From patchwork Mon Feb 10 20:42:04 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= X-Patchwork-Id: 863842 Delivered-To: patch@linaro.org Received: by 2002:a5d:4e42:0:b0:385:e875:8a9e with SMTP id r2csp1792549wrt; Mon, 10 Feb 2025 12:47:08 -0800 (PST) X-Forwarded-Encrypted: i=2; AJvYcCWjMWxunnNFRPRnWDcCq7cdBajjjZhrXDln6DJPFMBaiZm4uMLomsI7DEL6nOovLJulmU/12w==@linaro.org X-Google-Smtp-Source: AGHT+IGBoyAKSS9erEyHzsJDT+1P00mGAFwUPbhVZVEqBlVX+gpyrC/h2WC75yqy0RdLYTPS417V X-Received: by 2002:a05:6102:419e:b0:4bb:d394:46d7 with SMTP id ada2fe7eead31-4bbd3945845mr2501004137.6.1739220428149; Mon, 10 Feb 2025 12:47:08 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1739220428; cv=none; d=google.com; s=arc-20240605; b=WUH0/JLLuZqgYxqucW58tWFudI5JcLaDp/HcEWsVhDyLXSCUzVgTPNVOJpaiXggsNH a6cu/BRAHzAL625bpbfeosRJWt9XNTIyJ8uUSSNqbho+hyjqNfiCm2dK8yioo3Nc9j7+ Ew9T1HOkZISNPPLFaexla1CykZXotVaUKsrWEwllbyjPBMiTdlPjHKRCxqtLDvrp7KPb 4Zf3x1pxEC5Aj/PI3HGyrrU5RS/4F0OrKuktjA2vmzRZ0+Bq6QxgDiooXTr2x/800VCk FBkCPxY1Abm3GftEJeEK+39YvKaQ5s00prBcoMsvRP/UjB1fCAV244Qo+zwIimhxFZEU 6hCQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=DX9DBgf/ZOjZteqt+lpORZoLsvdeqNqe4QCTU3mIslQ=; fh=LrPQuEKVF+Dsx2F4DCB8BVVQW8BdXsyh1KCq0lVL1mo=; b=c+gOin3S26m22Qo1DqlG6EIiXFuXW0HBclLn5RvcV6RsmXfOUHNkmSTDkH7LLCCUnE cgRw861fCk4/MlvXzstkucTsfm1/ER6o0NwTDOhcOoHRoRXq3HXHY3VnPZszHEHktmpo 0zsXJ9L2FyKlW+5/SSlGsmE2nN2vIeo/5fevXObwskCTAnb4Cdry0oxdN11Vb1oXcaOt i0W4zmAyoBELowyFlolb88Pg7aNqZ79wyatqaCEQXqTVqDlhV+fhtbKPY1oHOxgmw2Cq jAlVFL91x0/zYwN5QkF2qxIhUHkhwSZ0zMljBSpt1wiG/5YahUFnQQUfkiFyow6b3C8a MM4A==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=aFl8WVcB; spf=pass (google.com: domain of qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom="qemu-devel-bounces+patch=linaro.org@nongnu.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org; dara=neutral header.i=@linaro.org Return-Path: Received: from lists.gnu.org (lists.gnu.org. [209.51.188.17]) by mx.google.com with ESMTPS id ada2fe7eead31-4bbd39420cesi460695137.219.2025.02.10.12.47.08 for (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256); Mon, 10 Feb 2025 12:47:08 -0800 (PST) Received-SPF: pass (google.com: domain of qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=aFl8WVcB; spf=pass (google.com: domain of qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom="qemu-devel-bounces+patch=linaro.org@nongnu.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org; dara=neutral header.i=@linaro.org Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1thaeJ-0005zV-5S; Mon, 10 Feb 2025 15:44:59 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1thaeE-0005QB-4Z for qemu-devel@nongnu.org; Mon, 10 Feb 2025 15:44:54 -0500 Received: from mail-wr1-x42a.google.com ([2a00:1450:4864:20::42a]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1thaeB-00044G-OO for qemu-devel@nongnu.org; Mon, 10 Feb 2025 15:44:53 -0500 Received: by mail-wr1-x42a.google.com with SMTP id ffacd0b85a97d-38dc33931d3so2064072f8f.1 for ; Mon, 10 Feb 2025 12:44:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1739220289; x=1739825089; darn=nongnu.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=DX9DBgf/ZOjZteqt+lpORZoLsvdeqNqe4QCTU3mIslQ=; b=aFl8WVcBNxqk6VFSulXAazssOGbIMqlsh6dyZFDpWf26BlolJ0Pup6aOQTcqAHjyPo tC/PUvupnp25athQhnC/zbRuRwxQbKKs7Uzx71g7RvBCLU/p+Fc23mjz9r4r0x6N4iW0 zOM6N24Hv1GxhnN62uwx2Wu/xXWBPmYNG57YSE5k6YytzSJOSLCAH/jQe/jAqikoE3l9 FdoSB32VyCEmpn5c6UJGLtGQk/zxZJ3qshDIvvJta9OfzqMyhaQEunT6Rj6E75BjTNs+ yyDOdUTilOPgUDfoMxhCWijkARBEmLvRTAvZ3GHa65SiEPW3prhKq9Y8FN5eqznEH7ZT PArg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1739220289; x=1739825089; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=DX9DBgf/ZOjZteqt+lpORZoLsvdeqNqe4QCTU3mIslQ=; b=LMi4NR8bebWI5CSATBoFgoaEnWzoU/cST8i9lPlgd5V7RlVVe84oS0L3It5Bbi+Kqv