diff mbox

net: vmxnet3: check for device_active before write

Message ID 1470659911-13733-1-git-send-email-ppandit@redhat.com (mailing list archive)
State New, archived
Headers show

Commit Message

Prasad Pandit Aug. 8, 2016, 12:38 p.m. UTC 
From: Li Qiang <liqiang6-s@360.cn>

Vmxnet3 device emulator does not check if the device is active,
before using it for write. It leads to a use after free issue,
if the vmxnet3_io_bar0_write routine is called after the device is
deactivated. Add check to avoid it.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
 hw/net/vmxnet3.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Dmitry Fleytman Aug. 8, 2016, 1:08 p.m. UTC | #1 
Acked-by: Dmitry Fleytman <dmitry@daynix.com>

> On 8 Aug 2016, at 15:38 PM, P J P <ppandit@redhat.com> wrote:
> 
> From: Li Qiang <liqiang6-s@360.cn>
> 
> Vmxnet3 device emulator does not check if the device is active,
> before using it for write. It leads to a use after free issue,
> if the vmxnet3_io_bar0_write routine is called after the device is
> deactivated. Add check to avoid it.
> 
> Reported-by: Li Qiang <liqiang6-s@360.cn>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> hw/net/vmxnet3.c | 4 ++++
> 1 file changed, 4 insertions(+)
> 
> diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
> index bbf44ad..90f6943 100644
> --- a/hw/net/vmxnet3.c
> +++ b/hw/net/vmxnet3.c
> @@ -1167,6 +1167,10 @@ vmxnet3_io_bar0_write(void *opaque, hwaddr addr,
> {
>     VMXNET3State *s = opaque;
> 
> +    if (!s->device_active) {
> +        return;
> +    }
> +
>     if (VMW_IS_MULTIREG_ADDR(addr, VMXNET3_REG_TXPROD,
>                         VMXNET3_DEVICE_MAX_TX_QUEUES, VMXNET3_REG_ALIGN)) {
>         int tx_queue_idx =
> -- 
> 2.5.5
>
Jason Wang Aug. 9, 2016, 3:39 a.m. UTC | #2 
On 2016年08月08日 21:08, Dmitry Fleytman wrote:
> Acked-by: Dmitry Fleytman <dmitry@daynix.com>
>
>> On 8 Aug 2016, at 15:38 PM, P J P <ppandit@redhat.com> wrote:
>>
>> From: Li Qiang <liqiang6-s@360.cn>
>>
>> Vmxnet3 device emulator does not check if the device is active,
>> before using it for write. It leads to a use after free issue,
>> if the vmxnet3_io_bar0_write routine is called after the device is
>> deactivated. Add check to avoid it.
>>
>> Reported-by: Li Qiang <liqiang6-s@360.cn>
>> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
>> ---
>> hw/net/vmxnet3.c | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
>> index bbf44ad..90f6943 100644
>> --- a/hw/net/vmxnet3.c
>> +++ b/hw/net/vmxnet3.c
>> @@ -1167,6 +1167,10 @@ vmxnet3_io_bar0_write(void *opaque, hwaddr addr,
>> {
>>      VMXNET3State *s = opaque;
>>
>> +    if (!s->device_active) {
>> +        return;
>> +    }
>> +
>>      if (VMW_IS_MULTIREG_ADDR(addr, VMXNET3_REG_TXPROD,
>>                          VMXNET3_DEVICE_MAX_TX_QUEUES, VMXNET3_REG_ALIGN)) {
>>          int tx_queue_idx =
>> -- 
>> 2.5.5
>>

Applied, thanks.
diff mbox

Patch

diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index bbf44ad..90f6943 100644
--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
@@ -1167,6 +1167,10 @@  vmxnet3_io_bar0_write(void *opaque, hwaddr addr,
 {
     VMXNET3State *s = opaque;
 
+    if (!s->device_active) {
+        return;
+    }
+
     if (VMW_IS_MULTIREG_ADDR(addr, VMXNET3_REG_TXPROD,
                         VMXNET3_DEVICE_MAX_TX_QUEUES, VMXNET3_REG_ALIGN)) {
         int tx_queue_idx =