From: Peter Maydell <peter.maydell@linaro.org>
To: qemu-arm@nongnu.org, qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Jason Wang <jasowang@redhat.com>
Subject: Re: [PATCH 0/3] hw/net/smc91c111: Fix potential array overflows
Date: Fri, 7 Mar 2025 10:40:58 +0000 [thread overview]
Message-ID: <CAFEAcA8+oA6jJPrN_o3VDbSETyZugsFrRZH7uUSP9i6KdQE3vQ@mail.gmail.com> (raw)
In-Reply-To: <CAFEAcA9RPnZdf5zqFwu255-LdJ5inFbjtCA8SJ4o89aiUuabpA@mail.gmail.com>
Ping for review of this series (and the other smc91c111
patch I link below), please?
thanks
-- PMM
On Fri, 28 Feb 2025 at 19:22, Peter Maydell <peter.maydell@linaro.org> wrote:
>
> On Fri, 28 Feb 2025 at 17:48, Peter Maydell <peter.maydell@linaro.org> wrote:
> >
> > This patchset fixes some potential array overflows in the
> > smc91c111 ethernet device model, including the one found in
> > https://gitlab.com/qemu-project/qemu/-/issues/2742
> >
> > There are two classes of bugs:
> > * we accept packet numbers from the guest, but we were not
> > validating that they were in range before using them as an
> > index into the data[][] array
> > * we didn't sanitize the length field read from the data
> > frame on tx before using it as an index to find the
> > control byte at the end of the frame, so we could read off
> > the end of the buffer
> >
> > This patchset fixes both of these. The datasheet is sadly
> > silent on the h/w behaviour for these errors, so I opted to
> > LOG_GUEST_ERROR and silently ignore the invalid operations.
> >
> > Patch 3 tidies up the existing code to use a constant defined
> > in patch 2; I put it last so we can cc the first two patches
> > to stable without having to also backport that patch.
>
> See also the other smc91c111 fuzzer fix patch:
> https://patchew.org/QEMU/20250228191652.1957208-1-peter.maydell@linaro.org/
>
> (if I need to do a v2 of this series I'll put that one in too)
next prev parent reply other threads:[~2025-03-07 10:41 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-28 17:47 [PATCH 0/3] hw/net/smc91c111: Fix potential array overflows Peter Maydell
2025-02-28 17:47 ` [PATCH 1/3] hw/net/smc91c111: Sanitize packet numbers Peter Maydell
2025-03-09 18:52 ` Philippe Mathieu-Daudé
2025-02-28 17:48 ` [PATCH 2/3] hw/net/smc91c111: Sanitize packet length on tx Peter Maydell
2025-03-09 19:01 ` Philippe Mathieu-Daudé
2025-03-10 11:06 ` Peter Maydell
2025-03-11 8:20 ` Philippe Mathieu-Daudé
2025-02-28 17:48 ` [PATCH 3/3] hw/net/smc91c111: Use MAX_PACKET_SIZE instead of magic numbers Peter Maydell
2025-03-09 19:01 ` Philippe Mathieu-Daudé
2025-02-28 19:22 ` [PATCH 0/3] hw/net/smc91c111: Fix potential array overflows Peter Maydell
2025-03-07 10:40 ` Peter Maydell [this message]
2025-03-11 8:59 ` Philippe Mathieu-Daudé
2025-03-11 9:08 ` Jason Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAFEAcA8+oA6jJPrN_o3VDbSETyZugsFrRZH7uUSP9i6KdQE3vQ@mail.gmail.com \
--to=peter.maydell@linaro.org \
--cc=jasowang@redhat.com \
--cc=qemu-arm@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).