From patchwork Tue Apr 1 22:14:55 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Maydell X-Patchwork-Id: 27581 Return-Path: X-Original-To: linaro@patches.linaro.org Delivered-To: linaro@patches.linaro.org Received: from mail-pd0-f197.google.com (mail-pd0-f197.google.com [209.85.192.197]) by ip-10-151-82-157.ec2.internal (Postfix) with ESMTPS id 17EA820341 for ; Tue, 1 Apr 2014 22:15:02 +0000 (UTC) Received: by mail-pd0-f197.google.com with SMTP id fp1sf26384770pdb.8 for ; Tue, 01 Apr 2014 15:15:01 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:delivered-to:from:to:cc:subject :date:message-id:in-reply-to:references:x-original-sender :x-original-authentication-results:precedence:mailing-list:list-id :list-post:list-help:list-archive:list-unsubscribe; bh=2XB7pB6iPBqLS6TUAUKDshgv4rjOGutVG52vyh+W+0c=; b=aq2fv867E1kcSwvuv+wh15ayolX18Y6BWaF4WGS/HNxwPW8F4Y2Ug7YcHIDnpz2HOG u4SPEiqevssadMjBUWFwoR0+mtKPZk9DjhzLF7pGei8sPVcCR8jbxjQxHg3hB8ZCVCxp Uds467tzrBB+Ps3PGUFiATOEExeBAOXecJRM5gNSyym5C4WOs3hZNC+Sp/BuCsmSsyxj 5pljefFCzsOusFMG6MVOpCORTi2nEZxNjt2inyEIJdlNQVr+YhlvVRCIgnyJE40ZUPxQ yZnwdlNXwzz2EEdaoDxd/MM5hHWUoQv59VxrOqR6DDbcxSm7yDm/Zb0zhu/41hYoUmh5 VqmQ== X-Gm-Message-State: ALoCoQnH738M6qGgAoiLLTiwOziLcuKNmQmxdL3QDrcxuMSXA2mKzRxXreGDPI/rnvaRECcjeILo X-Received: by 10.66.141.231 with SMTP id rr7mr7578739pab.47.1396390501636; Tue, 01 Apr 2014 15:15:01 -0700 (PDT) MIME-Version: 1.0 X-BeenThere: patchwork-forward@linaro.org Received: by 10.140.27.138 with SMTP id 10ls146460qgx.52.gmail; Tue, 01 Apr 2014 15:15:01 -0700 (PDT) X-Received: by 10.52.128.231 with SMTP id nr7mr26039105vdb.17.1396390501528; Tue, 01 Apr 2014 15:15:01 -0700 (PDT) Received: from mail-vc0-f175.google.com (mail-vc0-f175.google.com [209.85.220.175]) by mx.google.com with ESMTPS id sy7si4001306vdc.136.2014.04.01.15.15.01 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 01 Apr 2014 15:15:01 -0700 (PDT) Received-SPF: neutral (google.com: 209.85.220.175 is neither permitted nor denied by best guess record for domain of patch+caf_=patchwork-forward=linaro.org@linaro.org) client-ip=209.85.220.175; Received: by mail-vc0-f175.google.com with SMTP id lh14so10516569vcb.20 for ; Tue, 01 Apr 2014 15:15:01 -0700 (PDT) X-Received: by 10.52.120.6 with SMTP id ky6mr3026522vdb.38.1396390501207; Tue, 01 Apr 2014 15:15:01 -0700 (PDT) X-Forwarded-To: patchwork-forward@linaro.org X-Forwarded-For: patch@linaro.org patchwork-forward@linaro.org Delivered-To: patches@linaro.org Received: by 10.220.12.8 with SMTP id v8csp273745vcv; Tue, 1 Apr 2014 15:15:00 -0700 (PDT) X-Received: by 10.204.199.79 with SMTP id er15mr26394269bkb.23.1396390498914; Tue, 01 Apr 2014 15:14:58 -0700 (PDT) Received: from mnementh.archaic.org.uk (mnementh.archaic.org.uk. [2001:8b0:1d0::1]) by mx.google.com with ESMTPS id nl1si131238bkb.100.2014.04.01.15.14.58 for (version=TLSv1.2 cipher=RC4-SHA bits=128/128); Tue, 01 Apr 2014 15:14:58 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of pm215@archaic.org.uk designates 2001:8b0:1d0::1 as permitted sender) client-ip=2001:8b0:1d0::1; Received: from pm215 by mnementh.archaic.org.uk with local (Exim 4.80) (envelope-from ) id 1WV6xM-0002Ka-1I; Tue, 01 Apr 2014 23:14:56 +0100 From: Peter Maydell To: qemu-devel@nongnu.org Cc: patches@linaro.org, "Michael S. Tsirkin" , "Dr. David Alan Gilbert" Subject: [PATCH v2 7/7] hw/net/stellaris_enet: Convert to vmstate Date: Tue, 