From: Jason Wang <jasowang@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Peter Maydell" <peter.maydell@linaro.org>,
"Philippe Mathieu-Daudé" <philmd@linaro.org>,
"Jason Wang" <jasowang@redhat.com>
Subject: [PULL V2 14/17] hw/net/fsl_etsec/rings.c: Avoid variable length array
Date: Mon, 18 Sep 2023 16:31:29 +0800 [thread overview]
Message-ID: <20230918083132.55423-15-jasowang@redhat.com> (raw)
In-Reply-To: <20230918083132.55423-1-jasowang@redhat.com>
From: Peter Maydell <peter.maydell@linaro.org>
In fill_rx_bd() we create a variable length array of size
etsec->rx_padding. In fact we know that this will never be
larger than 64 bytes, because rx_padding is set in rx_init_frame()
in a way that ensures it is only that large. Use a fixed sized
array and assert that it is big enough.
Since padd[] is now potentially rather larger than the actual
padding required, adjust the memset() we do on it to match the
size that we write with cpu_physical_memory_write(), rather than
clearing the entire array.
The codebase has very few VLAs, and if we can get rid of them all we
can make the compiler error on new additions. This is a defensive
measure against security bugs where an on-stack dynamic allocation
isn't correctly size-checked (e.g. CVE-2021-3527).
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
hw/net/fsl_etsec/rings.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/hw/net/fsl_etsec/rings.c b/hw/net/fsl_etsec/rings.c
index 788463f..2f2f359 100644
--- a/hw/net/fsl_etsec/rings.c
+++ b/hw/net/fsl_etsec/rings.c
@@ -372,6 +372,12 @@ void etsec_walk_tx_ring(eTSEC *etsec, int ring_nbr)
etsec->regs[TSTAT].value |= 1 << (31 - ring_nbr);
}
+/*
+ * rx_init_frame() ensures we never do more padding than this
+ * (checksum plus minimum data packet size)
+ */
+#define MAX_RX_PADDING 64
+
static void fill_rx_bd(eTSEC *etsec,
eTSEC_rxtx_bd *bd,
const uint8_t **buf,
@@ -380,9 +386,11 @@ static void fill_rx_bd(eTSEC *etsec,
uint16_t to_write;
hwaddr bufptr = bd->bufptr +
((hwaddr)(etsec->regs[TBDBPH].value & 0xF) << 32);
- uint8_t padd[etsec->rx_padding];
+ uint8_t padd[MAX_RX_PADDING];
uint8_t rem;
+ assert(etsec->rx_padding <= MAX_RX_PADDING);
+
RING_DEBUG("eTSEC fill Rx buffer @ 0x%016" HWADDR_PRIx
" size:%zu(padding + crc:%u) + fcb:%u\n",
bufptr, *size, etsec->rx_padding, etsec->rx_fcb_size);
@@ -426,7 +434,7 @@ static void fill_rx_bd(eTSEC *etsec,
rem = MIN(etsec->regs[MRBLR].value - bd->length, etsec->rx_padding);
if (rem > 0) {
- memset(padd, 0x0, sizeof(padd));
+ memset(padd, 0x0, rem);
etsec->rx_padding -= rem;
*size -= rem;
bd->length += rem;
--
2.7.4
next prev parent reply other threads:[~2023-09-18 8:34 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-18 8:31 [PULL V2 00/17] Net patches Jason Wang
2023-09-18 8:31 ` [PULL V2 01/17] tap: Add USO support to tap device Jason Wang
2023-09-18 8:31 ` [PULL V2 02/17] tap: Add check for USO features Jason Wang
2023-09-18 8:31 ` [PULL V2 03/17] virtio-net: Add USO flags to vhost support Jason Wang
2023-09-18 8:31 ` [PULL V2 04/17] virtio-net: Add support for USO features Jason Wang
2023-09-18 8:31 ` [PULL V2 05/17] igb: remove TCP ACK detection Jason Wang
2023-09-18 8:31 ` [PULL V2 06/17] igb: rename E1000E_RingInfo_st Jason Wang
2023-09-18 8:31 ` [PULL V2 07/17] igb: RX descriptors guest writting refactoring Jason Wang
2023-09-18 8:31 ` [PULL V2 08/17] igb: RX payload " Jason Wang
2023-09-18 8:31 ` [PULL V2 09/17] igb: add IPv6 extended headers traffic detection Jason Wang
2023-09-18 8:31 ` [PULL V2 10/17] igb: packet-split descriptors support Jason Wang
2023-09-18 8:31 ` [PULL V2 11/17] e1000e: rename e1000e_ba_state and e1000e_write_hdr_to_rx_buffers Jason Wang
2023-09-18 8:31 ` [PULL V2 12/17] tests: bump libvirt-ci for libasan and libxdp Jason Wang
2023-09-18 8:31 ` [PULL V2 13/17] net: add initial support for AF_XDP network backend Jason Wang
2023-09-18 8:31 ` Jason Wang [this message]
2023-09-18 8:31 ` [PULL V2 15/17] hw/net/rocker: Avoid variable length array Jason Wang
2023-09-18 8:31 ` [PULL V2 16/17] net/dump: " Jason Wang
2023-09-18 8:31 ` [PULL V2 17/17] net/tap: Avoid variable-length array Jason Wang
2023-09-19 19:12 ` [PULL V2 00/17] Net patches Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230918083132.55423-15-jasowang@redhat.com \
--to=jasowang@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=philmd@linaro.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).