On Sun, 25 Jan 2026, BALATON Zoltan wrote:
> On Sun, 25 Jan 2026, orion cai wrote:
>> From bee06612dae03a07dd5a9fa407d3a834fad4c635 Mon Sep 17 00:00:00 2001
>> From: Orion <[email protected]>
>> Date: Sun, 25 Jan 2026 21:30:22 +0800
>> Subject: [PATCH v2 0/2] Fix integer overflow in RTL8139 rx buffer handling
>> This series fixes an integer overflow vulnerability in the RTL8139
>
> It's not a series but a single patch, cover letter not needed but if you have

Sorry there was a second patch that adds test case but it's hard to see as
it's all in one message. The patches in series should be separate messages
with the patches referencing the cover letter so they are grouped
together.

> cover it should be separate message with patch being a reply to it not in one
> message.
>
>> network device emulation that could allow a malicious guest to
>> bypass DMA bounds checks.
>> The vulnerability occurs in rtl8139_write_buffer() when RxBufAddr
>> accumulates to a high value after receiving many packets. The bounds
>> check using addition (RxBufAddr + size) can overflow, bypassing the
>> check.
>
> v2 should not be against v1 but against QEMU master as if v1 never happened.
Regards,
BALATON Zoltan
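
The addition-based bounds check described in the quoted cover letter, shown next to a form that cannot wrap. This is an added example, not part of the thread and not QEMU's rtl8139 code; the function names, the 32-bit unsigned types and the sample values are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers; types and names are assumptions, not QEMU's. */

/* Addition-based check: the 32-bit sum wraps modulo 2^32, so a large
 * offset plus a small size yields a small value that passes. */
static bool fits_by_addition(uint32_t offset, uint32_t size, uint32_t buf_len)
{
    return (uint32_t)(offset + size) <= buf_len;
}

/* Subtraction-based check: reject an out-of-range offset first, then
 * compare size with the space that remains. Nothing here can wrap. */
static bool fits_by_subtraction(uint32_t offset, uint32_t size, uint32_t buf_len)
{
    if (offset > buf_len)
        return false;
    return size <= buf_len - offset;
}

/* Constructed sample writes (offset, size) against a 64 KiB buffer. */
static const uint32_t SAMPLE[][2] = {
    { 0x00000100u, 0x040u },  /* well inside the buffer           */
    { 0x0000FFF0u, 0x010u },  /* ends exactly at the buffer end   */
    { 0x0000FFF0u, 0x011u },  /* one byte past the end            */
    { 0xFFFFFFF0u, 0x020u },  /* sum wraps to 0x10                */
    { 0xFFFFFF00u, 0x100u },  /* sum wraps to 0                   */
};

/* Count samples the addition check accepts but the safe check rejects. */
static int count_wrongly_accepted(uint32_t buf_len)
{
    int n = 0;
    for (size_t i = 0; i < sizeof(SAMPLE) / sizeof(SAMPLE[0]); i++) {
        if (fits_by_addition(SAMPLE[i][0], SAMPLE[i][1], buf_len) &&
            !fits_by_subtraction(SAMPLE[i][0], SAMPLE[i][1], buf_len))
            n++;
    }
    return n;
}

int main(void)
{
    printf("wrongly accepted: %d\n", count_wrongly_accepted(0x10000u));
    return 0;
}
```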