From nobody Tue Apr 7 21:45:29 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1773241971; cv=none; d=zohomail.com; s=zohoarc; b=EQ10FJPeIXqQU9mrx0wUpZNyjQsWemWZqg54OqLfBAUxxNN8RXDTKBbq3iTKEYJskpsMPrCpiXBTmIYM1xUYrX58W+TX+wNQvDKswASqHUNSDjt9EQPIupJZ96EFcQcRbh4Qea8Y7wo6h4Hr8ugIjLG5mjtVG9w+tRyG05G6nwg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1773241971; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=A/ycMNBqI1ojSrn7ymkU9F9HGi2dK81QQ3XaM9GZwmw=; b=XOC4X+1OwrFP1f/dlOwyl7Gs0XqwVIA/oEijeX5CJYnPGYDSIReqkQ/BX/opkhhFNdHKBl4aefp+uhsVND5VpG9Oc059sEUZLucmdtpXnlyjmICX5OlJVRxpQCTq67P0rTv7qx3x0MMO1Fxi23wy5HM4enKWoQtH9zlmSzd+F/I= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1773241971643761.9910687111562; Wed, 11 Mar 2026 08:12:51 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1w0LAT-0005bQ-2j; Wed, 11 Mar 2026 11:08:13 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1w0L7B-00085h-BK; Wed, 11 Mar 2026 11:04:53 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1w0L77-0004JC-MV; Wed, 11 Mar 2026 11:04:48 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 79377191E5B; Wed, 11 Mar 2026 18:01:45 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 6665E37C2AD; Wed, 11 Mar 2026 18:02:23 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1773241305; bh=AUUDO7q3YbgWrK2s3KDfeGNU5tgRA6Ni7c41Dyf/AfE=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=iTdz+qnTh6UR//fx/a55i5siaFJ7U6KgnzejzV8nOGeCJr0LKXKC7nZYG0yRvnj1f vRgzHlg5EE0RwuUmYzEggX04nuxDTX1wBm74PshdMlEmqT5K4vzxqjq6NBKFwZqsjb 8T7+eKw5kx6+LOaRz5hNiEz0jKn4hjoF9xBff+u76TrQDVXcB1LQBDE88Srdvjjugj YDP+kyu35xyXs/5cJuZ8nbYWn3k07tXTssgeZx77jymv03gxUkLEFDPpfFA32g3d3w ZJCaCIY0d3dtQfNpn/CiUs13sv7+YATjQJYs9oG0Jif7vD8NNohHsUjS4w5vOY2lV0 KzeLpXV7q4QJg== From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Peter Maydell , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Michael Tokarev Subject: [Stable-10.0.9 29/44] hw/net/smc91c111: Don't allow negative-length packets Date: Wed, 11 Mar 2026 18:02:01 +0300 Message-ID: <20260311150221.1084186-29-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -2 X-Spam_score: -0.3 X-Spam_bar: / X-Spam_report: (-0.3 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.819, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.903, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1773241973358154100 From: Peter Maydell The smc91c111 data frame format in memory (figure 8-1 in the datasheet) includes a "byte count" field which is intended to be the total size of the data frame, including not just the packet data but also the leading and trailing information like the status word and the byte count field itself. It is therefore possible for the guest to set this to a value so small that the leading and trailing fields won't fit and the packet has effectively a negative area. We weren't checking for this, with the result that when we subtract 6 from the length to get the length of the packet proper we end up with a negative length, which is then inconsistently handled in the qemu_send_packet() code such that we can try to transmit a very large amount of data and read off the end of the device's data array. Treat excessively small length values the same way we do excessively large values. As with the oversized case, the datasheet does not describe what happens for this software error case, and there is no relevant tx error condition for this, so we just log and drop the packet. Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3304 Signed-off-by: Peter Maydell Reviewed-by: Philippe Mathieu-Daud=C3=A9 Message-id: 20260226175549.1319476-1-peter.maydell@linaro.org (cherry picked from commit d8e19f8042dcaff8e077292209c8196acb150bdd) Signed-off-by: Michael Tokarev diff --git a/hw/net/smc91c111.c b/hw/net/smc91c111.c index 9ce42b5615..751e9e6f97 100644 --- a/hw/net/smc91c111.c +++ b/hw/net/smc91c111.c @@ -30,6 +30,12 @@ * LAN91C111 datasheet). */ #define MAX_PACKET_SIZE 2048 +/* + * Size of the non-data fields in a data frame: status word, + * byte count, control byte, and last data byte; this defines + * the smallest value the byte count in the frame can validly be. + */ +#define MIN_PACKET_SIZE 6 =20 #define TYPE_SMC91C111 "smc91c111" OBJECT_DECLARE_SIMPLE_TYPE(smc91c111_state, SMC91C111) @@ -289,7 +295,7 @@ static void smc91c111_do_tx(smc91c111_state *s) *(p++) =3D 0x40; len =3D *(p++); len |=3D ((int)*(p++)) << 8; - if (len > MAX_PACKET_SIZE) { + if (len < MIN_PACKET_SIZE || len > MAX_PACKET_SIZE) { /* * Datasheet doesn't say what to do here, and there is no * relevant tx error condition listed. Log, and drop the packe= t. @@ -300,7 +306,13 @@ static void smc91c111_do_tx(smc91c111_state *s) smc91c111_complete_tx_packet(s, packetnum); continue; } - len -=3D 6; + /* + * Convert from size of the data frame to number of bytes of + * actual packet data. Whether the "last data byte" field is + * included in the packet depends on the ODD bit in the control + * byte at the end of the frame. + */ + len -=3D MIN_PACKET_SIZE; control =3D p[len + 1]; if (control & 0x20) len++; --=20 2.47.3