From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Alistair Francis, "Edgar E. Iglesias", Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.2.2 44/53] hw/net/xilinx_ethlite: Check for oversized TX packets
Date: Wed, 11 Mar 2026 22:34:37 +0300
Message-ID: <20260311193449.1096110-44-mjt@tls.msk.ru>

From: Peter Maydell

The xilinx_ethlite network device wasn't checking that the TX packet size set by the guest was within the size of its dual port RAM, with the effect that the guest could get it to read off the end of the RAM block.

Check the length. There is no provision in this very simple device for reporting errors, so as with various RX errors we just report via tracepoint.

This lack of length check has been present since the device was first introduced, though the code implementing the tx path has changed somewhat since then.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3317
Fixes: b43848a1005ce ("xilinx: Add ethlite emulation")
Signed-off-by: Peter Maydell
Reviewed-by: Alistair Francis
Reviewed-by: Edgar E. Iglesias
Message-ID: <20260303172718.437015-1-peter.maydell@linaro.org>
[PMD: renamed size -> tx_size to avoid shadow=compatible-local error]
Signed-off-by: Philippe Mathieu-Daudé
(cherry picked from commit 6595a8d5d17ea1716ddafb34455ec2b29381e232)
Signed-off-by: Michael Tokarev

diff --git a/hw/net/trace-events b/hw/net/trace-events index 23efa91d05..001a20b0e2 100644 --- a/hw/net/trace-events +++ b/hw/net/trace-events @@ -527,3 +527,4 @@ xen_netdev_rx(int dev, int idx, int status, int flags) = "vif%u idx %d status %d f # xilinx_ethlite.c ethlite_pkt_lost(uint32_t rx_ctrl) "rx_ctrl:0x%" PRIx32 ethlite_pkt_size_too_big(uint64_t size) "size:0x%" PRIx64 +ethlite_pkt_tx_size_too_big(uint64_t size) "size:0x%" PRIx64 diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c index 42b19d07c7..665def8a34 100644 --- a/hw/net/xilinx_ethlite.c +++ b/hw/net/xilinx_ethlite.c
@@ -162,9 +162,15 @@ static void port_tx_write(void *opaque, hwaddr addr, u= int64_t value, break; case TX_CTRL: if ((value & (CTRL_P | CTRL_S)) =3D=3D CTRL_S) { - qemu_send_packet(qemu_get_queue(s->nic), - txbuf_ptr(s, port_index), - s->port[port_index].reg.tx_len); + uint32_t tx_size =3D s->port[port_index].reg.tx_len; + + if (tx_size >=3D BUFSZ_MAX) { + trace_ethlite_pkt_tx_size_too_big(tx_size); + } else { + qemu_send_packet(qemu_get_queue(s->nic), + txbuf_ptr(s, port_index), + tx_size); + } if (s->port[port_index].reg.tx_ctrl & CTRL_I) { eth_pulse_irq(s); } --=20 2.47.3
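
Review bot: in the hw/net/trace-events hunk, the added ethlite_pkt_tx_size_too_big event is declared as (uint64_t size) with PRIx64, but its only caller in this patch passes a uint32_t tx_size. Declaring the argument as uint32_t with PRIx32 would match the value actually traced. If the 64-bit type is kept only for symmetry with the neighbouring ethlite_pkt_size_too_big line, that is harmless, but it is worth saying so.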
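
Review bot: in the hw/net/xilinx_ethlite.c hunk, the new bound in the TX_CTRL case, "if (tx_size >= BUFSZ_MAX)", has no comment saying what BUFSZ_MAX limits or why the comparison is >= rather than >. Neither the definition of BUFSZ_MAX nor the offset returned by txbuf_ptr(s, port_index) is visible here, so a reader cannot confirm from the hunk that every accepted tx_size stays inside the RAM block when read from that pointer. A one-line comment tying BUFSZ_MAX to the bytes available from txbuf_ptr() would settle it. The oversized path also still falls through to the CTRL_I check and eth_pulse_irq(s), so the guest is signalled for a packet that was dropped; if that is intended, as the commit message's "no provision for reporting errors" suggests, a short comment at the trace call would make it explicit.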