From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id B8BD6C636D3 for ; Tue, 7 Feb 2023 10:08:58 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1pPKti-0000S6-6u; Tue, 07 Feb 2023 05:08:24 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pPKtV-0000PL-26; Tue, 07 Feb 2023 05:08:09 -0500 Received: from mail.ozlabs.org ([2404:9400:2221:ea00::3] helo=gandalf.ozlabs.org) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pPKtR-0002Mp-Bb; Tue, 07 Feb 2023 05:08:07 -0500 Received: from gandalf.ozlabs.org (gandalf.ozlabs.org [150.107.74.76]) by gandalf.ozlabs.org (Postfix) with ESMTP id 4P9zN24BkZz4y02; Tue, 7 Feb 2023 21:08:02 +1100 (AEDT) Received: from authenticated.ozlabs.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail.ozlabs.org (Postfix) with ESMTPSA id 4P9zN01W77z4xyf; Tue, 7 Feb 2023 21:07:59 +1100 (AEDT) From: =?UTF-8?q?C=C3=A9dric=20Le=20Goater?= To: qemu-arm@nongnu.org, qemu-devel@nongnu.org Cc: Peter Maydell , Stephen Longfield , Hao Wu , Joel Stanley , =?UTF-8?q?C=C3=A9dric=20Le=20Goater?= Subject: [PULL 04/25] hw/net: Fix read of uninitialized memory in ftgmac100 Date: Tue, 7 Feb 2023 11:07:23 +0100 Message-Id: <20230207100744.698694-5-clg@kaod.org> X-Mailer: git-send-email 2.39.1 In-Reply-To: <20230207100744.698694-1-clg@kaod.org> References: <20230207100744.698694-1-clg@kaod.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=2404:9400:2221:ea00::3; envelope-from=SRS0=a43c=6D=kaod.org=clg@ozlabs.org; helo=gandalf.ozlabs.org X-Spam_score_int: -39 X-Spam_score: -4.0 X-Spam_bar: ---- X-Spam_report: (-4.0 / 5.0 requ) BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org From: Stephen Longfield With the `size += 4` before the call to `crc32`, the CRC calculation would overrun the buffer. Size is used in the while loop starting on line 1009 to determine how much data to write back, with the last four bytes coming from `crc_ptr`, so do need to increase it, but should do this after the computation. I'm unsure why this use of uninitialized memory in the CRC doesn't result in CRC errors, but it seems clear to me that it should not be included in the calculation. Signed-off-by: Stephen Longfield Reviewed-by: Hao Wu Reviewed-by: Joel Stanley Message-Id: <20221220221437.3303721-1-slongfield@google.com> Signed-off-by: Cédric Le Goater --- hw/net/ftgmac100.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hw/net/ftgmac100.c b/hw/net/ftgmac100.c index 83ef0a783e..d3bf14be53 100644 --- a/hw/net/ftgmac100.c +++ b/hw/net/ftgmac100.c @@ -980,9 +980,9 @@ static ssize_t ftgmac100_receive(NetClientState *nc, const uint8_t *buf, return size; } - /* 4 bytes for the CRC. */ - size += 4; crc = cpu_to_be32(crc32(~0, buf, size)); + /* Increase size by 4, loop below reads the last 4 bytes from crc_ptr. */ + size += 4; crc_ptr = (uint8_t *) &crc; /* Huge frames are truncated. */ -- 2.39.1