From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.2.2 34/53] hw/net/smc91c111: Don't allow negative-length packets
Date: Wed, 11 Mar 2026 22:34:27 +0300
Message-ID: <20260311193449.1096110-34-mjt@tls.msk.ru>
X-Mailer: git-send-email 2.47.3
From: Peter Maydell

The smc91c111 data frame format in memory (figure 8-1 in the datasheet) includes a "byte count" field which is intended to be the total size of the data frame, including not just the packet data but also the leading and trailing information like the status word and the byte count field itself. It is therefore possible for the guest to set this to a value so small that the leading and trailing fields won't fit and the packet has effectively a negative area.

We weren't checking for this, with the result that when we subtract 6 from the length to get the length of the packet proper we end up with a negative length, which is then inconsistently handled in the qemu_send_packet() code such that we can try to transmit a very large amount of data and read off the end of the device's data array.

Treat excessively small length values the same way we do excessively large values. As with the oversized case, the datasheet does not describe what happens for this software error case, and there is no relevant tx error condition for this, so we just log and drop the packet.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3304
Signed-off-by: Peter Maydell
Reviewed-by: Philippe Mathieu-Daudé
Message-id: 20260226175549.1319476-1-peter.maydell@linaro.org
(cherry picked from commit d8e19f8042dcaff8e077292209c8196acb150bdd)
Signed-off-by: Michael Tokarev

diff --git a/hw/net/smc91c111.c b/hw/net/smc91c111.c index 5cd78e334b..f2c2e22dd0 100644 --- a/hw/net/smc91c111.c +++ b/hw/net/smc91c111.c @@ -30,6 +30,12 @@ * LAN91C111 datasheet). */ #define MAX_PACKET_SIZE 2048 +/* + * Size of the non-data fields in a data frame: status word, + * byte count, control byte, and last data byte; this defines + * the smallest value the byte count in the frame can validly be. + */ +#define MIN_PACKET_SIZE 6 =20 #define TYPE_SMC91C111 "smc91c111" OBJECT_DECLARE_SIMPLE_TYPE(smc91c111_state, SMC91C111) 
@@ -289,7 +295,7 @@ static void smc91c111_do_tx(smc91c111_state *s) *(p++) =3D 0x40; len =3D *(p++); len |=3D ((int)*(p++)) << 8; - if (len > MAX_PACKET_SIZE) { + if (len < MIN_PACKET_SIZE || len > MAX_PACKET_SIZE) { /* * Datasheet doesn't say what to do here, and there is no * relevant tx error condition listed. Log, and drop the packe= t. @@ -300,7 +306,13 @@ static void smc91c111_do_tx(smc91c111_state *s) smc91c111_complete_tx_packet(s, packetnum); continue; } - len -=3D 6; + /* + * Convert from size of the data frame to number of bytes of + * actual packet data. Whether the "last data byte" field is + * included in the packet depends on the ODD bit in the control + * byte at the end of the frame. + */ + len -=3D MIN_PACKET_SIZE; control =3D p[len + 1]; if (control & 0x20) len++; --=20 2.47.3
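Review bot: The new comment above `MIN_PACKET_SIZE` (first hunk) lists the four fields that add up to 6 but not where that layout is specified; the commit message cites figure 8-1 of the datasheet for the frame format, and carrying that reference into the comment (e.g. `* (see figure 8-1 in the LAN91C111 datasheet)`) would let a reader verify the constant without consulting the commit history, the same way the existing `MAX_PACKET_SIZE` comment points at the datasheet.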
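Review bot: In the second hunk, `if (len < MIN_PACKET_SIZE || len > MAX_PACKET_SIZE)` now routes undersized frames through the same log-and-drop branch as oversized ones, but the log call in that branch lies outside the visible context, so please check that its message text is not worded only for the "too large" case. It is also worth stating in the new comment that the lower bound guarantees `len >= 0` after `len -= MIN_PACKET_SIZE`, which is what keeps the subsequent `control = p[len + 1]` from indexing before the data.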
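As an added illustration (not QEMU's code), the byte-count arithmetic before and after the patch as two stand-alone functions, using the frame layout the commit message describes (2-byte status word, 2-byte little-endian byte count, packet data, "last data byte", control byte with the ODD bit); the function names and the sample frames are constructed for this example.

```c
#include <stdint.h>

#define MAX_PACKET_SIZE 2048
#define MIN_PACKET_SIZE 6    /* status word(2) + byte count(2) + last data byte(1) + control(1) */
#define CONTROL_ODD     0x20 /* control-byte bit: the "last data byte" is real packet data */

/* The 16-bit little-endian byte count sits right after the 2-byte status word. */
static int frame_byte_count(const uint8_t *frame)
{
    return frame[2] | ((int)frame[3] << 8);
}

/* Pre-patch arithmetic: only the upper bound is checked, so a byte count below
 * 6 yields a negative data length. Returns -1 for "logged and dropped". */
static int data_len_unpatched(const uint8_t *frame)
{
    const uint8_t *p = frame + 4;            /* first data byte */
    int len = frame_byte_count(frame);
    if (len > MAX_PACKET_SIZE) {
        return -1;
    }
    len -= 6;
    /* The device code reads p[len + 1] unconditionally; with len < 0 that index
     * lies before the data, so this model skips the read instead of faulting. */
    if (len >= 0 && (p[len + 1] & CONTROL_ODD)) {
        len++;
    }
    return len;
}

/* Post-patch arithmetic: both bounds are enforced before the subtraction, so
 * len is never negative and p[len + 1] always addresses the control byte. */
static int data_len_patched(const uint8_t *frame)
{
    const uint8_t *p = frame + 4;
    int len = frame_byte_count(frame);
    if (len < MIN_PACKET_SIZE || len > MAX_PACKET_SIZE) {
        return -1;
    }
    len -= MIN_PACKET_SIZE;
    if (p[len + 1] & CONTROL_ODD) {
        len++;
    }
    return len;
}

/* Constructed frames (not captured from a real guest), status word then byte count. */
static const uint8_t frame_odd[]   = { 0x00, 0x40, 0x09, 0x00, 'a', 'b', 'c', 'd', 0x20 }; /* ODD set: 4 data bytes */
static const uint8_t frame_even[]  = { 0x00, 0x40, 0x08, 0x00, 'a', 'b', 0x00, 0x00 };     /* ODD clear: 2 data bytes */
static const uint8_t frame_short[] = { 0x00, 0x40, 0x03, 0x00, 0x00, 0x00 };               /* count 3: negative area */
```

For `frame_short` the unpatched arithmetic hands back -3, the negative length the commit message says was then handled inconsistently downstream, while the patched version rejects the frame outright.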