frame_bas(const uint8_t *buff,
qemu_can_frame *frame)
}
frame->can_dlc = buff[1] & 0x0f;
+ if (frame->can_dlc > 8) {
+ frame->can_dlc = 8;
+ }
+
for (i = 0; i < frame->can_dlc; i++) {
frame->data[i] = buff[2 + i];
}
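Review bot: the clamp now bounds `for (i = 0; i < frame->can_dlc; i++) { frame->data[i] = buff[2 + i]; }`, which with the raw nibble could write data[8..14] and read buff[10..16]; after the clamp the loop touches at most data[0..7] and buff[2..9], so callers must still guarantee at least 10 readable bytes in buff, which the hunk does not assert. The literal 8 is the same value as in the buff2frame_pel hunk; a named constant for the classic CAN payload size, or one small helper that masks and clamps the nibble for both decoders, would keep the two paths from drifting apart.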
--
2.25.1
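The decode path the commit message describes, as an added example that is not QEMU's code and not part of this patch: a stand-alone C reconstruction of a BasicCAN TX-buffer decode with the guest-controlled DLC nibble clamped the way the buff2frame_bas hunk does. The struct, the `ex_` names, the `EX_*` constants and the buffer layout (taken from the SJA1000 datasheet's BasicCAN TX descriptor, not from this page) are assumptions of the example; the sample buffer is constructed, with the DLC nibble set to 0xF to exercise the out-of-range case a fuzzer reaches.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Example-local names; QEMU's own types and constants are not used here. */
#define EX_CAN_MAX_DLEN  8            /* classic CAN carries at most 8 data bytes */
#define EX_CAN_RTR_FLAG  0x40000000U  /* remote-request marker in can_id (SocketCAN convention) */
#define EX_BAS_DESC_LEN  2            /* BasicCAN TX descriptor: two bytes before the data */
#define EX_BAS_BUF_LEN   (EX_BAS_DESC_LEN + EX_CAN_MAX_DLEN)

struct ex_can_frame {
    uint32_t can_id;
    uint8_t  can_dlc;
    uint8_t  data[EX_CAN_MAX_DLEN];
};

/* The 4-bit DLC nibble as the guest wrote it (0..15), before any clamping. */
unsigned ex_bas_raw_dlc(const uint8_t *buff)
{
    return buff[1] & 0x0f;
}

/* How many bytes the unpatched loop, data[i] = buff[2 + i] for i < raw DLC,
 * would write past the end of an 8-byte data[] array. Computed rather than
 * performed: performing it is exactly the bug the patch removes. */
unsigned ex_bas_unchecked_overrun(const uint8_t *buff)
{
    unsigned dlc = ex_bas_raw_dlc(buff);
    return dlc > EX_CAN_MAX_DLEN ? dlc - EX_CAN_MAX_DLEN : 0;
}

/* Patched shape of the decode: the guest-controlled DLC is clamped to the
 * wire maximum before it is used as the copy-loop bound. Layout assumed from
 * the SJA1000 datasheet's BasicCAN TX buffer: buff[0] = ID.10..ID.3,
 * buff[1] = ID.2..ID.0 in bits 7..5, RTR in bit 4, DLC in bits 3..0,
 * buff[2..9] = data. Returns the number of data bytes copied. */
unsigned ex_bas_decode(const uint8_t *buff, struct ex_can_frame *frame)
{
    unsigned i;

    memset(frame, 0, sizeof(*frame));
    frame->can_id = ((uint32_t)buff[0] << 3) | ((buff[1] >> 5) & 0x07);
    if (buff[1] & 0x10) {
        frame->can_id |= EX_CAN_RTR_FLAG;
    }
    frame->can_dlc = buff[1] & 0x0f;
    if (frame->can_dlc > EX_CAN_MAX_DLEN) {
        frame->can_dlc = EX_CAN_MAX_DLEN;   /* the check the patch adds */
    }
    for (i = 0; i < frame->can_dlc; i++) {
        frame->data[i] = buff[EX_BAS_DESC_LEN + i];
    }
    return frame->can_dlc;
}

/* Constructed sample (not a captured guest write): standard ID 0x55B, RTR
 * clear, DLC nibble 0xF, the out-of-range value a fuzzer reaches at once. */
static const uint8_t ex_hostile_buf[EX_BAS_BUF_LEN] = {
    0xAB, 0x6F, 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H'
};

/* Decodes the sample and checks the expected outcome: ID 0x55B, DLC clamped
 * to 8, exactly the 8 in-buffer data bytes copied. Returns 1 on success. */
int ex_demo_ok(void)
{
    struct ex_can_frame f;
    unsigned n = ex_bas_decode(ex_hostile_buf, &f);

    return n == EX_CAN_MAX_DLEN && f.can_dlc == EX_CAN_MAX_DLEN &&
           f.can_id == 0x55B &&
           memcmp(f.data, "ABCDEFGH", EX_CAN_MAX_DLEN) == 0;
}

int main(void)
{
    printf("raw dlc %u, unpatched overrun %u bytes, patched decode ok: %d\n",
           ex_bas_raw_dlc(ex_hostile_buf),
           ex_bas_unchecked_overrun(ex_hostile_buf), ex_demo_ok());
    return ex_demo_ok() ? 0 : 1;
}
```

The unpatched loop is deliberately never executed with the hostile DLC, since that execution is the overflow itself; ex_bas_unchecked_overrun only computes how far past data[] it would have written, which for DLC 15 against an 8-byte array is 7 bytes. The clamp makes the loop bound independent of the guest value, which is the property the two hunks restore.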