From: Peter Maydell
To: qemu-devel@nongnu.org
Subject: [PULL 34/34] hw/net: Fix read of uninitialized memory in imx_fec.
Date: Thu, 5 Jan 2023 16:44:17 +0000
Message-Id: <20230105164417.3994639-35-peter.maydell@linaro.org>
In-Reply-To: <20230105164417.3994639-1-peter.maydell@linaro.org>

From: Stephen Longfield

Size is used at lines 1088/1188 for the loop, which reads the last 4 bytes
from the crc_ptr so it does need to get increased, however it shouldn't be
increased before the buffer is passed to CRC computation, or the crc32
function will access uninitialized memory.

This was pointed out to me by clg@kaod.org during the code review of
a similar patch to hw/net/ftgmac100.c

Change-Id: Ib0464303b191af1e28abeb2f5105eb25aadb5e9b
Signed-off-by: Stephen Longfield
Reviewed-by: Patrick Venture
Message-id: 20221221183202.3788132-1-slongfield@google.com
Reviewed-by: Peter Maydell
Signed-off-by: Peter Maydell
--- hw/net/imx_fec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c index 8c11b237de7..c862d965930 100644 --- a/hw/net/imx_fec.c +++ b/hw/net/imx_fec.c
@@ -1068,9 +1068,9 @@ static ssize_t imx_fec_receive(NetClientState *nc, const uint8_t *buf, return 0; } - /* 4 bytes for the CRC. */ - size += 4; crc = cpu_to_be32(crc32(~0, buf, size)); + /* Increase size by 4, loop below reads the last 4 bytes from crc_ptr. */ + size += 4; crc_ptr = (uint8_t *) &crc; /* Huge frames are truncated. */ @@ -1164,9 +1164,9 @@ static ssize_t imx_enet_receive(NetClientState *nc, const uint8_t *buf, return 0; } - /* 4 bytes for the CRC. */ - size += 4; crc = cpu_to_be32(crc32(~0, buf, size)); + /* Increase size by 4, loop below reads the last 4 bytes from crc_ptr. */ + size += 4; crc_ptr = (uint8_t *) &crc; if (shift16) {
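Review bot: in the imx_fec_receive hunk, `size` changes meaning between two adjacent statements: it is the number of valid bytes in `buf` on the `crc32(~0, buf, size)` line and the frame length including the 4 CRC bytes from `size += 4;` onward, so the fix holds only as long as nobody reorders those lines again. Consider keeping `size` as the received length and using a separately named variable for the length that includes the CRC, or at minimum extending the new comment to state that crc32() must be called before the increment because `buf` holds only `size` bytes. The commit message refers to "lines 1088/1188", which will drift as the file changes; the in-code comment is the reference that lasts, so it should carry the full reason.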
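Review bot: the imx_enet_receive hunk repeats the imx_fec_receive change line for line, which shows the CRC computation and the `size += 4;` adjustment are duplicated in both receive paths and had the same ordering defect in each. Consider factoring the `cpu_to_be32(crc32(~0, buf, size))` step and the size adjustment into one small helper used by both functions, so the ordering constraint lives in a single place. The commit message also mentions a similar patch to hw/net/ftgmac100.c, so it is worth checking whether other callers in hw/net follow the same increment-then-CRC pattern.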