VatADdebg88surD3XL8uU+RjRyO1bWK+P/F1A6xJsaBPPLT9DCA5CLhL0VllvN0SdJ9d hI4dO8ghrFP09st6uEKXKQRQe5KYaBWSCE7Mv+yqmyixyAAmHLIEeUrvPmSv5WWLjcnN AjUJ0bMKlhlUuULQ7L0pzLRf6blcdGuupGUMx9nFZSboDjiqhlWh0CHPeuoYZHauY1QW wmDdV9QmpRySlGzIXOE6Pb4mjcRABnpDJiMQrPXXnSJ451MYhdwLR2k+TetDBQtsgN55 iMOQ== X-Gm-Message-State: AOJu0YwmV80gi8w49+mlMmJBoMQzYRKSceRBaMTqUbmywzA9YOvWQKG0 CsvF1YxEYclQUVJFKqG6BfBUMI3xepTmCTwyibgP76m/DstkhoUP+/F63+5LqmCtyTnfJbPdc6A GvMY= X-Gm-Gg: ASbGnct8ZOyRqew9/nRTaEufCvZVXQLf4h3lD0eIAFPpMKbLqFFgfTatiMJ6FAA81/n KXKFjFLtHqGXhGyNwNXGsGpcai7UuMS3yIGbugBo4RpmpZ5Tet55RnlraSS8dZWtKHtWm1GnyYw vP00ZpJXGhpdVMR/BycckYQ56DbbEBeZ60Jy7jn1OnyhQmmRHxTNRej+erl3LoMrmkF8JD9+i6N nLOyG285uqgjUBqZly8J96/HjhgnrPLZWA3WoQT98DozYpaZUT5mX1llTM6KrzEbasURMhdkL1v mXHZDIH1WyeneyGNjEIYGW6jfCxtTmxasYgKB8Jbve+At15qRVMNE7yH3KU7F+gJhQ== X-Received: by 2002:a05:6000:186f:b0:38d:e052:625a with SMTP id ffacd0b85a97d-38de05263fbmr4435911f8f.16.1739220289575; Mon, 10 Feb 2025 12:44:49 -0800 (PST) Received: from localhost.localdomain (88-187-86-199.subs.proxad.net. [88.187.86.199]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4390db11200sm189100565e9.38.2025.02.10.12.44.48 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256); Mon, 10 Feb 2025 12:44:49 -0800 (PST) From: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= To: qemu-devel@nongnu.org Cc: Peter Maydell , qemu-stable@nongnu.org, =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= Subject: [PULL 32/32] hw/net/smc91c111: Ignore attempt to pop from empty RX fifo Date: Mon, 10 Feb 2025 21:42:04 +0100 Message-ID: <20250210204204.54407-33-philmd@linaro.org> X-Mailer: git-send-email 2.47.1 In-Reply-To: <20250210204204.54407-1-philmd@linaro.org> References: <20250210204204.54407-1-philmd@linaro.org> MIME-Version: 1.0 Received-SPF: pass client-ip=2a00:1450:4864:20::42a; envelope-from=philmd@linaro.org; helo=mail-wr1-x42a.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org Sender: qemu-devel-bounces+patch=linaro.org@nongnu.org From: Peter Maydell The SMC91C111 includes an MMU Command register which permits the guest to remove entries from the RX FIFO. The datasheet does not specify what happens if the guest tries to do this when the FIFO is already empty; there are no status registers containing error bits which might be applicable. Currently we don't guard at all against pop of an empty RX FIFO, with the result that we allow the guest to drive the rx_fifo_len index to negative values, which will cause smc91c111_receive() to write to the rx_fifo[] array out of bounds when we receive the next packet. Instead ignore attempts to pop an empty RX FIFO. Cc: qemu-stable@nongnu.org Fixes: 80337b66a8e7 ("NIC emulation for qemu arm-softmmu") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2780 Signed-off-by: Peter Maydell Reviewed-by: Philippe Mathieu-Daudé Message-ID: <20250207151157.3151776-1-peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé --- hw/net/smc91c111.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/hw/net/smc91c111.c b/hw/net/smc91c111.c index b18d5c23c39..0e13dfa18b2 100644 --- a/hw/net/smc91c111.c +++ b/hw/net/smc91c111.c @@ -182,6 +182,15 @@ static void smc91c111_pop_rx_fifo(smc91c111_state *s) { int i; + if (s->rx_fifo_len == 0) { + /* + * The datasheet doesn't document what the behaviour is if the + * guest tries to pop an empty RX FIFO, and there's no obvious + * error status register to report it. Just ignore the attempt. + */ + return; + } + s->rx_fifo_len--; if (s->rx_fifo_len) { for (i = 0; i < s->rx_fifo_len; i++)