From patchwork Tue Mar 11 19:51:13 2025
X-Patchwork-Submitter: Philippe Mathieu-Daudé
X-Patchwork-Id: 872488
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Peter Maydell, qemu-stable@nongnu.org, Philippe Mathieu-Daudé
Subject: [PULL 04/14] hw/net/smc91c111: Sanitize packet length on tx
Date: Tue, 11 Mar 2025 20:51:13 +0100
Message-ID: <20250311195123.94212-5-philmd@linaro.org>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250311195123.94212-1-philmd@linaro.org>
References: <20250311195123.94212-1-philmd@linaro.org>
From: Peter Maydell

When the smc91c111 transmits a packet, it must read a control byte
which is at the end of the data area and CRC. However, we don't
sanitize the length field in the packet buffer, so if the guest sets
the length field to something large we will try to read past the end
of the packet data buffer when we access the control byte.

As usual, the datasheet says nothing about the behaviour of the
hardware if the guest misprograms it in this way. It says only that
the maximum valid length is 2048 bytes. We choose to log the guest
error and silently drop the packet.

This requires us to factor out the "mark the tx packet as complete"
logic, so we can call it for this "drop packet" case as well as at the
end of the loop when we send a valid packet.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2742
Signed-off-by: Peter Maydell
Reviewed-by: Philippe Mathieu-Daudé
Message-ID: <20250228174802.1945417-3-peter.maydell@linaro.org>
[PMD: Update smc91c111_do_tx() as len > MAX_PACKET_SIZE]
Signed-off-by: Philippe Mathieu-Daudé
---
 hw/net/smc91c111.c | 34 +++++++++++++++++++++++++++++-----
 1 file changed, 29 insertions(+), 5 deletions(-)

diff --git a/hw/net/smc91c111.c b/hw/net/smc91c111.c
index 2295c6acf25..72ce5d8f4de 100644
--- a/hw/net/smc91c111.c
+++ b/hw/net/smc91c111.c
@@ -22,6 +22,13 @@ /* Number of 2k memory pages available. */ #define NUM_PACKETS 4 +/* + * Maximum size of a data frame, including the leading status word + * and byte count fields and the trailing CRC, last data byte + * and control byte (per figure 8-1 in the Microchip Technology + * LAN91C111 datasheet). + */ +#define MAX_PACKET_SIZE 2048 #define TYPE_SMC91C111 "smc91c111" OBJECT_DECLARE_SIMPLE_TYPE(smc91c111_state, SMC91C111)
@@ -240,6 +247,16 @@ static void smc91c111_release_packet(smc91c111_state *s, int packet) smc91c111_flush_queued_packets(s); } +static void smc91c111_complete_tx_packet(smc91c111_state *s, int packetnum) +{ + if (s->ctr & CTR_AUTO_RELEASE) { + /* Race? */ + smc91c111_release_packet(s, packetnum); + } else if (s->tx_fifo_done_len < NUM_PACKETS) { + s->tx_fifo_done[s->tx_fifo_done_len++] = packetnum; + } +} + /* Flush the TX FIFO. */ static void smc91c111_do_tx(smc91c111_state *s) { @@ -263,6 +280,17 @@ static void smc91c111_do_tx(smc91c111_state *s) *(p++) = 0x40; len = *(p++); len |= ((int)*(p++)) << 8; + if (len > MAX_PACKET_SIZE) { + /* + * Datasheet doesn't say what to do here, and there is no + * relevant tx error condition listed. Log, and drop the packet. + */ + qemu_log_mask(LOG_GUEST_ERROR, + "smc91c111: tx packet with bad length %d, dropping\n", + len); + smc91c111_complete_tx_packet(s, packetnum); + continue; + } len -= 6; control = p[len + 1]; if (control & 0x20) @@ -291,11 +319,7 @@ static void smc91c111_do_tx(smc91c111_state *s) } } #endif - if (s->ctr & CTR_AUTO_RELEASE) - /* Race? */ - smc91c111_release_packet(s, packetnum); - else if (s->tx_fifo_done_len < NUM_PACKETS) - s->tx_fifo_done[s->tx_fifo_done_len++] = packetnum; + smc91c111_complete_tx_packet(s, packetnum); qemu_send_packet(qemu_get_queue(s->nic), p, len); } s->tx_fifo_len = 0;
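Review bot: in the first hunk, the MAX_PACKET_SIZE comment counts the trailing CRC as part of the 2048-byte frame, but the tx path only strips six bytes (`len -= 6;` followed by `control = p[len + 1];`) before locating the control byte, which leaves no room for a 4-byte CRC in the buffer; either the comment should say the CRC is not stored in the tx buffer or the subtraction should be explained, so the two do not contradict each other. Also, 2048 is the same 2k page size the neighbouring "Number of 2k memory pages available" comment refers to, so a short note tying MAX_PACKET_SIZE to the page size (or deriving the page dimension from it) would keep the two from drifting apart.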
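Review bot: in the second hunk, the new smc91c111_complete_tx_packet() helper has no comment; since it is now reached from two places (the new drop path and the end of the tx loop), a one-line comment saying that it either auto-releases the page under CTR_AUTO_RELEASE or queues the packet number on tx_fifo_done would help, and the inherited `/* Race? */` deserves either an explanation or removal. Note also that when `s->tx_fifo_done_len` has reached NUM_PACKETS the packet number is silently lost; that is pre-existing behaviour, but dropped packets now take this path too, which is worth stating in the comment.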
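Review bot: in the third hunk, `if (len > MAX_PACKET_SIZE)` only bounds the guest-supplied byte count from above; a count below 6 passes it, and the unchanged `len -= 6;` that follows then makes `len` negative, so `control = p[len + 1];` indexes backwards from `p` into or before the bytes just stepped over. Rejecting the low end in the same condition, e.g. `if (len < 6 || len > MAX_PACKET_SIZE) {`, closes that side with the same log-and-drop handling and the same LOG_GUEST_ERROR message. The `continue` after smc91c111_complete_tx_packet() is fine as far as the FIFO goes, since `s->tx_fifo_len = 0;` at the end of the loop still clears it.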
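As an added worked example (this is not QEMU's code and not part of the patch above), the following stand-alone C model mirrors the transmit-page arithmetic the commit message describes: the byte count the guest wrote at offset 2 of a 2048-byte page is read, six bytes of framing are subtracted, and the control byte is fetched at what works out to offset count - 1, so a count of 2048 lands on the last byte of the page and 2049 lands one byte past it. It goes one step beyond the patch by also rejecting counts below 6, the case where the subtraction would go negative. The page layout follows the MAX_PACKET_SIZE comment; the assumption that the six bytes are status word, byte count, last data byte and control byte, the names PAGE_SIZE, FRAME_OVERHEAD, CTRL_ODD, tx_parse, tx_try, tx_payload_len, tx_control_offset, tx_count_is_valid and tx_build_page, and the constructed page contents are all this example's own.

```c
/*
 * Added example, not QEMU code: a stand-alone model of the smc91c111
 * transmit-page parsing discussed in the commit message. Assumed layout
 * (from the MAX_PACKET_SIZE comment in the patch): a 2048-byte page holding
 * a 2-byte status word, a 2-byte little-endian byte count that covers the
 * whole frame, the payload, then a last data byte and a control byte.
 * All names below are this example's own.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SIZE      2048  /* one 2k packet page; MAX_PACKET_SIZE in the patch */
#define FRAME_OVERHEAD 6     /* assumed: status(2) + count(2) + last data byte + control byte */
#define CTRL_ODD       0x20  /* control-byte bit: frame carries an odd trailing data byte */

enum tx_status { TX_OK, TX_BAD_LEN };

struct tx_frame {
    const uint8_t *data;  /* first payload byte inside the page */
    int len;              /* payload length that would be handed to the backend */
    uint8_t control;
};

/* Offset of the control byte from the page start for a given byte count.
 * Same arithmetic as the device model: p = page + 4, then p[(count - 6) + 1],
 * i.e. count - 1. For count == 2048 this is 2047, the last byte of the page;
 * for 2049 it is 2048, one byte past it. */
int tx_control_offset(int count)
{
    return 4 + (count - FRAME_OVERHEAD) + 1;
}

/* The upper bound is the patch's check. The lower bound is added here so that
 * count - 6 can never be negative, which would index backwards from p. */
int tx_count_is_valid(int count)
{
    return count >= FRAME_OVERHEAD && count <= PAGE_SIZE;
}

/* Parse one transmit page. On TX_BAD_LEN nothing beyond the count field has
 * been read; on TX_OK the control byte was fetched from inside the page. */
enum tx_status tx_parse(const uint8_t *page, struct tx_frame *out)
{
    const uint8_t *p = page + 2;               /* skip the status word */
    int count = p[0] | ((int)p[1] << 8);       /* little-endian byte count */
    p += 2;

    if (!tx_count_is_valid(count)) {
        return TX_BAD_LEN;                     /* log-and-drop in the device model */
    }
    int len = count - FRAME_OVERHEAD;
    uint8_t control = p[len + 1];              /* page[count - 1], always < PAGE_SIZE here */
    if (control & CTRL_ODD) {
        len++;                                 /* odd frame: include the last data byte */
    }
    out->data = p;
    out->len = len;
    out->control = control;
    return TX_OK;
}

/* Fill a constructed page: 0xAB payload, the given count, and a control byte
 * placed where a well-formed frame would put it (only if it fits in the page). */
void tx_build_page(uint8_t *page, int count, uint8_t control)
{
    memset(page, 0xAB, PAGE_SIZE);
    page[0] = 0x00;
    page[1] = 0x00;
    page[2] = (uint8_t)(count & 0xff);
    page[3] = (uint8_t)((count >> 8) & 0xff);
    if (tx_count_is_valid(count)) {
        page[count - 1] = control;
    }
}

/* Run one constructed count through the parser and report the outcome. */
enum tx_status tx_try(int count, uint8_t control)
{
    uint8_t page[PAGE_SIZE];
    struct tx_frame f;
    tx_build_page(page, count, control);
    return tx_parse(page, &f);
}

/* Payload length the parser would hand on, or -1 if the frame is dropped. */
int tx_payload_len(int count, uint8_t control)
{
    uint8_t page[PAGE_SIZE];
    struct tx_frame f;
    tx_build_page(page, count, control);
    return tx_parse(page, &f) == TX_OK ? f.len : -1;
}

int main(void)
{
    static const int counts[] = { 64, 2048, 2049, 5 };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        int c = counts[i];
        printf("count %4d: control byte at offset %4d -> %s (len %d)\n",
               c, tx_control_offset(c),
               tx_try(c, 0x00) == TX_OK ? "sent" : "dropped",
               tx_payload_len(c, 0x00));
    }
    return 0;
}
```

The check sits before `count - FRAME_OVERHEAD` is computed and before any byte past the count field is touched, which is the property the patch restores: an out-of-range count must be rejected on the value alone, not discovered by reading where it points.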