[1/4] hw/net/fsl_etsec/rings.c: Avoid variable length array

Message ID	20230824153224.2517486-2-peter.maydell@linaro.org
State	Superseded
Headers	show Delivered-To: patch@linaro.org Received-SPF: pass (google.com: domain of qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; From: Peter Maydell <peter.maydell@linaro.org> To: qemu-devel@nongnu.org Cc: Jason Wang <jasowang@redhat.com>, Jiri Pirko <jiri@resnulli.us>, qemu-ppc@nongnu.org Subject: [PATCH 1/4] hw/net/fsl_etsec/rings.c: Avoid variable length array Date: Thu, 24 Aug 2023 16:32:21 +0100 Message-Id: <20230824153224.2517486-2-peter.maydell@linaro.org> In-Reply-To: <20230824153224.2517486-1-peter.maydell@linaro.org> References: <20230824153224.2517486-1-peter.maydell@linaro.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=2a00:1450:4864:20::432; envelope-from=peter.maydell@linaro.org; helo=mail-wr1-x432.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action Precedence: list Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org Sender: qemu-devel-bounces+patch=linaro.org@nongnu.org
Series	net: avoid variable length arrays \| expand [0/4] net: avoid variable length arrays [1/4] hw/net/fsl_etsec/rings.c: Avoid variable length array [2/4] hw/net/rocker: Avoid variable length array [3/4] net/dump: Avoid variable length array [4/4] net/tap: Avoid variable-length array

Message ID

20230824153224.2517486-2-peter.maydell@linaro.org

State

Superseded

Headers

Received-SPF: pass (google.com: domain of
 qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as
 permitted sender) client-ip=209.51.188.17;
From: Peter Maydell <peter.maydell@linaro.org>
To: qemu-devel@nongnu.org
Cc: Jason Wang <jasowang@redhat.com>, Jiri Pirko <jiri@resnulli.us>,
 qemu-ppc@nongnu.org
Subject: [PATCH 1/4] hw/net/fsl_etsec/rings.c: Avoid variable length array
Date: Thu, 24 Aug 2023 16:32:21 +0100
Message-Id: <20230824153224.2517486-2-peter.maydell@linaro.org>
In-Reply-To: <20230824153224.2517486-1-peter.maydell@linaro.org>
References: <20230824153224.2517486-1-peter.maydell@linaro.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=2a00:1450:4864:20::432;
 envelope-from=peter.maydell@linaro.org; helo=mail-wr1-x432.google.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org
Sender: qemu-devel-bounces+patch=linaro.org@nongnu.org

Series

net: avoid variable length arrays | expand

Commit Message

Peter Maydell Aug. 24, 2023, 3:32 p.m. UTC

In fill_rx_bd() we create a variable length array of size
etsec->rx_padding. In fact we know that this will never be
larger than 64 bytes, because rx_padding is set in rx_init_frame()
in a way that ensures it is only that large. Use a fixed sized
array and assert that it is big enough.

Since padd[] is now potentially rather larger than the actual
padding required, adjust the memset() we do on it to match the
size that we write with cpu_physical_memory_write(), rather than
clearing the entire array.

The codebase has very few VLAs, and if we can get rid of them all we
can make the compiler error on new additions.  This is a defensive
measure against security bugs where an on-stack dynamic allocation
isn't correctly size-checked (e.g.  CVE-2021-3527).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/net/fsl_etsec/rings.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

