From: P J P <ppandit@redhat.com>
To: Stefan Weil <sw@weilnetz.de>
Cc: Jason Wang <jasowang@redhat.com>,
	Ruhr-University Bochum <bugs-syssec@rub.de>,
	QEMU Developers <qemu-devel@nongnu.org>,
	Prasad J Pandit <pjp@fedoraproject.org>
Subject: [PATCH] net: eepro100: validate various address values
Date: Thu, 18 Feb 2021 19:36:29 +0530
Message-ID: <20210218140629.373646-1-ppandit@redhat.com>

From: Prasad J Pandit <pjp@fedoraproject.org>

While processing controller commands, the eepro100 emulator gets the
command unit (CU) base address, the receive unit (RU) base address
or the command block (CB) address from the guest. If these values are
not checked, it may lead to infinite-loop kind of issues. Add checks
to avoid it.

Reported-by: Ruhr-University Bochum <bugs-syssec@rub.de>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
 hw/net/eepro100.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
index 16e95ef9cc..afa1c9b2aa 100644
--- a/hw/net/eepro100.c
+++ b/hw/net/eepro100.c
@@ -843,7 +843,8 @@ static void action_command(EEPRO100State *s)
         bool bit_i;
         bool bit_nc;
         uint16_t ok_status = STATUS_OK;
-        s->cb_address = s->cu_base + s->cu_offset;
+        s->cb_address = s->cu_base + s->cu_offset;  /* uint32_t overflow */
+        assert (s->cb_address >= s->cu_base);
         read_cb(s);
         bit_el = ((s->tx.command & COMMAND_EL) != 0);
         bit_s = ((s->tx.command & COMMAND_S) != 0);
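Review bot: the new `assert (s->cb_address >= s->cu_base);` turns a guest-controlled value into a QEMU abort: both `cu_base` (loaded from SCBPointer in the CU_CMD_BASE hunk) and `cu_offset` (taken from `tx.link` in the next hunk) are written by the guest, so a guest that makes the 32-bit addition wrap kills the whole VM process instead of receiving a device error. Detect the wrap and stop the command unit (set an error status and return from action_command) rather than asserting; asserts belong to invariants the guest cannot violate. Minor style point: `assert (` has a space before the parenthesis while the other new asserts in this patch use `assert(`.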
@@ -860,6 +861,7 @@ static void action_command(EEPRO100State *s)
         }
 
         s->cu_offset = s->tx.link;
+        assert(s->cu_offset > 0);
         TRACE(OTHER,
               logout("val=(cu start), status=0x%04x, command=0x%04x, link=0x%08x\n",
                      s->tx.status, s->tx.command, s->tx.link));
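Review bot: `assert(s->cu_offset > 0);` aborts QEMU for any guest that writes 0 into `tx.link`, and it is evaluated regardless of `bit_el`, so even the last block of a properly terminated list can trip it. A guest-reachable condition should be handled as a device error, not an assert. It also does not by itself bound the loop the commit message is worried about: any non-zero link value passes the check, so if the goal is to stop an endless command list, an explicit iteration limit or a stop on the EL bit is needed in addition to (or instead of) this check.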
@@ -990,8 +992,10 @@ static void eepro100_cu_command(EEPRO100State * s, uint8_t val)
         break;
     case CU_CMD_BASE:
         /* Load CU base. */
+        assert(get_cu_state(s) == cu_idle);
         TRACE(OTHER, logout("val=0x%02x (CU base address)\n", val));
         s->cu_base = e100_read_reg4(s, SCBPointer);
+        assert(!s->cu_base);
         break;
     case CU_DUMPSTATS:
         /* Dump and reset statistical counters. */
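Review bot: `assert(!s->cu_base);` placed right after `s->cu_base = e100_read_reg4(s, SCBPointer);` aborts on every non-zero CU base, which forbids the value the command exists to load rather than validating it; if only a zero base is supported by this model, log the unsupported value with logout() and ignore it instead of crashing QEMU. Likewise `assert(get_cu_state(s) == cu_idle);` fires when a guest issues CU_CMD_BASE while the CU is active, which is a guest driver bug, not a QEMU invariant, and should be reported and ignored the way the `default:` case handles undefined commands. The commit message should also state which base values are considered valid, since "validate" here means "must be zero".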
@@ -1048,8 +1052,10 @@ static void eepro100_ru_command(EEPRO100State * s, uint8_t val)
         break;
     case RX_ADDR_LOAD:
         /* Load RU base. */
+        assert(get_ru_state(s) == ru_idle);
         TRACE(OTHER, logout("val=0x%02x (RU base address)\n", val));
         s->ru_base = e100_read_reg4(s, SCBPointer);
+        assert(!s->ru_base);
         break;
     default:
         logout("val=0x%02x (undefined RU command)\n", val);
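Review bot: same concern as the CU base hunk: `assert(!s->ru_base);` and `assert(get_ru_state(s) == ru_idle);` abort QEMU on guest-controlled state (a non-zero RU base, or RX_ADDR_LOAD issued while the RU is not idle). Handle both like the `default:` branch directly below, with a logout() and no state change, so a misbehaving guest cannot take down the host process; if a non-zero RU base is genuinely unsupported, say so in the commit message.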
-- 
2.29.2