From patchwork Fri Feb 28 17:47:58 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Maydell X-Patchwork-Id: 869287 Delivered-To: patch@linaro.org Received: by 2002:a05:6000:1561:b0:38f:210b:807b with SMTP id 1csp932267wrz; Fri, 28 Feb 2025 09:49:11 -0800 (PST) X-Forwarded-Encrypted: i=2; AJvYcCUKsydGAX0K9GRUdvoC59W19rmD4J8KexzhVs4t1ibfJrwMh6L/+9ssyGCs3lB7B0Yi8jeFng==@linaro.org X-Google-Smtp-Source: AGHT+IHCFYtkTQz7AI2pQWcB2Ih++V2lwFBLR3zUE/mnimdtHHYgFrctQ+SncZK7Z0SOU49gejZM X-Received: by 2002:a05:622a:14:b0:472:133f:93b9 with SMTP id d75a77b69052e-474bc11526cmr62169871cf.43.1740764951604; Fri, 28 Feb 2025 09:49:11 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1740764951; cv=none; d=google.com; s=arc-20240605; b=HqPExNzbyzIybUr6dWIBSs1yzv1bEW++kDh1sywZRHybrcAy9rf7h6HNq0LiMKCLHX ZzvErwTMXEFsqnt/1FqmvHbVJsP7xZeWIGTxn+Vp0khmpvTNCE42ZD35b2Uu52bppemz R/xLVbCDhuLJ+Vs7zTZXH/8SyHxbR4X+149fBTS725j3gYm1q8gsnGZgB6Rn6r2mnLTi x4+rYdYlDnAp0qH6TY/PFJC53vr+pnfVJwgzHpTL1yZIsaFFsQgMfOMzU6snGdMZJ64u 2p6zt/ZundUZ5ZJqMfd7FH1x0SLfnudaoe34k3c/gbPLCj41xjkMzlG/Pc65DrhtsG3S XuUQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:message-id:date:subject:cc:to:from:dkim-signature; bh=I40sF1i9jFqYAyQf3qwE84BFM4SpyXkD56Y42KHQEPA=; fh=aDuvzkc5FgnTtGz0LJPOTxHV0thsK+ExaF4Ax/uQVIo=; b=W2oHbhsVM6zzB15J3ioW+m0fh0mTTzre32rbjT6mC22X/Jpf3fFihhKg7MiSPH2YGX MilkKm+N24zMEJRLbe9pycdcMs7ZhldCwxaT93FCJSnVOINv6n/s9qBq3+x7VQGtI1Q8 6y+TZMofvja+MJKhQY9+BwEez0ZFRwD7LjdjcK5LgpSltVxmBGsIeM7rthS02V2Oi46t uFMbNVTq/EHUxS7x3PQorOMQTJQHtUxtmrqgJnxB4r2d/VErIZA7ZhHAJerW4NFlyQ1D O4tVwcPWeYxk68vNon77E6SnLKi+CmTngzEOpmIScA7aq/ZXgbQzPK5BOwMvzvjuaXBN QAqw==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=Sksizvwq; spf=pass (google.com: domain of qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom="qemu-devel-bounces+patch=linaro.org@nongnu.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org; dara=neutral header.i=@linaro.org Return-Path: Received: from lists.gnu.org (lists.gnu.org. [209.51.188.17]) by mx.google.com with ESMTPS id d75a77b69052e-4747243a1b6si36557241cf.546.2025.02.28.09.49.11 for (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256); Fri, 28 Feb 2025 09:49:11 -0800 (PST) Received-SPF: pass (google.com: domain of qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=Sksizvwq; spf=pass (google.com: domain of qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom="qemu-devel-bounces+patch=linaro.org@nongnu.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org; dara=neutral header.i=@linaro.org Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1to4TB-0007VI-B8; Fri, 28 Feb 2025 12:48:17 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1to4T3-0007JL-40 for qemu-devel@nongnu.org; Fri, 28 Feb 2025 12:48:13 -0500 Received: from mail-wm1-x333.google.com ([2a00:1450:4864:20::333]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1to4T0-0005MA-NW for qemu-devel@nongnu.org; Fri, 28 Feb 2025 12:48:08 -0500 Received: by mail-wm1-x333.google.com with SMTP id 5b1f17b1804b1-43996e95114so17171925e9.3 for ; Fri, 28 Feb 2025 09:48:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1740764885; x=1741369685; darn=nongnu.