From patchwork Tue May 13 15:31:31 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Maydell X-Patchwork-Id: 30110 Return-Path: X-Original-To: linaro@patches.linaro.org Delivered-To: linaro@patches.linaro.org Received: from mail-qa0-f72.google.com (mail-qa0-f72.google.com [209.85.216.72]) by ip-10-151-82-157.ec2.internal (Postfix) with ESMTPS id D961220446 for ; Tue, 13 May 2014 16:31:15 +0000 (UTC) Received: by mail-qa0-f72.google.com with SMTP id hw13sf1373657qab.7 for ; Tue, 13 May 2014 09:31:15 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:delivered-to:from:to:date :message-id:in-reply-to:references:cc:subject:precedence:list-id :list-unsubscribe:list-archive:list-post:list-help:list-subscribe :errors-to:sender:x-original-sender :x-original-authentication-results:mailing-list; bh=B9nDo9Kj4bKY46MyaDQj4pGGogDLDXX0i8BazkxHchs=; b=kaE2G3DJ714cWv5g4s5GwfL4JfrN7GpLw0lvN1P9fuQCwvoOv0mRF2wvQv+G1vrC5L YUdyF4BolZUU1b3m7jYu+6Boz2oIiRCgLpmaXj8bTsIgJceWOZqGi//j7VfKMBIroL/L R8dtfU5ub4T+0kBgZdQDbRRhqWXqJZ861JTMzHCWs7LIgxIgk6j2NYrxHZUaPcyWf+73 G67vSg03sI7kFvn+sbJJtnD1vwSEz1jv4dk/p5SxX4btDZD6wwbUk8LipX8QVEFYfavz ioLVOL2UI5ihRRlP2r/HZ45sr//g4mMUBt8rKLq0p9y/uRLtpzm6/U+wvjxBOEU/P1P0 VQBQ== X-Gm-Message-State: ALoCoQlUEi6Mlr8yh9/paDb7lwWR+XU962q4YpTpD6PE/yrdlx6mHJ3ZFPhgVvdpYB7EzJjndNzD X-Received: by 10.58.198.130 with SMTP id jc2mr982212vec.9.1399998675611; Tue, 13 May 2014 09:31:15 -0700 (PDT) MIME-Version: 1.0 X-BeenThere: patchwork-forward@linaro.org Received: by 10.140.32.203 with SMTP id h69ls1994786qgh.56.gmail; Tue, 13 May 2014 09:31:15 -0700 (PDT) X-Received: by 10.220.133.197 with SMTP id g5mr29891497vct.20.1399998675423; Tue, 13 May 2014 09:31:15 -0700 (PDT) Received: from mail-vc0-f176.google.com (mail-vc0-f176.google.com [209.85.220.176]) by mx.google.com with ESMTPS id j20si2733815vcx.127.2014.05.13.09.31.15 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 13 May 2014 09:31:15 -0700 (PDT) Received-SPF: pass (google.com: domain of patch+caf_=patchwork-forward=linaro.org@linaro.org designates 209.85.220.176 as permitted sender) client-ip=209.85.220.176; Received: by mail-vc0-f176.google.com with SMTP id lg15so778351vcb.7 for ; Tue, 13 May 2014 09:31:15 -0700 (PDT) X-Received: by 10.221.64.80 with SMTP id xh16mr2195906vcb.35.1399998675284; Tue, 13 May 2014 09:31:15 -0700 (PDT) X-Forwarded-To: patchwork-forward@linaro.org X-Forwarded-For: patch@linaro.org patchwork-forward@linaro.org Delivered-To: patch@linaro.org Received: by 10.220.221.72 with SMTP id ib8csp165098vcb; Tue, 13 May 2014 09:31:14 -0700 (PDT) X-Received: by 10.224.92.144 with SMTP id r16mr50090682qam.10.1399998673809; Tue, 13 May 2014 09:31:13 -0700 (PDT) Received: from lists.gnu.org (lists.gnu.org. [208.118.235.17]) by mx.google.com with ESMTPS id 4si8021565qcl.68.2014.05.13.09.31.13 for (version=TLSv1 cipher=RC4-SHA bits=128/128); Tue, 13 May 2014 09:31:13 -0700 (PDT) Received-SPF: pass (google.com: domain of qemu-devel-bounces+patch=linaro.org@nongnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; Received: from localhost ([::1]:45876 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WkEj9-0003VV-Cm for patch@linaro.org; Tue, 13 May 2014 11:34:47 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:42171) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WkEgK-00081Q-26 for qemu-devel@nongnu.org; Tue, 13 May 2014 11:31:53 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1WkEgI-0006A9-Vg for qemu-devel@nongnu.org; Tue, 13 May 2014 11:31:52 -0400 Received: from mnementh.archaic.org.uk ([2001:8b0:1d0::1]:48125) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WkEgI-00066p-J8 for qemu-devel@nongnu.org; Tue, 13 May 2014 11:31:50 -0400 Received: from pm215 by mnementh.archaic.org.uk