From patchwork Mon Sep 18 08:31:29 2023
X-Patchwork-Submitter: Jason Wang
X-Patchwork-Id: 724142
From: Jason Wang
To: qemu-devel@nongnu.org
Cc: Peter Maydell, Philippe Mathieu-Daudé, Jason Wang
Subject: [PULL V2 14/17] hw/net/fsl_etsec/rings.c: Avoid variable length array
Date: Mon, 18 Sep 2023 16:31:29 +0800
Message-Id: <20230918083132.55423-15-jasowang@redhat.com>
In-Reply-To: <20230918083132.55423-1-jasowang@redhat.com>
References: <20230918083132.55423-1-jasowang@redhat.com>
From: Peter Maydell

In fill_rx_bd() we create a variable length array of size etsec->rx_padding. In fact we know that this will never be larger than 64 bytes, because rx_padding is set in rx_init_frame() in a way that ensures it is only that large. Use a fixed sized array and assert that it is big enough.

Since padd[] is now potentially rather larger than the actual padding required, adjust the memset() we do on it to match the size that we write with cpu_physical_memory_write(), rather than clearing the entire array.

The codebase has very few VLAs, and if we can get rid of them all we can make the compiler error on new additions. This is a defensive measure against security bugs where an on-stack dynamic allocation isn't correctly size-checked (e.g. CVE-2021-3527).

Signed-off-by: Peter Maydell
Reviewed-by: Philippe Mathieu-Daudé
Signed-off-by: Jason Wang
---
 hw/net/fsl_etsec/rings.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/hw/net/fsl_etsec/rings.c b/hw/net/fsl_etsec/rings.c
index 788463f..2f2f359 100644
--- a/hw/net/fsl_etsec/rings.c
+++ b/hw/net/fsl_etsec/rings.c
@@ -372,6 +372,12 @@ void etsec_walk_tx_ring(eTSEC *etsec, int ring_nbr) etsec->regs[TSTAT].value |= 1 << (31 - ring_nbr); } +/* + * rx_init_frame() ensures we never do more padding than this + * (checksum plus minimum data packet size) + */ +#define MAX_RX_PADDING 64 + static void fill_rx_bd(eTSEC *etsec, eTSEC_rxtx_bd *bd, const uint8_t **buf, @@ -380,9 +386,11 @@ static void fill_rx_bd(eTSEC *etsec, uint16_t to_write; hwaddr bufptr = bd->bufptr + ((hwaddr)(etsec->regs[TBDBPH].value & 0xF) << 32); - uint8_t padd[etsec->rx_padding]; + uint8_t padd[MAX_RX_PADDING]; uint8_t rem; + assert(etsec->rx_padding <= MAX_RX_PADDING); + RING_DEBUG("eTSEC fill Rx buffer @ 0x%016" HWADDR_PRIx " size:%zu(padding + crc:%u) + fcb:%u\n", bufptr, *size, etsec->rx_padding, etsec->rx_fcb_size);
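Review bot: the assert(etsec->rx_padding <= MAX_RX_PADDING) added ahead of RING_DEBUG() checks an invariant this patch does not establish; the comment above the new #define says rx_init_frame() guarantees it, but rx_init_frame() is untouched, so nothing stops a later edit there from making the assert reachable, at which point an over-long padding aborts the whole QEMU process rather than overrunning the stack. Suggest having rx_init_frame() derive its bound from MAX_RX_PADDING, and defining the macro next to it rather than between etsec_walk_tx_ring() and fill_rx_bd(), so the producer and the consumer of the bound cannot drift apart. The value itself matches the comment (4-byte checksum plus 60-byte minimum frame gives 64).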
@@ -426,7 +434,7 @@ static void fill_rx_bd(eTSEC *etsec, rem = MIN(etsec->regs[MRBLR].value - bd->length, etsec->rx_padding); if (rem > 0) { - memset(padd, 0x0, sizeof(padd)); + memset(padd, 0x0, rem); etsec->rx_padding -= rem; *size -= rem; bd->length += rem;
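The commit messages in this series give the motivation (an on-stack allocation sized by a value the code never bounded, as in CVE-2021-3527) but only show the one-line swaps. The following is an added example, not QEMU code and not part of any patch in this thread, that shows both replacement patterns in plain C: a fixed-size array whose bound is checked before use (as fill_rx_bd() now does, with a return code where the patch uses assert() so the failure path can be exercised), and a heap copy of an iovec array with a header element prepended (the shape the rocker, net/dump and net/tap patches use, with calloc()/free() standing in for g_new()/g_autofree). The function names, the MAX_RX_PADDING reuse, and the sample sizes are the example's own. GCC and Clang's -Wvla (or -Werror=vla) flag any VLA that remains, which is the compiler check the commit messages aim to enable once the last VLA is gone.

```c
#include <assert.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>

/*
 * Example bound, same value and reasoning as the QEMU patch:
 * Ethernet FCS (4 bytes) plus minimum payload (60 bytes).
 */
#define MAX_RX_PADDING 64

/*
 * Fixed-array replacement for `uint8_t padd[rx_padding]`.
 * Zero-fills up to `space` bytes of padding into `out` and returns the
 * number of bytes written, or -1 when *rx_padding exceeds the bound the
 * array was sized for. The QEMU patch asserts at that point; returning an
 * error here lets the check be exercised without aborting.
 */
static int pad_rx_buffer(uint16_t *rx_padding, uint32_t space, uint8_t *out)
{
    uint8_t padd[MAX_RX_PADDING];   /* fixed size: the stack frame no longer depends on input */
    uint32_t rem;

    if (*rx_padding > MAX_RX_PADDING) {
        return -1;                  /* the invariant the array size relies on */
    }
    rem = *rx_padding < space ? *rx_padding : space;
    /* Clear only the bytes about to be copied out, not sizeof(padd). */
    memset(padd, 0, rem);
    memcpy(out, padd, rem);
    *rx_padding -= (uint16_t)rem;
    return (int)rem;
}

/*
 * Heap replacement for `struct iovec iov_copy[iovcnt + 1]`: build a new
 * array with `hdr` as element 0 followed by the caller's iovecs. The caller
 * frees the result (g_autofree does this automatically in QEMU).
 * Returns NULL for a negative count, a count that would overflow the
 * allocation size, or allocation failure (g_new() would abort instead).
 */
static struct iovec *iov_prepend_hdr(const struct iovec *iov, int iovcnt,
                                     void *hdr, size_t hdr_len)
{
    struct iovec *copy;

    if (iovcnt < 0 || (size_t)iovcnt >= SIZE_MAX / sizeof(*copy) - 1) {
        return NULL;
    }
    copy = calloc((size_t)iovcnt + 1, sizeof(*copy));
    if (copy == NULL) {
        return NULL;
    }
    copy[0].iov_base = hdr;
    copy[0].iov_len = hdr_len;
    /* iovcnt elements into slots 1..iovcnt of an (iovcnt + 1)-slot array */
    memcpy(&copy[1], iov, (size_t)iovcnt * sizeof(*iov));
    return copy;
}

/* Total bytes described by an iovec array; used to check the copy. */
static size_t iov_total(const struct iovec *iov, int iovcnt)
{
    size_t total = 0;
    for (int i = 0; i < iovcnt; i++) {
        total += iov[i].iov_len;
    }
    return total;
}

/* Exercises both helpers on constructed inputs. Returns 0 on success. */
int selfcheck(void)
{
    uint8_t out[128];
    uint16_t padding = 64;
    char a[5], b[7], hdr[12];                       /* constructed sample buffers */
    struct iovec in[2] = { { a, sizeof(a) }, { b, sizeof(b) } };
    struct iovec *copy;

    /* 64 bytes of padding, 100 bytes of space: all 64 written, none left. */
    if (pad_rx_buffer(&padding, 100, out) != 64 || padding != 0) return 1;

    /* 64 bytes of padding, only 10 bytes of space: 10 written, 54 remain. */
    padding = 64;
    if (pad_rx_buffer(&padding, 10, out) != 10 || padding != 54) return 2;

    /* Out-of-bound padding is refused instead of sizing the stack from it. */
    padding = 65;
    if (pad_rx_buffer(&padding, 100, out) != -1) return 3;

    /* 12-byte header + 5 + 7 = 24 bytes across 3 elements; last element is b. */
    copy = iov_prepend_hdr(in, 2, hdr, sizeof(hdr));
    if (copy == NULL || iov_total(copy, 3) != 24 || copy[2].iov_base != b) {
        free(copy);
        return 4;
    }
    free(copy);

    /* A negative count is rejected rather than turned into a huge allocation. */
    if (iov_prepend_hdr(in, -1, hdr, sizeof(hdr)) != NULL) return 5;
    return 0;
}

int main(void)
{
    return selfcheck();
}
```

The two helpers mirror the two choices the series makes: when the maximum is known at compile time (padding can never exceed an FCS plus a minimum frame), a fixed array plus an explicit check costs nothing per packet; when the count is genuinely caller-driven (an iovec list), a heap copy is the honest option and g_autofree keeps the free() from being forgotten on early-return paths.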
From patchwork Mon Sep 18 08:31:30 2023
X-Patchwork-Submitter: Jason Wang
X-Patchwork-Id: 724141
From: Jason Wang
To: qemu-devel@nongnu.org
Cc: Peter Maydell, Francisco Iglesias, Jason Wang
Subject: [PULL V2 15/17] hw/net/rocker: Avoid variable length array
Date: Mon, 18 Sep 2023 16:31:30 +0800
Message-Id: <20230918083132.55423-16-jasowang@redhat.com>
In-Reply-To: <20230918083132.55423-1-jasowang@redhat.com>
References: <20230918083132.55423-1-jasowang@redhat.com>

From: Peter Maydell

Replace an on-stack variable length array in of_dpa_ig() with a g_autofree heap allocation.

The codebase has very few VLAs, and if we can get rid of them all we can make the compiler error on new additions. This is a defensive measure against security bugs where an on-stack dynamic allocation isn't correctly size-checked (e.g. CVE-2021-3527).

Signed-off-by: Peter Maydell
Reviewed-by: Francisco Iglesias
Signed-off-by: Jason Wang
---
 hw/net/rocker/rocker_of_dpa.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/net/rocker/rocker_of_dpa.c b/hw/net/rocker/rocker_of_dpa.c
index dfe4754..5e16056 100644
--- a/hw/net/rocker/rocker_of_dpa.c
+++ b/hw/net/rocker/rocker_of_dpa.c
@@ -1043,7 +1043,7 @@ static void of_dpa_flow_ig_tbl(OfDpaFlowContext *fc, uint32_t tbl_id) static ssize_t of_dpa_ig(World *world, uint32_t pport, const struct iovec *iov, int iovcnt) { - struct iovec iov_copy[iovcnt + 2]; + g_autofree struct iovec *iov_copy = g_new(struct iovec, iovcnt + 2); OfDpaFlowContext fc = { .of_dpa = world_private(world), .in_pport = pport,
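Review bot: g_new(struct iovec, iovcnt + 2) in of_dpa_ig() turns a free stack array into a malloc/free pair on every ingress packet. If the caller can only ever hand over a bounded number of iovecs, the fixed array plus assert used for fill_rx_bd() in 14/17 would be cheaper and equally safe; if no such bound exists, this is the right form, and the commit message should say which it is. Two things worth a sentence either way: g_new() aborts rather than returning NULL, so the absent NULL check is deliberate, and g_new()'s overflow check covers the multiply by sizeof(struct iovec) but not the int addition iovcnt + 2, which is only safe because iovcnt is a small non-negative count.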
From patchwork Mon Sep 18 08:31:31 2023
X-Patchwork-Submitter: Jason Wang
X-Patchwork-Id: 724143
From: Jason Wang
To: qemu-devel@nongnu.org
Cc: Peter Maydell, Francisco Iglesias, Jason Wang
Subject: [PULL V2 16/17] net/dump: Avoid variable length array
Date: Mon, 18 Sep 2023 16:31:31 +0800
Message-Id: <20230918083132.55423-17-jasowang@redhat.com>
In-Reply-To: <20230918083132.55423-1-jasowang@redhat.com>
References: <20230918083132.55423-1-jasowang@redhat.com>

From: Peter Maydell

Use a g_autofree heap allocation instead of a variable length array in dump_receive_iov().

The codebase has very few VLAs, and if we can get rid of them all we can make the compiler error on new additions. This is a defensive measure against security bugs where an on-stack dynamic allocation isn't correctly size-checked (e.g. CVE-2021-3527).

Signed-off-by: Peter Maydell
Reviewed-by: Francisco Iglesias
Signed-off-by: Jason Wang
---
 net/dump.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/dump.c b/net/dump.c
index 7d05f16..16073f2 100644
--- a/net/dump.c
+++ b/net/dump.c
@@ -68,7 +68,7 @@ static ssize_t dump_receive_iov(DumpState *s, const struct iovec *iov, int cnt, int64_t ts; int caplen; size_t size = iov_size(iov, cnt) - offset; - struct iovec dumpiov[cnt + 1]; + g_autofree struct iovec *dumpiov = g_new(struct iovec, cnt + 1); /* Early return in case of previous error. */ if (s->fd < 0) {
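Review bot: dumpiov is allocated before the early return (if (s->fd < 0)) that immediately follows it, so on the error path dump_receive_iov() now pays for a g_new()/g_free() it never uses; g_autofree keeps that from leaking, but the cheaper shape is the one 17/17 uses for tap_receive_iov(): declare g_autofree struct iovec *dumpiov = NULL; at the top and do the g_new(struct iovec, cnt + 1) after the early return, right before the array is filled. Otherwise the same per-packet allocation trade-off as 15/17 applies and deserves the same sentence in the commit message.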
From patchwork Mon Sep 18 08:31:32 2023
X-Patchwork-Submitter: Jason Wang
X-Patchwork-Id: 724144
From: Jason Wang
To: qemu-devel@nongnu.org
Cc: Peter Maydell, Francisco Iglesias, Jason Wang
Subject: [PULL V2 17/17] net/tap: Avoid variable-length array
Date: Mon, 18 Sep 2023 16:31:32 +0800
Message-Id: <20230918083132.55423-18-jasowang@redhat.com>
In-Reply-To: <20230918083132.55423-1-jasowang@redhat.com>
References: <20230918083132.55423-1-jasowang@redhat.com>

From: Peter Maydell

Use a heap allocation instead of a variable length array in tap_receive_iov().

The codebase has very few VLAs, and if we can get rid of them all we can make the compiler error on new additions. This is a defensive measure against security bugs where an on-stack dynamic allocation isn't correctly size-checked (e.g. CVE-2021-3527).

Signed-off-by: Peter Maydell
Reviewed-by: Francisco Iglesias
Signed-off-by: Jason Wang
---
 net/tap.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/tap.c b/net/tap.c
index bcea8d0..c23d032 100644
--- a/net/tap.c
+++ b/net/tap.c
@@ -118,10 +118,11 @@ static ssize_t tap_receive_iov(NetClientState *nc, const struct iovec *iov, { TAPState *s = DO_UPCAST(TAPState, nc, nc); const struct iovec *iovp = iov; - struct iovec iov_copy[iovcnt + 1]; + g_autofree struct iovec *iov_copy = NULL; struct virtio_net_hdr_mrg_rxbuf hdr = { }; if (s->host_vnet_hdr_len && !s->using_vnet_hdr) { + iov_copy = g_new(struct iovec, iovcnt + 1); iov_copy[0].iov_base = &hdr; iov_copy[0].iov_len = s->host_vnet_hdr_len; memcpy(&iov_copy[1], iov, iovcnt * sizeof(*iov));
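Review bot: allocating iov_copy only inside the if (s->host_vnet_hdr_len && !s->using_vnet_hdr) branch and leaving it NULL otherwise is correct as far as the hunk shows (g_autofree on a NULL pointer is a no-op, and memcpy(&iov_copy[1], iov, iovcnt * sizeof(*iov)) fills exactly iovcnt of the iovcnt + 1 slots), but it relies on iovp being redirected to iov_copy only inside that branch, which happens outside the visible lines. A one-line comment at the = NULL initialiser saying the copy is made only when a vnet header has to be prepended would stop a later reader from treating the NULL as a missing allocation; no other change suggested.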