Comments

Philippe Mathieu-Daudé Aug. 24, 2023, 3:47 p.m. UTC | #1

On 24/8/23 17:32, Peter Maydell wrote:
> In fill_rx_bd() we create a variable length array of size
> etsec->rx_padding. In fact we know that this will never be
> larger than 64 bytes, because rx_padding is set in rx_init_frame()
> in a way that ensures it is only that large. Use a fixed sized
> array and assert that it is big enough.
> 
> Since padd[] is now potentially rather larger than the actual
> padding required, adjust the memset() we do on it to match the
> size that we write with cpu_physical_memory_write(), rather than
> clearing the entire array.
> 
> The codebase has very few VLAs, and if we can get rid of them all we
> can make the compiler error on new additions.  This is a defensive
> measure against security bugs where an on-stack dynamic allocation
> isn't correctly size-checked (e.g.  CVE-2021-3527).
> 
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
>   hw/net/fsl_etsec/rings.c | 12 ++++++++++--
>   1 file changed, 10 insertions(+), 2 deletions(-)
> 
> diff --git a/hw/net/fsl_etsec/rings.c b/hw/net/fsl_etsec/rings.c
> index 788463f1b62..2f2f359f7a5 100644
> --- a/hw/net/fsl_etsec/rings.c
> +++ b/hw/net/fsl_etsec/rings.c
> @@ -372,6 +372,12 @@ void etsec_walk_tx_ring(eTSEC *etsec, int ring_nbr)
>       etsec->regs[TSTAT].value |= 1 << (31 - ring_nbr);
>   }
>   
> +/*
> + * rx_init_frame() ensures we never do more padding than this
> + * (checksum plus minimum data packet size)
> + */
> +#define MAX_RX_PADDING 64
> +
>   static void fill_rx_bd(eTSEC          *etsec,
>                          eTSEC_rxtx_bd  *bd,
>                          const uint8_t **buf,
> @@ -380,9 +386,11 @@ static void fill_rx_bd(eTSEC          *etsec,
>       uint16_t to_write;
>       hwaddr   bufptr = bd->bufptr +
>           ((hwaddr)(etsec->regs[TBDBPH].value & 0xF) << 32);
> -    uint8_t  padd[etsec->rx_padding];
> +    uint8_t  padd[MAX_RX_PADDING];
>       uint8_t  rem;
>   
> +    assert(etsec->rx_padding <= MAX_RX_PADDING);
> +
>       RING_DEBUG("eTSEC fill Rx buffer @ 0x%016" HWADDR_PRIx
>                  " size:%zu(padding + crc:%u) + fcb:%u\n",
>                  bufptr, *size, etsec->rx_padding, etsec->rx_fcb_size);
> @@ -426,7 +434,7 @@ static void fill_rx_bd(eTSEC          *etsec,
>           rem = MIN(etsec->regs[MRBLR].value - bd->length, etsec->rx_padding);
>   
>           if (rem > 0) {
> -            memset(padd, 0x0, sizeof(padd));
> +            memset(padd, 0x0, rem);
>               etsec->rx_padding -= rem;
>               *size             -= rem;
>               bd->length        += rem;

Maybe we can add this for clarity:

@@ -468,6 +468,6 @@ static void rx_init_frame(eTSEC *etsec, const 
uint8_t *buf, size_t size)
       * minimum MTU size bytes long (64)
       */
-    if (etsec->rx_buffer_len < 60) {
-        etsec->rx_padding += 60 - etsec->rx_buffer_len;
+    if (etsec->rx_padding + etsec->rx_buffer_len < MAX_RX_PADDING) {
+        etsec->rx_padding = MAX_RX_PADDING - etsec->rx_buffer_len;
      }