with local (Exim 4.80) (envelope-from ) id 1WkEg7-0006wt-IX; Tue, 13 May 2014 16:31:39 +0100 From: Peter Maydell To: Anthony Liguori Date: Tue, 13 May 2014 16:31:31 +0100 Message-Id: <1399995099-26635-10-git-send-email-peter.maydell@linaro.org> X-Mailer: git-send-email 1.7.10.4 In-Reply-To: <1399995099-26635-1-git-send-email-peter.maydell@linaro.org> References: <1399995099-26635-1-git-send-email-peter.maydell@linaro.org> X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address (bad octet value). X-Received-From: 2001:8b0:1d0::1 Cc: qemu-devel@nongnu.org Subject: [Qemu-devel] [PULL 09/17] hw/net/stellaris_enet: Convert to vmstate X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: , List-Help: , List-Subscribe: , Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org Sender: qemu-devel-bounces+patch=linaro.org@nongnu.org X-Removed-Original-Auth: Dkim didn't pass. X-Original-Sender: peter.maydell@linaro.org X-Original-Authentication-Results: mx.google.com; spf=pass (google.com: domain of patch+caf_=patchwork-forward=linaro.org@linaro.org designates 209.85.220.176 as permitted sender) smtp.mail=patch+caf_=patchwork-forward=linaro.org@linaro.org Mailing-list: list patchwork-forward@linaro.org; contact patchwork-forward+owners@linaro.org X-Google-Group-Id: 836684582541 Convert this device to use vmstate for its save/load, including providing a post_load function that sanitizes inbound data to avoid possible buffer overflows if it is malicious. The sanitizing fixes CVE-2013-4532 (though nobody should be relying on the security properties of most of the unmaintained ARM board models anyway, and migration doesn't actually work on this board due to issues in other device models). Signed-off-by: Peter Maydell Reviewed-by: Dr. David Alan Gilbert Reviewed-by: Michael S. Tsirkin --- hw/net/stellaris_enet.c | 148 ++++++++++++++++++++++++++---------------------- 1 file changed, 80 insertions(+), 68 deletions(-) diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c index 9e8f143..c9ee5d3 100644 --- a/hw/net/stellaris_enet.c +++ b/hw/net/stellaris_enet.c @@ -47,6 +47,11 @@ do { fprintf(stderr, "stellaris_enet: error: " fmt , ## __VA_ARGS__);} while (0) OBJECT_CHECK(stellaris_enet_state, (obj), TYPE_STELLARIS_ENET) typedef struct { + uint8_t data[2048]; + uint32_t len; +} StellarisEnetRxFrame; + +typedef struct { SysBusDevice parent_obj; uint32_t ris; @@ -59,22 +64,89 @@ typedef struct { uint32_t mtxd; uint32_t mrxd; uint32_t np; - int tx_fifo_len; + uint32_t tx_fifo_len; uint8_t tx_fifo[2048]; /* Real hardware has a 2k fifo, which works out to be at most 31 packets. We implement a full 31 packet fifo. */ - struct { - uint8_t data[2048]; - int len; - } rx[31]; - int rx_fifo_offset; - int next_packet; + StellarisEnetRxFrame rx[31]; + uint32_t rx_fifo_offset; + uint32_t next_packet; NICState *nic; NICConf conf; qemu_irq irq; MemoryRegion mmio; } stellaris_enet_state; +static const VMStateDescription vmstate_rx_frame = { + .name = "stellaris_enet/rx_frame", + .version_id = 1, + .minimum_version_id = 1, + .fields = (VMStateField[]) { + VMSTATE_UINT8_ARRAY(data, StellarisEnetRxFrame, 2048), + VMSTATE_UINT32(len, StellarisEnetRxFrame), + VMSTATE_END_OF_LIST() + } +}; + +static int stellaris_enet_post_load(void *opaque, int version_id) +{ + stellaris_enet_state *s = opaque; + int i; + + /* Sanitize inbound state. Note that next_packet is an index but + * np is a size; hence their valid upper bounds differ. + */ + if (s->next_packet >= ARRAY_SIZE(s->rx)) { + return -1; + } + + if (s->np > ARRAY_SIZE(s->rx)) { + return -1; + } + + for (i = 0; i < ARRAY_SIZE(s->rx); i++) { + if (s->rx[i].len > ARRAY_SIZE(s->rx[i].data)) { + return -1; + } + } + + if (s->rx_fifo_offset > ARRAY_SIZE(s->rx[0].data) - 