From nobody Tue Feb 10 21:40:07 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1597832302; cv=none; d=zohomail.com; s=zohoarc; b=I/Osuc9TqEymkh/ZkfgB7RS7wAvFuxgaDg47e2h/QDLUxWskgpVGt7uuLsiyRCpA3dTXe3RDxezrfSBsNzh39fOWuyS/CooFrz+1zomo0s07IILIYGss3TNzH+/NnadRxQHKUGDfC+lpt8jW9wFLnasfEcaJRkn5cjYlvAXcOMI= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1597832302; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=QbWQGeIQ22rjLCm9CJNFmeFHHPcEOmyUpBfDTUL/RAg=; b=afZQkj6htW5sk99YfiAi9waAN7HNXL0q3QoabaZX/CPQbafB0Iv5z+XdU2LbTaB4ClcKOrE1Qik2pbQp1Q+sIpDNiFdTcAp5OVrtnF94gOhpFuNoF38SN2NyI3cecqG96e8FkLcLoWn29Q4+SY+8HeSJ3iYR0I3H5+P2UtjTD4o= ARC-Authentication-Results: i=1; mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 15978323025581016.4772995142177; Wed, 19 Aug 2020 03:18:22 -0700 (PDT) Received: from localhost ([::1]:35190 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1k8LAj-0001KV-0u for importer@patchew.org; Wed, 19 Aug 2020 06:18:21 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:56278) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1k8L2y-0001Tb-Lq; Wed, 19 Aug 2020 06:10:20 -0400 Received: from smtpout1.mo804.mail-out.ovh.net ([79.137.123.220]:54787) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1k8L2t-0006ZA-So; Wed, 19 Aug 2020 06:10:20 -0400 Received: from mxplan5.mail.ovh.net (unknown [10.109.156.35]) by mo804.mail-out.ovh.net (Postfix) with ESMTPS id 20B215892853; Wed, 19 Aug 2020 12:10:09 +0200 (CEST) Received: from kaod.org (37.59.142.101) by DAG4EX1.mxp5.local (172.16.2.31) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1979.3; Wed, 19 Aug 2020 12:10:08 +0200 Authentication-Results: garm.ovh; auth=pass (GARM-101G004de7e645e-35f4-4ee8-b522-7c0a577c96e5, 56ABA3BD09B5898CED80C8E013D4E39E9C6048D1) smtp.auth=clg@kaod.org From: =?UTF-8?q?C=C3=A9dric=20Le=20Goater?= To: Peter Maydell Subject: [PATCH v2 14/21] ftgmac100: Fix integer overflow in ftgmac100_do_tx() Date: Wed, 19 Aug 2020 12:09:49 +0200 Message-ID: <20200819100956.2216690-15-clg@kaod.org> X-Mailer: git-send-email 2.25.4 In-Reply-To: <20200819100956.2216690-1-clg@kaod.org> References: <20200819100956.2216690-1-clg@kaod.org> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Originating-IP: [37.59.142.101] X-ClientProxiedBy: DAG1EX1.mxp5.local (172.16.2.1) To DAG4EX1.mxp5.local (172.16.2.31) X-Ovh-Tracer-GUID: f73ff509-cf94-4ea7-aba5-56da50eb8178 X-Ovh-Tracer-Id: 18050427308102028079 X-VR-SPAMSTATE: OK X-VR-SPAMSCORE: -100 X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgeduiedruddtkedgvdduucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuqfggjfdpvefjgfevmfevgfenuceurghilhhouhhtmecuhedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujfgurhephffvufffkffojghfgggtgfhisehtkeertdertdejnecuhfhrohhmpeevrogurhhitgcunfgvucfiohgrthgvrhcuoegtlhhgsehkrghougdrohhrgheqnecuggftrfgrthhtvghrnhepheehfeegjeeitdfffeetjeduveejueefuefgtdefueelueetveeliefhhffgtdelnecukfhppedtrddtrddtrddtpdefjedrheelrddugedvrddutddunecuvehluhhsthgvrhfuihiivgepheenucfrrghrrghmpehmohguvgepshhmthhpqdhouhhtpdhhvghlohepmhigphhlrghnhedrmhgrihhlrdhovhhhrdhnvghtpdhinhgvtheptddrtddrtddrtddpmhgrihhlfhhrohhmpegtlhhgsehkrghougdrohhrghdprhgtphhtthhopegtlhhgsehkrghougdrohhrgh Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=79.137.123.220; envelope-from=clg@kaod.org; helo=smtpout1.mo804.mail-out.ovh.net X-detected-operating-system: by eggs.gnu.org: First seen = 2020/08/19 06:10:01 X-ACL-Warn: Detected OS = Linux 3.11 and newer X-Spam_score_int: -28 X-Spam_score: -2.9 X-Spam_bar: -- X-Spam_report: (-2.