[0/3] hw/net/smc91c111: Fix potential array overflows

Message ID	20250228174802.1945417-1-peter.maydell@linaro.org
Headers	show Delivered-To: patch@linaro.org Received-SPF: pass (google.com: domain of qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; From: Peter Maydell <peter.maydell@linaro.org> To: qemu-arm@nongnu.org, qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Jason Wang <jasowang@redhat.com> Subject: [PATCH 0/3] hw/net/smc91c111: Fix potential array overflows Date: Fri, 28 Feb 2025 17:47:58 +0000 Message-ID: <20250228174802.1945417-1-peter.maydell@linaro.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=2a00:1450:4864:20::333; envelope-from=peter.maydell@linaro.org; helo=mail-wm1-x333.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no X-Spam_action: no action Precedence: list Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org Sender: qemu-devel-bounces+patch=linaro.org@nongnu.org
Series	hw/net/smc91c111: Fix potential array overflows \| expand [0/3] hw/net/smc91c111: Fix potential array overflows [1/3] hw/net/smc91c111: Sanitize packet numbers [2/3] hw/net/smc91c111: Sanitize packet length on tx [3/3] hw/net/smc91c111: Use MAX_PACKET_SIZE instead of magic numbers

Message ID

20250228174802.1945417-1-peter.maydell@linaro.org

Headers

Received-SPF: pass (google.com: domain of
 qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as
 permitted sender) client-ip=209.51.188.17;
From: Peter Maydell <peter.maydell@linaro.org>
To: qemu-arm@nongnu.org,
	qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org,
	Jason Wang <jasowang@redhat.com>
Subject: [PATCH 0/3] hw/net/smc91c111: Fix potential array overflows
Date: Fri, 28 Feb 2025 17:47:58 +0000
Message-ID: <20250228174802.1945417-1-peter.maydell@linaro.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=2a00:1450:4864:20::333;
 envelope-from=peter.maydell@linaro.org; helo=mail-wm1-x333.google.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org
Sender: qemu-devel-bounces+patch=linaro.org@nongnu.org

Series

hw/net/smc91c111: Fix potential array overflows | expand

Message

Peter Maydell Feb. 28, 2025, 5:47 p.m. UTC

This patchset fixes some potential array overflows in the
smc91c111 ethernet device model, including the one found in
https://gitlab.com/qemu-project/qemu/-/issues/2742

There are two classes of bugs:
 * we accept packet numbers from the guest, but we were not
   validating that they were in range before using them as an
   index into the data[][] array
 * we didn't sanitize the length field read from the data
   frame on tx before using it as an index to find the
   control byte at the end of the frame, so we could read off
   the end of the buffer

This patchset fixes both of these. The datasheet is sadly
silent on the h/w behaviour for these errors, so I opted to
LOG_GUEST_ERROR and silently ignore the invalid operations.

Patch 3 tidies up the existing code to use a constant defined
in patch 2; I put it last so we can cc the first two patches
to stable without having to also backport that patch.

thanks
-- PMM

Peter Maydell (3):
  hw/net/smc91c111: Sanitize packet numbers
  hw/net/smc91c111: Sanitize packet length on tx
  hw/net/smc91c111: Use MAX_PACKET_SIZE instead of magic numbers

 hw/net/smc91c111.c | 87 +++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 79 insertions(+), 8 deletions(-)

Comments

Peter Maydell Feb. 28, 2025, 7:22 p.m. UTC | #1

On Fri, 28 Feb 2025 at 17:48, Peter Maydell <peter.maydell@linaro.org> wrote:
>
> This patchset fixes some potential array overflows in the
> smc91c111 ethernet device model, including the one found in
> https://gitlab.com/qemu-project/qemu/-/issues/2742
>
> There are two classes of bugs:
>  * we accept packet numbers from the guest, but we were not
>    validating that they were in range before using them as an
>    index into the data[][] array
>  * we didn't sanitize the length field read from the data
>    frame on tx before using it as an index to find the
>    control byte at the end of the frame, so we could read off
>    the end of the buffer
>
> This patchset fixes both of these. The datasheet is sadly
> silent on the h/w behaviour for these errors, so I opted to
> LOG_GUEST_ERROR and silently ignore the invalid operations.
>
> Patch 3 tidies up the existing code to use a constant defined
> in patch 2; I put it last so we can cc the first two patches
> to stable without having to also backport that patch.

See also the other smc91c111 fuzzer fix patch:
https://patchew.org/QEMU/20250228191652.1957208-1-peter.maydell@linaro.org/

(if I need to do a v2 of this series I'll put that one in too)

-- PMM