qemu-devel.nongnu.org archive mirror
* [Bug 1904954] [NEW] lan9118 bug peeking receive massage size not equal to received message size
From: alfred gedeon @ 2020-11-20  3:11 UTC (permalink / raw)
  To: qemu-devel

Public bug reported:

peeked message size is not equal to read message size

Bug in the code at line:
https://github.com/qemu/qemu/blob/master/hw/net/lan9118.c#L1209

s->tx_status_fifo_head should be s->rx_status_fifo_head

Thanks,

Alfred

** Affects: qemu
     Importance: Undecided
         Status: New


** Tags: ethernet lan lan9118 netwroking

** Description changed:

- peeked message is not equal to read message
- 
+ peeked message size is not equal to read message size
  
  Bug in the code at line:
  https://github.com/qemu/qemu/blob/master/hw/net/lan9118.c#L1209
  
  s->tx_status_fifo_head should be s->rx_status_fifo_head
  
  Thanks,
  
  Alfred

-- 
You received this bug notification because you are a member of
qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1904954

Title:
  lan9118 bug peeking receive massage size not equal to received message
  size

Status in QEMU:
  New

Bug description:
  peeked message size is not equal to read message size

  Bug in the code at line:
  https://github.com/qemu/qemu/blob/master/hw/net/lan9118.c#L1209

  s->tx_status_fifo_head should be s->rx_status_fifo_head

  Thanks,

  Alfred

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1904954/+subscriptions



* [Bug 1904954] Re: lan9118 bug peeking receive massage size not equal to received message size
From: alfred gedeon @ 2020-11-20  4:08 UTC (permalink / raw)
  To: qemu-devel

** Description changed:

  peeked message size is not equal to read message size
  
  Bug in the code at line:
  https://github.com/qemu/qemu/blob/master/hw/net/lan9118.c#L1209
  
  s->tx_status_fifo_head should be s->rx_status_fifo_head
  
+ Could also be a security bug, as the user could allocate a buffer of
+ size peeked data smaller than the actual packet received, which could
+ cause a buffer overflow and its attaks.
+ 
  Thanks,
  
  Alfred

** Description changed:

  peeked message size is not equal to read message size
  
  Bug in the code at line:
  https://github.com/qemu/qemu/blob/master/hw/net/lan9118.c#L1209
  
  s->tx_status_fifo_head should be s->rx_status_fifo_head
  
  Could also be a security bug, as the user could allocate a buffer of
  size peeked data smaller than the actual packet received, which could
- cause a buffer overflow and its attaks.
+ cause a buffer overflow.
  
  Thanks,
  
  Alfred


* [Bug 1904954] Re: lan9118 bug peeked received message size not equal to actual received message size
From: alfred gedeon @ 2020-12-23  6:15 UTC (permalink / raw)
  To: qemu-devel

** Summary changed:

- lan9118 bug peeking receive massage size not equal to received message size
+ lan9118 bug peeked received message size not equal to actual received message size


* [Bug 1904954] Re: lan9118 bug peeked received message size not equal to actual received message size
From: Peter Maydell @ 2021-01-08 17:27 UTC (permalink / raw)
  To: qemu-devel

Do you have a test case that will reproduce this bug?


* [Bug 1904954] Re: lan9118 bug peeked received message size not equal to actual received message size
From: Peter Maydell @ 2021-01-08 17:30 UTC (permalink / raw)
  To: qemu-devel

(The line of code you point out is pretty clearly wrong; it would just
be nice to have a test case to confirm that the obvious fix works.)


* [Bug 1904954] Re: lan9118 bug peeked received message size not equal to actual received message size
From: Peter Maydell @ 2021-01-08 18:08 UTC (permalink / raw)
  To: qemu-devel

This patchset should fix this bug:
https://patchew.org/QEMU/20210108180401.2263-1-peter.maydell@linaro.org/

PS: this isn't a security issue because the lan9118 is used only on
board models that can't run under KVM and so it is not on QEMU's
security boundary.


* [Bug 1904954] Re: lan9118 bug peeked received message size not equal to actual received message size
From: Peter Maydell @ 2021-01-08 19:06 UTC (permalink / raw)
  To: qemu-devel

** Changed in: qemu
       Status: New => In Progress


* [Bug 1904954] Re: lan9118 bug peeked received message size not equal to actual received message size
From: alfred gedeon @ 2021-01-08 23:54 UTC (permalink / raw)
  To: qemu-devel

We do have some code that is giving different results between the
peeked and the actual:

https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/blob/9a25860e761036a9eb780799c9db632e3eff60c9/portable/NetworkInterface/MPS2_AN385/NetworkInterface.c#L237

We also have a fix to circumvent the problem by just reading the actual
size and omitting the peeked bytes.

https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/pull/142

Changing the code I pointed to locally worked fine, but we can't expect all
our users to compile QEMU from scratch and apply a patch.

Alfred
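
A minimal C model of the mismatch reported in this thread, with a guest-side check that drops a frame when the popped status reports more bytes than the buffer sized from the peek. This is an added example, not code from QEMU or FreeRTOS-Plus-TCP; apart from the two head fields quoted in the report, the struct, the function names, the sample values and the bits 29:16 length field are assumptions of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FIFO_SLOTS 4

/* Simplified model, not QEMU's lan9118.c: one RX status array and the two
 * head indices named in the report. All other names are hypothetical. */
struct nic_model {
    uint32_t rx_status_fifo[FIFO_SLOTS];
    int rx_status_fifo_head;
    int tx_status_fifo_head;
    const uint8_t *rx_data;          /* payload of the frame at the RX head */
};

/* Assumption of this model: frame length sits in bits 29:16 of a status word. */
static size_t status_len(uint32_t status) { return (status >> 16) & 0x3fff; }

/* Peek as reported: the RX status array is indexed with the TX head. */
static uint32_t peek_reported(const struct nic_model *s) {
    return s->rx_status_fifo[s->tx_status_fifo_head];
}

/* Peek as the report says it should be: indexed with the RX head. */
static uint32_t peek_corrected(const struct nic_model *s) {
    return s->rx_status_fifo[s->rx_status_fifo_head];
}

/* Pop consumes the entry at the RX head, so it describes the real frame. */
static uint32_t pop_status(struct nic_model *s) {
    uint32_t st = s->rx_status_fifo[s->rx_status_fifo_head];
    s->rx_status_fifo_head = (s->rx_status_fifo_head + 1) % FIFO_SLOTS;
    return st;
}

/* Guest-side receive: the buffer is sized from the peeked length, the copy is
 * bounded by the popped (actual) length. Returns bytes copied, or -1 when the
 * actual frame would not fit the buffer sized from the peek. */
static int receive_checked(struct nic_model *s, int corrected,
                           uint8_t *pool, size_t pool_len) {
    size_t peeked = status_len(corrected ? peek_corrected(s) : peek_reported(s));
    size_t cap = peeked < pool_len ? peeked : pool_len;  /* "allocated" size */
    size_t actual = status_len(pop_status(s));
    if (actual > cap)
        return -1;                   /* drop the frame instead of overflowing */
    memcpy(pool, s->rx_data, actual);
    return (int)actual;
}

/* Constructed sample: a 64-byte entry in slot 0 (where the TX head points)
 * and the real 128-byte frame in slot 1 (where the RX head points). */
int demo_receive(int corrected) {
    static const uint8_t frame[128] = {0};
    uint8_t pool[256];
    struct nic_model m = { { 64u << 16, 128u << 16, 0, 0 }, 1, 0, frame };
    return receive_checked(&m, corrected, pool, sizeof pool);
}

int main(void) { return (demo_receive(0) == -1 && demo_receive(1) == 128) ? 0 : 1; }
```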


* [Bug 1904954] Re: lan9118 bug peeked received message size not equal to actual received message size
From: Peter Maydell @ 2021-01-15 16:13 UTC (permalink / raw)
  To: qemu-devel

Fix now in master: commit e7e29fdbbe07f.


** Changed in: qemu
       Status: In Progress => Fix Committed


* [Bug 1904954] Re: lan9118 bug peeked received message size not equal to actual received message size
From: Thomas Huth @ 2021-04-29 10:45 UTC (permalink / raw)
  To: qemu-devel

** Tags removed: netwroking
** Tags added: networking


* [Bug 1904954] Re: lan9118 bug peeked received message size not equal to actual received message size
From: Thomas Huth @ 2021-04-30  7:18 UTC (permalink / raw)
  To: qemu-devel

** Changed in: qemu
       Status: Fix Committed => Fix Released