Peter Maydell Aug. 24, 2023, 4:01 p.m. UTC | #2

On Thu, 24 Aug 2023 at 16:47, Philippe Mathieu-Daudé <philmd@linaro.org> wrote:
>
> On 24/8/23 17:32, Peter Maydell wrote:
> > In fill_rx_bd() we create a variable length array of size
> > etsec->rx_padding. In fact we know that this will never be
> > larger than 64 bytes, because rx_padding is set in rx_init_frame()
> > in a way that ensures it is only that large. Use a fixed sized
> > array and assert that it is big enough.
> >
> > Since padd[] is now potentially rather larger than the actual
> > padding required, adjust the memset() we do on it to match the
> > size that we write with cpu_physical_memory_write(), rather than
> > clearing the entire array.
> >
> > The codebase has very few VLAs, and if we can get rid of them all we
> > can make the compiler error on new additions.  This is a defensive
> > measure against security bugs where an on-stack dynamic allocation
> > isn't correctly size-checked (e.g.  CVE-2021-3527).
> >
> > Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> > ---
> >   hw/net/fsl_etsec/rings.c | 12 ++++++++++--
> >   1 file changed, 10 insertions(+), 2 deletions(-)
> >
> > diff --git a/hw/net/fsl_etsec/rings.c b/hw/net/fsl_etsec/rings.c
> > index 788463f1b62..2f2f359f7a5 100644
> > --- a/hw/net/fsl_etsec/rings.c
> > +++ b/hw/net/fsl_etsec/rings.c
> > @@ -372,6 +372,12 @@ void etsec_walk_tx_ring(eTSEC *etsec, int ring_nbr)
> >       etsec->regs[TSTAT].value |= 1 << (31 - ring_nbr);
> >   }
> >
> > +/*
> > + * rx_init_frame() ensures we never do more padding than this
> > + * (checksum plus minimum data packet size)
> > + */
> > +#define MAX_RX_PADDING 64
> > +
> >   static void fill_rx_bd(eTSEC          *etsec,
> >                          eTSEC_rxtx_bd  *bd,
> >                          const uint8_t **buf,
> > @@ -380,9 +386,11 @@ static void fill_rx_bd(eTSEC          *etsec,
> >       uint16_t to_write;
> >       hwaddr   bufptr = bd->bufptr +
> >           ((hwaddr)(etsec->regs[TBDBPH].value & 0xF) << 32);
> > -    uint8_t  padd[etsec->rx_padding];
> > +    uint8_t  padd[MAX_RX_PADDING];
> >       uint8_t  rem;
> >
> > +    assert(etsec->rx_padding <= MAX_RX_PADDING);
> > +
> >       RING_DEBUG("eTSEC fill Rx buffer @ 0x%016" HWADDR_PRIx
> >                  " size:%zu(padding + crc:%u) + fcb:%u\n",
> >                  bufptr, *size, etsec->rx_padding, etsec->rx_fcb_size);
> > @@ -426,7 +434,7 @@ static void fill_rx_bd(eTSEC          *etsec,
> >           rem = MIN(etsec->regs[MRBLR].value - bd->length, etsec->rx_padding);
> >
> >           if (rem > 0) {
> > -            memset(padd, 0x0, sizeof(padd));
> > +            memset(padd, 0x0, rem);
> >               etsec->rx_padding -= rem;
> >               *size             -= rem;
> >               bd->length        += rem;
>
> Maybe we can add this for clarity:
>
> @@ -468,6 +468,6 @@ static void rx_init_frame(eTSEC *etsec, const
> uint8_t *buf, size_t size)
>        * minimum MTU size bytes long (64)
>        */
> -    if (etsec->rx_buffer_len < 60) {
> -        etsec->rx_padding += 60 - etsec->rx_buffer_len;
> +    if (etsec->rx_padding + etsec->rx_buffer_len < MAX_RX_PADDING) {
> +        etsec->rx_padding = MAX_RX_PADDING - etsec->rx_buffer_len;
>       }

I think that's a more confusing way of putting it. What the
code is doing is "if the packet is too short, pad it to
the minimum-packet-length", and the clear way to express
that is "if (packet_len < max) add_more_padding;".

There is potential to use the constants ETH_ZLEN (60) and
ETH_FCS_LEN (4) instead of the hard-coded 60 and 4 currently
in the code, but I felt that was starting to wander a bit
out of scope of just getting rid of the VLA.

thanks
-- PMM

Philippe Mathieu-Daudé Aug. 24, 2023, 4:07 p.m. UTC | #3

On 24/8/23 18:01, Peter Maydell wrote:
> On Thu, 24 Aug 2023 at 16:47, Philippe Mathieu-Daudé <philmd@linaro.org> wrote:
>>
>> On 24/8/23 17:32, Peter Maydell wrote:
>>> In fill_rx_bd() we create a variable length array of size
>>> etsec->rx_padding. In fact we know that this will never be
>>> larger than 64 bytes, because rx_padding is set in rx_init_frame()
>>> in a way that ensures it is only that large. Use a fixed sized
>>> array and assert that it is big enough.
>>>
>>> Since padd[] is now potentially rather larger than the actual
>>> padding required, adjust the memset() we do on it to match the
>>> size that we write with cpu_physical_memory_write(), rather than
>>> clearing the entire array.
>>>
>>> The codebase has very few VLAs, and if we can get rid of them all we
>>> can make the compiler error on new additions.  This is a defensive
>>> measure against security bugs where an on-stack dynamic allocation
>>> isn't correctly size-checked (e.g.  CVE-2021-3527).
>>>
>>> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
>>> ---
>>>    hw/net/fsl_etsec/rings.c | 12 ++++++++++--
>>>    1 file changed, 10 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/hw/net/fsl_etsec/rings.c b/hw/net/fsl_etsec/rings.c
>>> index 788463f1b62..2f2f359f7a5 100644
>>> --- a/hw/net/fsl_etsec/rings.c
>>> +++ b/hw/net/fsl_etsec/rings.c
>>> @@ -372,6 +372,12 @@ void etsec_walk_tx_ring(eTSEC *etsec, int ring_nbr)
>>>        etsec->regs[TSTAT].value |= 1 << (31 - ring_nbr);
>>>    }
>>>
>>> +/*
>>> + * rx_init_frame() ensures we never do more padding than this
>>> + * (checksum plus minimum data packet size)
>>> + */
>>> +#define MAX_RX_PADDING 64


