From: "Philippe Mathieu-Daudé" <philmd@linaro.org>
To: qemu-devel@nongnu.org
Cc: "Peter Maydell" <peter.maydell@linaro.org>,
qemu-stable@nongnu.org,
"Philippe Mathieu-Daudé" <philmd@linaro.org>
Subject: [PULL 06/14] hw/net/smc91c111: Don't allow data register access to overrun buffer
Date: Tue, 11 Mar 2025 20:51:15 +0100 [thread overview]
Message-ID: <20250311195123.94212-7-philmd@linaro.org> (raw)
In-Reply-To: <20250311195123.94212-1-philmd@linaro.org>
From: Peter Maydell <peter.maydell@linaro.org>
For accesses to the 91c111 data register, the address within the
packet's data frame is determined by a combination of the pointer
register and the offset used to access the data register, so that you
can access data at effectively wider than byte width. The pointer
register's pointer field is 11 bits wide, which is exactly the size
to index a 2048-byte data frame.
We weren't quite getting the logic right for ensuring that we end up
with a pointer value to use in the s->data[][] array that isn't out
of bounds:
* we correctly mask when getting the initial pointer value
* for the "autoincrement the pointer register" case, we
correctly mask after adding 1 so that the pointer register
wraps back around at the 2048 byte mark
* but for the non-autoincrement case where we have to add the
low 2 bits of the data register offset, we don't account
for the possibility that the pointer register is 0x7ff
and the addition should wrap
Fix this bug by factoring out the "get the p value to use as an array
index" into a function, making it use FIELD macro names rather than
hard-coded constants, and having a utility function that does "add a
value and wrap it" that we can use both for the "autoincrement" and
"add the offset bits" codepaths.
Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2758
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20250228191652.1957208-1-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
hw/net/smc91c111.c | 65 +++++++++++++++++++++++++++++++++++++---------
1 file changed, 53 insertions(+), 12 deletions(-)
diff --git a/hw/net/smc91c111.c b/hw/net/smc91c111.c
index b05970d5e1c..9ce42b56155 100644
--- a/hw/net/smc91c111.c
+++ b/hw/net/smc91c111.c
@@ -13,6 +13,7 @@
#include "net/net.h"
#include "hw/irq.h"
#include "hw/net/smc91c111.h"
+#include "hw/registerfields.h"
#include "hw/qdev-properties.h"
#include "qapi/error.h"
#include "qemu/log.h"
@@ -126,6 +127,13 @@ static const VMStateDescription vmstate_smc91c111 = {
#define RS_TOOSHORT 0x0400
#define RS_MULTICAST 0x0001
+FIELD(PTR, PTR, 0, 11)
+FIELD(PTR, NOT_EMPTY, 11, 1)
+FIELD(PTR, RESERVED, 12, 1)
+FIELD(PTR, READ, 13, 1)
+FIELD(PTR, AUTOINCR, 14, 1)
+FIELD(PTR, RCV, 15, 1)
+
static inline bool packetnum_valid(int packet_num)
{
return packet_num >= 0 && packet_num < NUM_PACKETS;
@@ -372,6 +380,49 @@ static void smc91c111_reset(DeviceState *dev)
#define SET_LOW(name, val) s->name = (s->name & 0xff00) | val
#define SET_HIGH(name, val) s->name = (s->name & 0xff) | (val << 8)
+/*
+ * The pointer register's pointer is an 11 bit value (so it exactly
+ * indexes a 2048-byte data frame). Add the specified offset to it,
+ * wrapping around at the 2048 byte mark, and return the resulting
+ * wrapped value. There are flag bits in the top part of the register,
+ * but we can ignore them here as the mask will mask them out.
+ */
+static int ptr_reg_add(smc91c111_state *s, int offset)
+{
+ return (s->ptr + offset) & R_PTR_PTR_MASK;
+}
+
+/*
+ * For an access to the Data Register at @offset, return the
+ * required offset into the packet's data frame. This will
+ * perform the pointer register autoincrement if required, and
+ * guarantees to return an in-bounds offset.
+ */
+static int data_reg_ptr(smc91c111_state *s, int offset)
+{
+ int p;
+
+ if (s->ptr & R_PTR_AUTOINCR_MASK) {
+ /*
+ * Autoincrement: use the current pointer value, and
+ * increment the pointer register's pointer field.