4) { + return -1; + } + + if (s->tx_fifo_len > ARRAY_SIZE(s->tx_fifo)) { + return -1; + } + + return 0; +} + +static const VMStateDescription vmstate_stellaris_enet = { + .name = "stellaris_enet", + .version_id = 2, + .minimum_version_id = 2, + .post_load = stellaris_enet_post_load, + .fields = (VMStateField[]) { + VMSTATE_UINT32(ris, stellaris_enet_state), + VMSTATE_UINT32(im, stellaris_enet_state), + VMSTATE_UINT32(rctl, stellaris_enet_state), + VMSTATE_UINT32(tctl, stellaris_enet_state), + VMSTATE_UINT32(thr, stellaris_enet_state), + VMSTATE_UINT32(mctl, stellaris_enet_state), + VMSTATE_UINT32(mdv, stellaris_enet_state), + VMSTATE_UINT32(mtxd, stellaris_enet_state), + VMSTATE_UINT32(mrxd, stellaris_enet_state), + VMSTATE_UINT32(np, stellaris_enet_state), + VMSTATE_UINT32(tx_fifo_len, stellaris_enet_state), + VMSTATE_UINT8_ARRAY(tx_fifo, stellaris_enet_state, 2048), + VMSTATE_STRUCT_ARRAY(rx, stellaris_enet_state, 31, 1, + vmstate_rx_frame, StellarisEnetRxFrame), + VMSTATE_UINT32(rx_fifo_offset, stellaris_enet_state), + VMSTATE_UINT32(next_packet, stellaris_enet_state), + VMSTATE_END_OF_LIST() + } +}; + static void stellaris_enet_update(stellaris_enet_state *s) { qemu_set_irq(s->irq, (s->ris & s->im) != 0); @@ -379,63 +451,6 @@ static void stellaris_enet_reset(stellaris_enet_state *s) s->tx_fifo_len = 0; } -static void stellaris_enet_save(QEMUFile *f, void *opaque) -{ - stellaris_enet_state *s = (stellaris_enet_state *)opaque; - int i; - - qemu_put_be32(f, s->ris); - qemu_put_be32(f, s->im); - qemu_put_be32(f, s->rctl); - qemu_put_be32(f, s->tctl); - qemu_put_be32(f, s->thr); - qemu_put_be32(f, s->mctl); - qemu_put_be32(f, s->mdv); - qemu_put_be32(f, s->mtxd); - qemu_put_be32(f, s->mrxd); - qemu_put_be32(f, s->np); - qemu_put_be32(f, s->tx_fifo_len); - qemu_put_buffer(f, s->tx_fifo, sizeof(s->tx_fifo)); - for (i = 0; i < 31; i++) { - qemu_put_be32(f, s->rx[i].len); - qemu_put_buffer(f, s->rx[i].data, sizeof(s->rx[i].data)); - - } - qemu_put_be32(f, s->next_packet); - qemu_put_be32(f, s->rx_fifo_offset); -} - -static int stellaris_enet_load(QEMUFile *f, void *opaque, int version_id) -{ - stellaris_enet_state *s = (stellaris_enet_state *)opaque; - int i; - - if (version_id != 1) - return -EINVAL; - - s->ris = qemu_get_be32(f); - s->im = qemu_get_be32(f); - s->rctl = qemu_get_be32(f); - s->tctl = qemu_get_be32(f); - s->thr = qemu_get_be32(f); - s->mctl = qemu_get_be32(f); - s->mdv = qemu_get_be32(f); - s->mtxd = qemu_get_be32(f); - s->mrxd = qemu_get_be32(f); - s->np = qemu_get_be32(f); - s->tx_fifo_len = qemu_get_be32(f); - qemu_get_buffer(f, s->tx_fifo, sizeof(s->tx_fifo)); - for (i = 0; i < 31; i++) { - s->rx[i].len = qemu_get_be32(f); - qemu_get_buffer(f, s->rx[i].data, sizeof(s->rx[i].data)); - - } - s->next_packet = qemu_get_be32(f); - s->rx_fifo_offset = qemu_get_be32(f); - - return 0; -} - static void stellaris_enet_cleanup(NetClientState *nc) { stellaris_enet_state *s = qemu_get_nic_opaque(nc); @@ -467,8 +482,6 @@ static int stellaris_enet_init(SysBusDevice *sbd) qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a); stellaris_enet_reset(s); - register_savevm(dev, "stellaris_enet", -1, 1, - stellaris_enet_save, stellaris_enet_load, s); return 0; } @@ -476,8 +489,6 @@ static void stellaris_enet_unrealize(DeviceState *dev, Error **errp) { stellaris_enet_state *s = STELLARIS_ENET(dev); - unregister_savevm(DEVICE(s), "stellaris_enet", s); - memory_region_destroy(&s->mmio); } @@ -494,6 +505,7 @@ static void stellaris_enet_class_init(ObjectClass *klass, void *data) k->init = stellaris_enet_init; dc->unrealize = stellaris_enet_unrealize; dc->props = stellaris_enet_properties; + dc->vmsd = &vmstate_stellaris_enet; } static const TypeInfo stellaris_enet_info = {