1 Apr 2014 23:14:55 +0100 Message-Id: <1396390495-8908-8-git-send-email-peter.maydell@linaro.org> X-Mailer: git-send-email 1.7.10.4 In-Reply-To: <1396390495-8908-1-git-send-email-peter.maydell@linaro.org> References: <1396390495-8908-1-git-send-email-peter.maydell@linaro.org> X-Removed-Original-Auth: Dkim didn't pass. X-Original-Sender: peter.maydell@linaro.org X-Original-Authentication-Results: mx.google.com; spf=neutral (google.com: 209.85.220.175 is neither permitted nor denied by best guess record for domain of patch+caf_=patchwork-forward=linaro.org@linaro.org) smtp.mail=patch+caf_=patchwork-forward=linaro.org@linaro.org Precedence: list Mailing-list: list patchwork-forward@linaro.org; contact patchwork-forward+owners@linaro.org List-ID: X-Google-Group-Id: 836684582541 List-Post: , List-Help: , List-Archive: List-Unsubscribe: , Convert this device to use vmstate for its save/load, including providing a post_load function that sanitizes inbound data to avoid possible buffer overflows if it is malicious. Signed-off-by: Peter Maydell --- hw/net/stellaris_enet.c | 147 ++++++++++++++++++++++++++---------------------- 1 file changed, 79 insertions(+), 68 deletions(-) diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c index af1c3ef..b8cbf82 100644 --- a/hw/net/stellaris_enet.c +++ b/hw/net/stellaris_enet.c @@ -47,6 +47,11 @@ do { fprintf(stderr, "stellaris_enet: error: " fmt , ## __VA_ARGS__);} while (0) OBJECT_CHECK(stellaris_enet_state, (obj), TYPE_STELLARIS_ENET) typedef struct { + uint8_t data[2048]; + int32_t len; +} StellarisEnetRxFrame; + +typedef struct { SysBusDevice parent_obj; uint32_t ris; @@ -59,22 +64,88 @@ typedef struct { uint32_t mtxd; uint32_t mrxd; uint32_t np; - int tx_fifo_len; + int32_t tx_fifo_len; uint8_t tx_fifo[2048]; /* Real hardware has a 2k fifo, which works out to be at most 31 packets. We implement a full 31 packet fifo. */ - struct { - uint8_t data[2048]; - int len; - } rx[31]; - int rx_fifo_offset; - int next_packet; + StellarisEnetRxFrame rx[31]; + int32_t rx_fifo_offset; + int32_t next_packet; NICState *nic; NICConf conf; qemu_irq irq; MemoryRegion mmio; } stellaris_enet_state; +static const VMStateDescription vmstate_rx_frame = { + .name = "stellaris_enet/rx_frame", + .version_id = 1, + .minimum_version_id = 1, + .minimum_version_id_old = 1, + .fields = (VMStateField[]) { + VMSTATE_UINT8_ARRAY(data, StellarisEnetRxFrame, 2048), + VMSTATE_INT32(len, StellarisEnetRxFrame), + VMSTATE_END_OF_LIST() + } +}; + +static int stellaris_enet_post_load(void *opaque, int version_id) +{ + stellaris_enet_state *s = opaque; + int i; + + /* Sanitize inbound state. Note that next_packet is an index but + * np is a size; hence their valid upper bounds differ. + */ + if (s->next_packet < 0 || s->next_packet >= ARRAY_SIZE(s->rx)) { + return -1; + } + + if (s->np > ARRAY_SIZE(s->rx)) { + return -1; + } + + for (i = 0; i < ARRAY_SIZE(s->rx); i++) { + if (s->rx[i].len < 0 || s->rx[i].len > ARRAY_SIZE(s->rx[i].data)) { + return -1; + } + } + + if (s->rx_fifo_offset < 0 || + s->rx_fifo_offset + 4 > ARRAY_SIZE(s->rx[0].data)) { + return -1; + } + + return 0; +} + +static const VMStateDescription vmstate_stellaris_enet = { + .name = "stellaris_enet", + .version_id = 4, + .minimum_version_id = 4, + .minimum_version_id_old = 4, + .post_load = stellaris_enet_post_load, + .fields = (VMStateField[]) { + VMSTATE_UINT32(ris, stellaris_enet_state), + VMSTATE_UINT32(im, stellaris_enet_state), + VMSTATE_UINT32(rctl, stellaris_enet_state), + VMSTATE_UINT32(tctl, stellaris_enet_state), + VMSTATE_UINT32(thr, stellaris_enet_state), + VMSTATE_UINT32(mctl, stellaris_enet_state), + VMSTATE_UINT32(mdv, stellaris_enet_state), + VMSTATE_UINT32(mtxd, stellaris_enet_state), + VMSTATE_UINT32(mrxd, stellaris_enet_state), + VMSTATE_UINT32(np, stellaris_enet_state), + VMSTATE_INT32(tx_fifo_len, stellaris_enet_state), + VMSTATE_UINT8_ARRAY(tx_fifo, stellaris_enet_state, 2048), + VMSTATE_STRUCT_ARRAY(rx, stellaris_enet_state, 31, 1, + vmstate_rx_frame, StellarisEnetRxFrame), + VMSTATE_INT32(next_packet, stellaris_enet_state), + VMSTATE_INT32(rx_fifo_offset, stellaris_enet_state), + VMSTATE_END_OF_LIST() + } +}; + static void stellaris_enet_update(stellaris_enet_state *s) { qemu_set_irq(s->irq, (s->ris & s->im) != 0); @@ -379,63 +450,6 @@ static void stellaris_enet_reset(stellaris_enet_state *s) s->tx_fifo_len = 0; } -static void stellaris_enet_save(QEMUFile *f, void *opaque) -{ - stellaris_enet_state *s = (stellaris_enet_state *)opaque; - int i; - - qemu_put_be32(f, s->ris); - qemu_put_be32(f, s->im); - qemu_put_be32(f, s->rctl); - qemu_put_be32(f, s->tctl); - qemu_put_be32(f, s->thr); - qemu_put_be32(f, s->mctl); - qemu_put_be32(f, s->mdv); - qemu_put_be32(f, s->mtxd); - qemu_put_be32(f, s->mrxd); - qemu_put_be32(f, s->np); - qemu_put_be32(f, s->tx_fifo_len); - qemu_put_buffer(f, s->tx_fifo, sizeof(s->tx_fifo)); - for (i = 0; i < 31; i++) { - qemu_put_be32(f, s->rx[i].len); - qemu_put_buffer(f, s->rx[i].data, sizeof(s->rx[i].data)); - - } - qemu_put_be32(f, s->next_packet); - qemu_put_be32(f, s->rx_fifo_offset); -} - -static int stellaris_enet_load(QEMUFile *f, void *opaque, int version_id) -{ - stellaris_enet_state *s = (stellaris_enet_state *)opaque; - int i; - - if (version_id != 1) - return -EINVAL; - - s->ris = qemu_get_be32(f); - s->im = qemu_get_be32(f); - s->rctl = qemu_get_be32(f); - s->tctl = qemu_get_be32(f); - s->thr = qemu_get_be32(f); - s->mctl = qemu_get_be32(f); - s->mdv = qemu_get_be32(f); - s->mtxd = qemu_get_be32(f); - s->mrxd = qemu_get_be32(f); - s->np = qemu_get_be32(f); - s->tx_fifo_len = qemu_get_be32(f); - qemu_get_buffer(f, s->tx_fifo, sizeof(s->tx_fifo)); - for (i = 0; i < 31; i++) { - s->rx[i].len = qemu_get_be32(f); - qemu_get_buffer(f, s->rx[i].data, sizeof(s->rx[i].data)); - - } - s->next_packet = qemu_get_be32(f); - s->rx_fifo_offset = qemu_get_be32(f); - - return 0; -} - static void stellaris_enet_cleanup(NetClientState *nc) { stellaris_enet_state *s = qemu_get_nic_opaque(nc); @@ -467,8 +481,6 @@ static int stellaris_enet_init(SysBusDevice *sbd) qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a); stellaris_enet_reset(s); - register_savevm(dev, "stellaris_enet", -1, 3, - stellaris_enet_save, stellaris_enet_load, s); return 0; } @@ -476,8 +488,6 @@ static void stellaris_enet_unrealize(DeviceState *dev, Error **errp) { stellaris_enet_state *s = STELLARIS_ENET(dev); - unregister_savevm(DEVICE(s), "stellaris_enet", s); - memory_region_destroy(&s->mmio); } @@ -494,6 +504,7 @@ static void stellaris_enet_class_init(ObjectClass *klass, void *data) k->init = stellaris_enet_init; dc->unrealize = stellaris_enet_unrealize; dc->props = stellaris_enet_properties; + dc->vmsd = &vmstate_stellaris_enet; } static const TypeInfo stellaris_enet_info = {