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Mauro Matteo Cascella , Frederic Konrad , Andrew Jeffery , qemu-devel@nongnu.org, qemu-arm@nongnu.org, =?UTF-8?q?C=C3=A9dric=20Le=20Goater?= , Ziming Zhang , Joel Stanley Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" When inserting the VLAN tag in packets, memmove() can generate an integer overflow for packets whose length is less than 12 bytes. Move the VLAN insertion when the last segment of the frame is reached and check length against the size of the ethernet header (14 bytes) to avoid the crash. Return FTGMAC100_INT_XPKT_LOST status if the frame is too small. This seems like a good modeling choice even if Aspeed does not specify anything in that case. Cc: Frederic Konrad Cc: Mauro Matteo Cascella Reported-by: Ziming Zhang Signed-off-by: C=C3=A9dric Le Goater --- hw/net/ftgmac100.c | 55 ++++++++++++++++++++++++++++++++-------------- 1 file changed, 39 insertions(+), 16 deletions(-) diff --git a/hw/net/ftgmac100.c b/hw/net/ftgmac100.c index 280aa3d3a1e2..7c9fa720df03 100644 --- a/hw/net/ftgmac100.c +++ b/hw/net/ftgmac100.c @@ -481,6 +481,37 @@ static int ftgmac100_write_bd(FTGMAC100Desc *bd, dma_a= ddr_t addr) return 0; } =20 +static int ftgmac100_insert_vlan(FTGMAC100State *s, int frame_size, + uint8_t vlan_tci) +{ + uint8_t *vlan_hdr =3D s->frame + (ETH_ALEN * 2); + uint8_t *payload =3D vlan_hdr + sizeof(struct vlan_header); + + if (frame_size < sizeof(struct eth_header)) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: frame too small for VLAN insertion : %d bytes\n= ", + __func__, frame_size); + s->isr |=3D FTGMAC100_INT_XPKT_LOST; + goto out; + } + + if (frame_size + sizeof(struct vlan_header) > sizeof(s->frame)) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: frame too big : %d bytes\n", + __func__, frame_size); + s->isr |=3D FTGMAC100_INT_XPKT_LOST; + frame_size -=3D sizeof(struct vlan_header); + } + + memmove(payload, vlan_hdr, frame_size - (ETH_ALEN * 2)); + stw_be_p(vlan_hdr, ETH_P_VLAN); + stw_be_p(vlan_hdr + 2, vlan_tci); + frame_size +=3D sizeof(struct vlan_header); + +out: + return frame_size; +} + static void ftgmac100_do_tx(FTGMAC100State *s, uint32_t tx_ring, uint32_t tx_descriptor) { @@ -530,25 +561,17 @@ static void ftgmac100_do_tx(FTGMAC100State *s, uint32= _t tx_ring, break; } =20 - /* Check for VLAN */ - if (bd.des0 & FTGMAC100_TXDES0_FTS && - bd.des1 & FTGMAC100_TXDES1_INS_VLANTAG && - be16_to_cpu(PKT_GET_ETH_HDR(ptr)->h_proto) !=3D ETH_P_VLAN) { - if (frame_size + len + 4 > sizeof(s->frame)) { - qemu_log_mask(LOG_GUEST_ERROR, "%s: frame too big : %d byt= es\n", - __func__, len); - s->isr |=3D FTGMAC100_INT_XPKT_LOST; - len =3D sizeof(s->frame) - frame_size - 4; - } - memmove(ptr + 16, ptr + 12, len - 12); - stw_be_p(ptr + 12, ETH_P_VLAN); - stw_be_p(ptr + 14, bd.des1); - len +=3D 4; - } - ptr +=3D len; frame_size +=3D len; if (bd.des0 & FTGMAC100_TXDES0_LTS) { + + /* Check for VLAN */ + if (flags & FTGMAC100_TXDES1_INS_VLANTAG && + be16_to_cpu(PKT_GET_ETH_HDR(s->frame)->h_proto) !=3D ETH_P= _VLAN) { + frame_size =3D ftgmac100_insert_vlan(s, frame_size, + FTGMAC100_TXDES1_VLANTAG_CI(fl= ags)); + } + if (flags & FTGMAC100_TXDES1_IP_CHKSUM) { net_checksum_calculate(s->frame, frame_size); } --=20 2.25.4