+ */
+ p = FIELD_EX32(s->ptr, PTR, PTR);
+ s->ptr = FIELD_DP32(s->ptr, PTR, PTR, ptr_reg_add(s, 1));
+ } else {
+ /*
+ * No autoincrement: register offset determines which
+ * byte we're addressing. Setting the pointer to the top
+ * of the data buffer and then using the pointer wrapping
+ * to read the bottom byte of the buffer is not something
+ * sensible guest software will do, but the datasheet
+ * doesn't say what the behaviour is, so we don't forbid it.
+ */
+ p = ptr_reg_add(s, offset & 3);
+ }
+ return p;
+}
+
static void smc91c111_writeb(void *opaque, hwaddr offset,
uint32_t value)
{
@@ -518,12 +569,7 @@ static void smc91c111_writeb(void *opaque, hwaddr offset,
n);
return;
}
- p = s->ptr & 0x07ff;
- if (s->ptr & 0x4000) {
- s->ptr = (s->ptr & 0xf800) | ((s->ptr + 1) & 0x7ff);
- } else {
- p += (offset & 3);
- }
+ p = data_reg_ptr(s, offset);
s->data[n][p] = value;
}
return;
@@ -673,12 +719,7 @@ static uint32_t smc91c111_readb(void *opaque, hwaddr offset)
n);
return 0;
}
- p = s->ptr & 0x07ff;
- if (s->ptr & 0x4000) {
- s->ptr = (s->ptr & 0xf800) | ((s->ptr + 1) & 0x07ff);
- } else {
- p += (offset & 3);
- }
+ p = data_reg_ptr(s, offset);
return s->data[n][p];
}
case 12: /* Interrupt status. */
--
2.47.1
next prev parent reply other threads:[~2025-03-11 19:53 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-11 19:51 [PULL 00/14] Misc HW patches for 2025-03-11 Philippe Mathieu-Daudé
2025-03-11 19:51 ` [PULL 01/14] hw/sd/sdhci: Set reset value of interrupt registers Philippe Mathieu-Daudé
2025-03-11 19:51 ` [PULL 02/14] hw/rtc: Add Ricoh RS5C372 RTC emulation Philippe Mathieu-Daudé
2025-03-11 19:51 ` [PULL 03/14] hw/net/smc91c111: Sanitize packet numbers Philippe Mathieu-Daudé
2025-03-11 19:51 ` [PULL 04/14] hw/net/smc91c111: Sanitize packet length on tx Philippe Mathieu-Daudé
2025-03-11 19:51 ` [PULL 05/14] hw/net/smc91c111: Use MAX_PACKET_SIZE instead of magic numbers Philippe Mathieu-Daudé
2025-03-11 19:51 ` Philippe Mathieu-Daudé [this message]
2025-03-11 19:51 ` [PULL 07/14] hw/xen/hvm: Fix Aarch64 typo Philippe Mathieu-Daudé
2025-03-11 19:51 ` [PULL 08/14] system: Extract target-specific globals to their own compilation unit Philippe Mathieu-Daudé
2025-03-11 19:51 ` [PULL 09/14] system: Replace arch_type global by qemu_arch_available() helper Philippe Mathieu-Daudé
2025-03-11 19:51 ` [PULL 10/14] hw/acpi: Introduce acpi_builtin() helper Philippe Mathieu-Daudé
2025-03-11 19:51 ` [PULL 11/14] hw/i386/fw_cfg: Check ACPI availability with acpi_builtin() Philippe Mathieu-Daudé
2025-03-11 19:51 ` [PULL 12/14] hw/virtio/virtio-mem: Remove CONFIG_DEVICES include Philippe Mathieu-Daudé
2025-03-11 19:51 ` [PULL 13/14] hw/hyperv/hyperv-proto: Move SYNDBG definitions from target/i386 Philippe Mathieu-Daudé
2025-03-11 19:51 ` [PULL 14/14] hw/sd/sdhci: Remove need for SDHCI_VENDOR_FSL definition Philippe Mathieu-Daudé
2025-03-11 21:00 ` BALATON Zoltan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250311195123.94212-7-philmd@linaro.org \
--to=philmd@linaro.org \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).