From: "Philippe Mathieu-Daudé" <philmd@linaro.org>
To: Peter Maydell <peter.maydell@linaro.org>,
qemu-arm@nongnu.org, qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Jason Wang <jasowang@redhat.com>
Subject: Re: [PATCH 2/3] hw/net/smc91c111: Sanitize packet length on tx
Date: Sun, 9 Mar 2025 20:01:04 +0100 [thread overview]
Message-ID: <f4262519-017d-4ed7-8c17-5d4d72a219a6@linaro.org> (raw)
In-Reply-To: <20250228174802.1945417-3-peter.maydell@linaro.org>
Hi Peter,
On 28/2/25 18:48, Peter Maydell wrote:
> When the smc91c111 transmits a packet, it must read a control byte
> which is at the end of the data area and CRC. However, we don't
> sanitize the length field in the packet buffer, so if the guest sets
> the length field to something large we will try to read past the end
> of the packet data buffer when we access the control byte.
>
> As usual, the datasheet says nothing about the behaviour of the
> hardware if the guest misprograms it in this way. It says only that
> the maximum valid length is 2048 bytes. We choose to log the guest
> error and silently drop the packet.
>
> This requires us to factor out the "mark the tx packet as complete"
> logic, so we can call it for this "drop packet" case as well as at
> the end of the loop when we send a valid packet.
>
> Cc: qemu-stable@nongnu.org
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2742
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
> hw/net/smc91c111.c | 34 +++++++++++++++++++++++++++++-----
> 1 file changed, 29 insertions(+), 5 deletions(-)
>
> diff --git a/hw/net/smc91c111.c b/hw/net/smc91c111.c
> index 2295c6acf25..23ca99f926a 100644
> --- a/hw/net/smc91c111.c
> +++ b/hw/net/smc91c111.c
> @@ -22,6 +22,13 @@
>
> /* Number of 2k memory pages available. */
> #define NUM_PACKETS 4
> +/*
> + * Maximum size of a data frame, including the leading status word
> + * and byte count fields and the trailing CRC, last data byte
> + * and control byte (per figure 8-1 in the Microchip Technology
If control byte is included, ...
> + * LAN91C111 datasheet).
> + */
> +#define MAX_PACKET_SIZE 2048
>
> #define TYPE_SMC91C111 "smc91c111"
> OBJECT_DECLARE_SIMPLE_TYPE(smc91c111_state, SMC91C111)
> @@ -240,6 +247,16 @@ static void smc91c111_release_packet(smc91c111_state *s, int packet)
> smc91c111_flush_queued_packets(s);
> }
>
> +static void smc91c111_complete_tx_packet(smc91c111_state *s, int packetnum)
> +{
> + if (s->ctr & CTR_AUTO_RELEASE) {
> + /* Race? */
> + smc91c111_release_packet(s, packetnum);
> + } else if (s->tx_fifo_done_len < NUM_PACKETS) {
> + s->tx_fifo_done[s->tx_fifo_done_len++] = packetnum;
> + }
> +}
> +
> /* Flush the TX FIFO. */
> static void smc91c111_do_tx(smc91c111_state *s)
> {
> @@ -263,6 +280,17 @@ static void smc91c111_do_tx(smc91c111_state *s)
> *(p++) = 0x40;
> len = *(p++);
> len |= ((int)*(p++)) << 8;
> + if (len >= MAX_PACKET_SIZE) {
isn't MAX_PACKET_SIZE valid? I'm not sure at all but I'd expect:
if (len > MAX_PACKET_SIZE) {
> + /*
> + * Datasheet doesn't say what to do here, and there is no
> + * relevant tx error condition listed. Log, and drop the packet.
> + */
> + qemu_log_mask(LOG_GUEST_ERROR,
> + "smc91c111: tx packet with bad length %d, dropping\n",
> + len);
> + smc91c111_complete_tx_packet(s, packetnum);
> + continue;
> + }
> len -= 6;
> control = p[len + 1];
> if (control & 0x20)
> @@ -291,11 +319,7 @@ static void smc91c111_do_tx(smc91c111_state *s)
> }
> }
> #endif
> - if (s->ctr & CTR_AUTO_RELEASE)
> - /* Race? */
> - smc91c111_release_packet(s, packetnum);
> - else if (s->tx_fifo_done_len < NUM_PACKETS)
> - s->tx_fifo_done[s->tx_fifo_done_len++] = packetnum;
> + smc91c111_complete_tx_packet(s, packetnum);
> qemu_send_packet(qemu_get_queue(s->nic), p, len);
> }
> s->tx_fifo_len = 0;
next prev parent reply other threads:[~2025-03-09 19:01 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-28 17:47 [PATCH 0/3] hw/net/smc91c111: Fix potential array overflows Peter Maydell
2025-02-28 17:47 ` [PATCH 1/3] hw/net/smc91c111: Sanitize packet numbers Peter Maydell
2025-03-09 18:52 ` Philippe Mathieu-Daudé
2025-02-28 17:48 ` [PATCH 2/3] hw/net/smc91c111: Sanitize packet length on tx Peter Maydell
2025-03-09 19:01 ` Philippe Mathieu-Daudé [this message]
2025-03-10 11:06 ` Peter Maydell
2025-03-11 8:20 ` Philippe Mathieu-Daudé
2025-02-28 17:48 ` [PATCH 3/3] hw/net/smc91c111: Use MAX_PACKET_SIZE instead of magic numbers Peter Maydell
2025-03-09 19:01 ` Philippe Mathieu-Daudé
2025-02-28 19:22 ` [PATCH 0/3] hw/net/smc91c111: Fix potential array overflows Peter Maydell
2025-03-07 10:40 ` Peter Maydell
2025-03-11 8:59 ` Philippe Mathieu-Daudé
2025-03-11 9:08 ` Jason Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f4262519-017d-4ed7-8c17-5d4d72a219a6@linaro.org \
--to=philmd@linaro.org \
--cc=jasowang@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-arm@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).