>> Maybe we can add this for clarity:
>>
>> @@ -468,6 +468,6 @@ static void rx_init_frame(eTSEC *etsec, const
>> uint8_t *buf, size_t size)
>>         * minimum MTU size bytes long (64)
>>         */
>> -    if (etsec->rx_buffer_len < 60) {
>> -        etsec->rx_padding += 60 - etsec->rx_buffer_len;
>> +    if (etsec->rx_padding + etsec->rx_buffer_len < MAX_RX_PADDING) {
>> +        etsec->rx_padding = MAX_RX_PADDING - etsec->rx_buffer_len;
>>        }
> 
> I think that's a more confusing way of putting it. What the
> code is doing is "if the packet is too short, pad it to
> the minimum-packet-length", and the clear way to express
> that is "if (packet_len < max) add_more_padding;".
> 
> There is potential to use the constants ETH_ZLEN (60) and
> ETH_FCS_LEN (4) instead of the hard-coded 60 and 4 currently
> in the code, but I felt that was starting to wander a bit
> out of scope of just getting rid of the VLA.

Right. So possibly:

#define MAX_RX_PADDING (ETH_ZLEN + ETH_FCS_LEN)

but 64 is clear enough.

Thanks for the feedback.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>

diff --git a/hw/net/fsl_etsec/rings.c b/hw/net/fsl_etsec/rings.c
index 788463f1b62..2f2f359f7a5 100644
--- a/hw/net/fsl_etsec/rings.c
+++ b/hw/net/fsl_etsec/rings.c
@@ -372,6 +372,12 @@  void etsec_walk_tx_ring(eTSEC *etsec, int ring_nbr)
     etsec->regs[TSTAT].value |= 1 << (31 - ring_nbr);
 }
 
+/*
+ * rx_init_frame() ensures we never do more padding than this
+ * (checksum plus minimum data packet size)
+ */
+#define MAX_RX_PADDING 64
+
 static void fill_rx_bd(eTSEC          *etsec,
                        eTSEC_rxtx_bd  *bd,
                        const uint8_t **buf,
@@ -380,9 +386,11 @@  static void fill_rx_bd(eTSEC          *etsec,
     uint16_t to_write;
     hwaddr   bufptr = bd->bufptr +
         ((hwaddr)(etsec->regs[TBDBPH].value & 0xF) << 32);
-    uint8_t  padd[etsec->rx_padding];
+    uint8_t  padd[MAX_RX_PADDING];
     uint8_t  rem;
 
+    assert(etsec->rx_padding <= MAX_RX_PADDING);
+
     RING_DEBUG("eTSEC fill Rx buffer @ 0x%016" HWADDR_PRIx
                " size:%zu(padding + crc:%u) + fcb:%u\n",
                bufptr, *size, etsec->rx_padding, etsec->rx_fcb_size);
@@ -426,7 +434,7 @@  static void fill_rx_bd(eTSEC          *etsec,
         rem = MIN(etsec->regs[MRBLR].value - bd->length, etsec->rx_padding);
 
         if (rem > 0) {
-            memset(padd, 0x0, sizeof(padd));
+            memset(padd, 0x0, rem);
             etsec->rx_padding -= rem;
             *size             -= rem;
             bd->length        += rem;

[1/4] hw/net/fsl_etsec/rings.c: Avoid variable length array

Commit Message

Comments

Patch