From: Peter Maydell <peter.maydell@linaro.org>
To: P J P <ppandit@redhat.com>
Cc: Qemu Developers <qemu-devel@nongnu.org>,
Azure Yang <azureyang@tencent.com>,
Jason Wang <jasowang@redhat.com>, qemu-arm <qemu-arm@nongnu.org>,
Prasad J Pandit <pjp@fedoraproject.org>
Subject: Re: [Qemu-devel] [Qemu-arm] [PATCH] net: smc91c111: check packet number and data register index
Date: Tue, 25 Oct 2016 14:35:13 +0100 [thread overview]
Message-ID: <CAFEAcA-UT0Xj9YyyHzbO=69HDwVkOYeqPo7K9S+Ja0U7E4KZFg@mail.gmail.com> (raw)
In-Reply-To: <1477398120-9000-1-git-send-email-ppandit@redhat.com>
On 25 October 2016 at 13:22, P J P <ppandit@redhat.com> wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> SMSC91C111 Ethernet interface emulator has registers to store
> 'packet number' and a 'pointer' to Tx/Rx FIFO buffer area.
> These two are used to derive an address to access into 'data'
> registers. If they are not set correctly, they could lead to
> OOB r/w access beyond packet 'data' area. Add check to avoid it.
>
> Reported-by: Azure Yang <azureyang@tencent.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> hw/net/smc91c111.c | 14 +++++++++++---
> 1 file changed, 11 insertions(+), 3 deletions(-)
>
> diff --git a/hw/net/smc91c111.c b/hw/net/smc91c111.c
> index 3b16dcf..2425da1 100644
> --- a/hw/net/smc91c111.c
> +++ b/hw/net/smc91c111.c
> @@ -418,7 +418,7 @@ static void smc91c111_writeb(void *opaque, hwaddr offset,
> /* Ignore. */
> return;
> case 2: /* Packet Number Register */
> - s->packet_num = value;
> + s->packet_num = value & (NUM_PACKETS - 1);
This is inconsistent with how we handle out of range
packet numbers read from the rx_fifo[] in the read/write code
below. Here we are effectively masking to squash the value
into range, but below we will ignore a write or read as 0x80
if there is an out of value packet number. Unfortunately the
data sheet doesn't say how bad packet numbers are handled,
but we should probably try for consistency.
The data sheet says that there are 6 valid bits in the
packet number register, not 3, which suggests masking to
NUM_PACKETS-1 here isn't the right thing.
Q: what about attempts to use packet numbers that have not
been allocated by the 91c111's MMU ?
> return;
> case 3: case 4: case 5:
> /* Should be readonly, but linux writes to them anyway. Ignore. */
> @@ -444,7 +444,10 @@ static void smc91c111_writeb(void *opaque, hwaddr offset,
> } else {
> p += (offset & 3);
> }
> - s->data[n][p] = value;
> + if (n < NUM_PACKETS
> + && p < sizeof(s->data[n]) / sizeof(s->data[n][0])) {
> + s->data[n][p] = value;
> + }
> }
> return;
> case 12: /* Interrupt ACK. */
> @@ -590,7 +593,12 @@ static uint32_t smc91c111_readb(void *opaque, hwaddr offset)
> } else {
> p += (offset & 3);
> }
> - return s->data[n][p];
> +
> + if (n < NUM_PACKETS
> + && p < sizeof(s->data[n]) / sizeof(s->data[n][0])) {
This looks like it's reinventing ARRAY_SIZE(s->data[n]).
In any case, rather than doing this check on p I would
suggest that we should do:
p = s->ptr;
if (s->ptr & 0x4000) {
s->ptr = (s->ptr & 0xf800) | ((s->ptr + 1) & 0x7ff);
} else {
p += (offset & 3);
}
p &= 0x7ff;
(ie move the mask operation down a bit), which will ensure p is
always within bounds. Ditto in read code. Perhaps it would be
better to factor out the "find the address in the data buffer"
code since it's fairly long and duplicated between read and write
paths.
> + return s->data[n][p];
> + }
> + return 0x80;
Why 0x80 ?
> }
> case 12: /* Interrupt status. */
> return s->int_level;
There's also an access to s->data[] in smc91c111_do_tx() which needs
some kind of guard.
smc91c111_release_packet() also assumes the packet number it
is passed is sane.
Do we need to guard against bad packet numbers in incoming
VMState data? The answer is no if we're using the "always
check packet_num at point of use" approach, but yes if you're
trying to ensure s->packet_num is always a valid value.
Do we need to sanitize s->allocated in incoming vmstate data?
thanks
-- PMM
next prev parent reply other threads:[~2016-10-25 13:35 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-10-25 12:22 [Qemu-devel] [PATCH] net: smc91c111: check packet number and data register index P J P
2016-10-25 13:35 ` Peter Maydell [this message]
2016-10-26 12:33 ` [Qemu-devel] [Qemu-arm] " P J P
2016-10-26 13:34 ` Peter Maydell
2016-10-26 20:05 ` P J P
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAFEAcA-UT0Xj9YyyHzbO=69HDwVkOYeqPo7K9S+Ja0U7E4KZFg@mail.gmail.com' \
--to=peter.maydell@linaro.org \
--cc=azureyang@tencent.com \
--cc=jasowang@redhat.com \
--cc=pjp@fedoraproject.org \
--cc=ppandit@redhat.com \
--cc=qemu-arm@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.