From patchwork Sat Mar 15 06:17:53 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Michael Tokarev X-Patchwork-Id: 873848 Delivered-To: patch@linaro.org Received: by 2002:a5d:4308:0:b0:38f:210b:807b with SMTP id h8csp1063756wrq; Fri, 14 Mar 2025 23:33:47 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCXojcs2rVEFI9/ppgoukGKjGx1hUCkeJNM3F730VTRc+g4v4orTsjPkBrmRsgohsIj+BprY7Q==@linaro.org X-Google-Smtp-Source: AGHT+IFjYfAJxCWPNRJEz9Rj0NwFXe4wAWfMRB/m9bbWfvAmDbGw2P87M449a1+T4YSrD7IBc1bK X-Received: by 2002:a05:6214:518e:b0:6e8:fcc9:a291 with SMTP id 6a1803df08f44-6eaeaa577e8mr66733036d6.23.1742020427273; Fri, 14 Mar 2025 23:33:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1742020427; cv=none; d=google.com; s=arc-20240605; b=hrZRdYKIR83R93nTdUD20LbGe38jnUsTwvmFxV6SP7vWocG3G1923MH9iOGvqn+Vlp 8lDS9FulNnsC8QHXwOhhuO8Y5LDSZllL8hxf3wNCOayNwJoMOaZCISYG8Zdqon5ogIrX 5+58QCKEMTm1G6wEeyp47JKLnZ1x+njG7Q+lIJUcM38aWh6yowO58mFYgyKalZDbue0+ 1qLPfGR/W9tyKYQHA8Sww5yYaD0gwUOyp+Bmb2yVggQxqyMFnRdBrI3xgWAjURAVk3RM 9cVVysIQFYj44zXkMXJifSLj1mToOl9oRsWidQM9qa+PBvOnAGwTQh0WnlszBIzPh945 zWkw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from; bh=nmcAxKikSulRVz3kfnvdsmfLS3OmmDecDj8+CmC1PbY=; fh=He0A/96iGS/hdBTIvTFKPoE7yByjlEm52ubAJxr7bqo=; b=RFnZw/y0kLdv+tt1Xd6UOxloj2s21Xf+opT9RiFUrSr7sOKVRjQABoqgkpGpE/a6sk V633opD/ZGV3t3BduhZ//hBDkKyYDtPpJUChMQOgERYMh5WoLVCmFQMhiB71w98uCkck glcz4YZJZsQXrg7wUFRdVCdyDjVdhiUqX3c6bPUz5icRc+ekXyzQ3R6Imri0aATnEQRD RHvOMkfPlwaKFCV2oCoVeqboTbmzL/DptP6D4yPRsn7iiMJ5Ev7Pwujl7uqYc8t3ZbtY xnZkV5LgDn9h+9RZXzjZlIzCF1ko2+Z/y0NdfcoM3zP1uC+chJXOAq11yq4Oi2tEB7mV 3Kjw==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom="qemu-devel-bounces+patch=linaro.org@nongnu.org" Return-Path: Received: from lists.gnu.org (lists.gnu.org. [209.51.188.17]) by mx.google.com with ESMTPS id 6a1803df08f44-6eade35744bsi52642186d6.353.2025.03.14.23.33.47 for (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256); Fri, 14 Mar 2025 23:33:47 -0700 (PDT) Received-SPF: pass (google.com: domain of qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; Authentication-Results: mx.google.com; spf=pass (google.com: domain of qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom="qemu-devel-bounces+patch=linaro.org@nongnu.org" Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1ttKwv-0006hc-Vq; Sat, 15 Mar 2025 02:24:46 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1ttKv6-0003Rm-O9; Sat, 15 Mar 2025 02:22:53 -0400 Received: from isrv.corpit.ru ([86.62.121.231]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1ttKv4-0003ro-Bh; Sat, 15 Mar 2025 02:22:52 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 2FDA8FF9FB; Sat, 15 Mar 2025 09:17:08 +0300 (MSK) Received: from gandalf.tls.msk.ru (mjt.wg.tls.msk.ru [192.168.177.130]) by tsrv.corpit.ru (Postfix) with ESMTP id 02FCC1CAC64; Sat, 15 Mar 2025 09:18:02 +0300 (MSK) Received: by gandalf.tls.msk.ru (Postfix, from userid 1000) id 9C3E35590D; Sat, 15 Mar 2025 09:18:01 +0300 (MSK) From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Peter Maydell , =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= , Michael Tokarev Subject: [Stable-9.2.3 47/51] hw/net/smc91c111: Sanitize packet length on tx Date: Sat, 15 Mar 2025 09:17:53 +0300 Message-Id: <20250315061801.622606-47-mjt@tls.msk.ru> X-Mailer: git-send-email 2.39.5 In-Reply-To: References: MIME-Version: 1.0 Received-SPF: pass client-ip=86.62.121.231; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -68 X-Spam_score: -6.9 X-Spam_bar: ------ X-Spam_report: (-6.