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=I40sF1i9jFqYAyQf3qwE84BFM4SpyXkD56Y42KHQEPA=; b=SksizvwqlRoRwCX8PRqUlKl/Jr52kAaUnd4MGP/w7BGs4m8lQmHKuGK5uSOIxKiBDt Km3u3BB5YeRhg9moub0Heiluehg0zMpJ+ct9nvV9WAfEhIGfB7qImF/VxJ/MOXI4NKdH NqLIvExsJl2DPNxjbnBsCDsPZMLPLA9jZRVKR8BcNphxGQll+EGy6SyViplkOT39SCRx lProSni4Ann0R46dgFijyVmegtEnS8Woy8LHsrJnedFNO15GEmImvdSHhhlWJsYw6Ft7 nD65hvCgwROd6UkNipzkN4Me/eijuQVrYcYPdhlXBxTOoDi5r4+Eff/MVUm3v4ojSmB9 JdHg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1740764885; x=1741369685; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=I40sF1i9jFqYAyQf3qwE84BFM4SpyXkD56Y42KHQEPA=; b=gculOVGnuQxwWUYT7aIKn6aeOWAV0iBq/q9A6ea3C4DZZlnsA6lRHnfIjshKKvmX5p A0uQOSBjY3nXGvUgCxt9utEVp+0bMc/BV4VLFSPb4VbLXoT1LnEdX0CTpi58gmC4fc1i 8+u6ASw1nuTUXHFclSrEJxPj13DOZGhVmJ1Oc1oHA6lE0VmWudM0bmQfgdu8zbTXwbi5 XyOIJO1sk6knqgB0Fad4QRH3HbttHmG4Q5MHLr1xNNrz1UV1GFpWajF8QMIIICaTUEl3 eLtcJZuVkriLjmyuIiBMr6n3qWhit3rr4H0BAaMgQmSnVEtoQ8TgahGAKkJ/7B4GFPmX rHeg== X-Forwarded-Encrypted: i=1; AJvYcCWGkf0aKMpZQH+SMs0MF5tkfyf2cmZWWn0fz0LvtaIRBMOa8DZwcJDnHanehSBSWSi7dppzlDRnb91D@nongnu.org X-Gm-Message-State: AOJu0YxEUT9KWMYdQbXMEAHoxwM+aJ7oXJ4bs/mG3IOxnu/vmaV2tAKU fSTguHypetaodhaZACuk541JfRLe5eLDmKK0biT+/G7hPTmbjmrTAZS+hlh7hEA= X-Gm-Gg: ASbGncvZgAj/vDlEXxymRxahvc/tUy6cIXdoWJg9jeLyika1Cx4PLayMo5VH3Rg7vKX dmKLeN8ek0ijOgiOt12zaJFURB9TSfL8UVIxF2XkK5b/iVYRpBi6RFYayqJn3ar6Al4CU1d8GjW MwK2bkPvayIcgBx20gp9t+DAb9biLI9/WZ689YYeDX+i4AB7RY7FJOQI722EmTBbxUuDgZKTk49 NWjyM6F0mkz/1ePT0nQW05jpDxSwaB2aax1cVkPzJDdr2LhpCDL+qZqoLc/HnOpQT7jbhFVX0eK 4H/9XrDo0jQSa9ZwB7i7t5ady2xWUKeY X-Received: by 2002:a05:6000:1447:b0:390:e904:63de with SMTP id ffacd0b85a97d-390ec7cda50mr3633989f8f.20.1740764884491; Fri, 28 Feb 2025 09:48:04 -0800 (PST) Received: from orth.archaic.org.uk (orth.archaic.org.uk. [2001:8b0:1d0::2]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-390e4795da5sm5979556f8f.15.2025.02.28.09.48.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 28 Feb 2025 09:48:03 -0800 (PST) From: Peter Maydell To: qemu-arm@nongnu.org, qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Jason Wang Subject: [PATCH 0/3] hw/net/smc91c111: Fix potential array overflows Date: Fri, 28 Feb 2025 17:47:58 +0000 Message-ID: <20250228174802.1945417-1-peter.maydell@linaro.org> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 Received-SPF: pass client-ip=2a00:1450:4864:20::333; envelope-from=peter.maydell@linaro.org; helo=mail-wm1-x333.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org Sender: qemu-devel-bounces+patch=linaro.org@nongnu.org This patchset fixes some potential array overflows in the smc91c111 ethernet device model, including the one found in https://gitlab.com/qemu-project/qemu/-/issues/2742 There are two classes of bugs: * we accept packet numbers from the guest, but we were not validating that they were in range before using them as an index into the data[][] array * we didn't sanitize the length field read from the data frame on tx before using it as an index to find the control byte at the end of the frame, so we could read off the end of the buffer This patchset fixes both of these. The datasheet is sadly silent on the h/w behaviour for these errors, so I opted to LOG_GUEST_ERROR and silently ignore the invalid operations. Patch 3 tidies up the existing code to use a constant defined in patch 2; I put it last so we can cc the first two patches to stable without having to also backport that patch. thanks -- PMM Peter Maydell (3): hw/net/smc91c111: Sanitize packet numbers hw/net/smc91c111: Sanitize packet length on tx hw/net/smc91c111: Use MAX_PACKET_SIZE instead of magic numbers hw/net/smc91c111.c | 87 +++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 79 insertions(+), 8 deletions(-)