From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Alistair Francis, "Edgar E. Iglesias", Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.0.9 37/44] hw/net/xilinx_ethlite: Check for oversized TX packets
Date: Wed, 11 Mar 2026 18:02:09 +0300
Message-ID: <20260311150221.1084186-37-mjt@tls.msk.ru>

From: Peter Maydell

The xilinx_ethlite network device wasn't checking that the TX packet
size set by the guest was within the size of its dual port RAM, with
the effect that the guest could get it to read off the end of the RAM
block.

Check the length. There is no provision in this very simple device
for reporting errors, so as with various RX errors we just report via
tracepoint.

This lack of length check has been present since the device was first
introduced, though the code implementing the tx path has changed
somewhat since then.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3317
Fixes: b43848a1005ce ("xilinx: Add ethlite emulation")
Signed-off-by: Peter Maydell
Reviewed-by: Alistair Francis
Reviewed-by: Edgar E. Iglesias
Message-ID: <20260303172718.437015-1-peter.maydell@linaro.org>
[PMD: renamed size -> tx_size to avoid shadow=compatible-local error]
Signed-off-by: Philippe Mathieu-Daudé
(cherry picked from commit 6595a8d5d17ea1716ddafb34455ec2b29381e232)
Signed-off-by: Michael Tokarev

diff --git a/hw/net/trace-events b/hw/net/trace-events index 72b69c4a8b..698290fe79 100644 --- a/hw/net/trace-events +++ b/hw/net/trace-events @@ -517,3 +517,4 @@ xen_netdev_rx(int dev, int idx, int status, int flags) = "vif%u idx %d status %d f # xilinx_ethlite.c ethlite_pkt_lost(uint32_t rx_ctrl) "rx_ctrl:0x%" PRIx32 ethlite_pkt_size_too_big(uint64_t size) "size:0x%" PRIx64 +ethlite_pkt_tx_size_too_big(uint64_t size) "size:0x%" PRIx64 diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c index 15d9b95aa8..b5a18f6ef7 100644 --- a/hw/net/xilinx_ethlite.c +++ b/hw/net/xilinx_ethlite.c 
@@ -162,9 +162,15 @@ static void port_tx_write(void *opaque, hwaddr addr, u= int64_t value, break; case TX_CTRL: if ((value & (CTRL_P | CTRL_S)) =3D=3D CTRL_S) { - qemu_send_packet(qemu_get_queue(s->nic), - txbuf_ptr(s, port_index), - s->port[port_index].reg.tx_len); + uint32_t tx_size =3D s->port[port_index].reg.tx_len; + + if (tx_size >=3D BUFSZ_MAX) { + trace_ethlite_pkt_tx_size_too_big(tx_size); + } else { + qemu_send_packet(qemu_get_queue(s->nic), + txbuf_ptr(s, port_index), + tx_size); + } if (s->port[port_index].reg.tx_ctrl & CTRL_I) { eth_pulse_irq(s); } --=20 2.47.3
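
Review bot: In the hw/net/trace-events hunk, the new ethlite_pkt_tx_size_too_big event is declared with a uint64_t argument and PRIx64, while the call added in xilinx_ethlite.c passes the uint32_t tx_size. The widening is harmless and mirrors the existing ethlite_pkt_size_too_big line, but declaring the argument as uint32_t with PRIx32, as ethlite_pkt_lost does for rx_ctrl, would match the register width and keep the trace output from suggesting a 64-bit length.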
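
Review bot: In the TX_CTRL case of port_tx_write(), the new bound is "tx_size >= BUFSZ_MAX", so a length exactly equal to BUFSZ_MAX is dropped too, and the visible lines do not show how many bytes are readable from txbuf_ptr(s, port_index). A one-line comment stating why the limit is exclusive would let a reader confirm the check is not off by one in either direction. The oversized path also still falls through to the CTRL_I test and eth_pulse_irq(s), so the guest sees an interrupt for a frame that was never sent; if that is intended, given the commit message's point that the device has no error reporting, a short comment next to trace_ethlite_pkt_tx_size_too_big(tx_size) should say so.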