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org Sender: qemu-devel-bounces+patch=linaro.org@nongnu.org From: Peter Maydell When the smc91c111 transmits a packet, it must read a control byte which is at the end of the data area and CRC. However, we don't sanitize the length field in the packet buffer, so if the guest sets the length field to something large we will try to read past the end of the packet data buffer when we access the control byte. As usual, the datasheet says nothing about the behaviour of the hardware if the guest misprograms it in this way. It says only that the maximum valid length is 2048 bytes. We choose to log the guest error and silently drop the packet. This requires us to factor out the "mark the tx packet as complete" logic, so we can call it for this "drop packet" case as well as at the end of the loop when we send a valid packet. Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2742 Signed-off-by: Peter Maydell Reviewed-by: Philippe Mathieu-Daudé Message-ID: <20250228174802.1945417-3-peter.maydell@linaro.org> [PMD: Update smc91c111_do_tx() as len > MAX_PACKET_SIZE] Signed-off-by: Philippe Mathieu-Daudé (cherry picked from commit aad6f264add3f2be72acb660816588fe09110069) Signed-off-by: Michael Tokarev diff --git a/hw/net/smc91c111.c b/hw/net/smc91c111.c index 48a6b3fb0d..aef5477d03 100644 --- a/hw/net/smc91c111.c +++ b/hw/net/smc91c111.c @@ -22,6 +22,13 @@ /* Number of 2k memory pages available. */ #define NUM_PACKETS 4 +/* + * Maximum size of a data frame, including the leading status word + * and byte count fields and the trailing CRC, last data byte + * and control byte (per figure 8-1 in the Microchip Technology + * LAN91C111 datasheet). + */ +#define MAX_PACKET_SIZE 2048 #define TYPE_SMC91C111 "smc91c111" OBJECT_DECLARE_SIMPLE_TYPE(smc91c111_state, SMC91C111) @@ -240,6 +247,16 @@ static void smc91c111_release_packet(smc91c111_state *s, int packet) smc91c111_flush_queued_packets(s); } +static void smc91c111_complete_tx_packet(smc91c111_state *s, int packetnum) +{ + if (s->ctr & CTR_AUTO_RELEASE) { + /* Race? */ + smc91c111_release_packet(s, packetnum); + } else if (s->tx_fifo_done_len < NUM_PACKETS) { + s->tx_fifo_done[s->tx_fifo_done_len++] = packetnum; + } +} + /* Flush the TX FIFO. */ static void smc91c111_do_tx(smc91c111_state *s) { @@ -263,6 +280,17 @@ static void smc91c111_do_tx(smc91c111_state *s) *(p++) = 0x40; len = *(p++); len |= ((int)*(p++)) << 8; + if (len > MAX_PACKET_SIZE) { + /* + * Datasheet doesn't say what to do here, and there is no + * relevant tx error condition listed. Log, and drop the packet. + */ + qemu_log_mask(LOG_GUEST_ERROR, + "smc91c111: tx packet with bad length %d, dropping\n", + len); + smc91c111_complete_tx_packet(s, packetnum); + continue; + } len -= 6; control = p[len + 1]; if (control & 0x20) @@ -291,11 +319,7 @@ static void smc91c111_do_tx(smc91c111_state *s) } } #endif - if (s->ctr & CTR_AUTO_RELEASE) - /* Race? */ - smc91c111_release_packet(s, packetnum); - else if (s->tx_fifo_done_len < NUM_PACKETS) - s->tx_fifo_done[s->tx_fifo_done_len++] = packetnum; + smc91c111_complete_tx_packet(s, packetnum); qemu_send_packet(qemu_get_queue(s->nic), p, len); } s->tx_fifo_len = 0;