Message ID | 1470856340-24394-1-git-send-email-ppandit@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com> > On 10 Aug 2016, at 22:12 PM, P J P <ppandit@redhat.com> wrote: > > From: Li Qiang <liqiang6-s@360.cn> > > In Vmxnet3 device emulator while processing transmit(tx) queue, > when it reaches end of packet, it calls vmxnet3_complete_packet. > In that local 'txcq_descr' object is not initialised, which could > leak host memory bytes to a guest. > > Reported-by: Li Qiang <liqiang6-s@360.cn> > Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> > --- > hw/net/vmxnet3.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c > index 90f6943..92f6af9 100644 > --- a/hw/net/vmxnet3.c > +++ b/hw/net/vmxnet3.c > @@ -531,6 +531,7 @@ static void vmxnet3_complete_packet(VMXNET3State *s, int qidx, uint32_t tx_ridx) > > VMXNET3_RING_DUMP(VMW_RIPRN, "TXC", qidx, &s->txq_descr[qidx].comp_ring); > > + memset(&txcq_descr, 0, sizeof(txcq_descr)); > txcq_descr.txdIdx = tx_ridx; > txcq_descr.gen = vmxnet3_ring_curr_gen(&s->txq_descr[qidx].comp_ring); > > -- > 2.5.5 >
Hello Jason, +-- On Thu, 11 Aug 2016, Dmitry Fleytman wrote --+ | Reviewed-by: Dmitry Fleytman <dmitry@daynix.com> | | > @@ -531,6 +531,7 @@ static void vmxnet3_complete_packet(VMXNET3State *s, int qidx, uint32_t tx_ridx) | > | > VMXNET3_RING_DUMP(VMW_RIPRN, "TXC", qidx, &s->txq_descr[qidx].comp_ring); | > | > + memset(&txcq_descr, 0, sizeof(txcq_descr)); | > txcq_descr.txdIdx = tx_ridx; It seems this one is not pulled upstream yet? There is another one like it. (just checking) Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
On 2016-10-19 03:35, P J P wrote: > Hello Jason, > > +-- On Thu, 11 Aug 2016, Dmitry Fleytman wrote --+ > | Reviewed-by: Dmitry Fleytman <dmitry@daynix.com> > | > | > @@ -531,6 +531,7 @@ static void vmxnet3_complete_packet(VMXNET3State *s, int qidx, uint32_t tx_ridx) > | > > | > VMXNET3_RING_DUMP(VMW_RIPRN, "TXC", qidx, &s->txq_descr[qidx].comp_ring); > | > > | > + memset(&txcq_descr, 0, sizeof(txcq_descr)); > | > txcq_descr.txdIdx = tx_ridx; > > It seems this one is not pulled upstream yet? There is another one like it. > (just checking) My bad, this patch was missed for some reason. I've queued this in my tree. Thanks > > Thank you. > -- > Prasad J Pandit / Red Hat Product Security Team > 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F >
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c index 90f6943..92f6af9 100644 --- a/hw/net/vmxnet3.c +++ b/hw/net/vmxnet3.c @@ -531,6 +531,7 @@ static void vmxnet3_complete_packet(VMXNET3State *s, int qidx, uint32_t tx_ridx) VMXNET3_RING_DUMP(VMW_RIPRN, "TXC", qidx, &s->txq_descr[qidx].comp_ring); + memset(&txcq_descr, 0, sizeof(txcq_descr)); txcq_descr.txdIdx = tx_ridx; txcq_descr.gen = vmxnet3_ring_curr_gen(&s->txq_descr[qidx].comp_ring);
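Review bot: The memset() added just above `txcq_descr.txdIdx = tx_ridx;` has no comment saying why the whole descriptor is cleared, and the only assignments visible after it are txdIdx and gen, so a later cleanup could take it for redundant and drop it or replace it with per-field stores. A one-line comment stating that, per the commit message, the remaining bytes of the descriptor would otherwise reach the guest uninitialised would protect the fix. Keeping memset() over sizeof(txcq_descr) rather than switching to a brace initialiser is the right choice here, since it also clears any padding bytes in the structure, which an initialiser is not guaranteed to do. The commit message would also be stronger if it named the path by which the descriptor reaches the guest, so that other locally built descriptors in hw/net/vmxnet3.c can be checked for the same pattern.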