Re: [PATCH for-5.2 14/19] ftgmac100: Fix integer overflow in ftgmac100

qemu-arm

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH for-5.2 14/19] ftgmac100: Fix integer overflow in ftgmac100_d

From:	Mauro Matteo Cascella
Subject:	Re: [PATCH for-5.2 14/19] ftgmac100: Fix integer overflow in ftgmac100_do_tx()
Date:	Tue, 11 Aug 2020 14:20:00 +0200

On Mon, Aug 10, 2020 at 7:14 PM Cédric Le Goater <clg@kaod.org> wrote:
>
> On 8/10/20 3:43 PM, Mauro Matteo Cascella wrote:
> > On Thu, Aug 6, 2020 at 3:21 PM Cédric Le Goater <clg@kaod.org> wrote:
> >>
> >> When inserting the VLAN tag in packets, memmove() can generate an
> >> integer overflow for packets whose length is less than 12 bytes.
> >>
> >> Check length against the size of the ethernet header (14 bytes) to
> >> avoid the crash and return FTGMAC100_INT_XPKT_LOST status. This seems
> >> like a good modeling choice even if Aspeed does not specify anything
> >> in that case.
> >>
> >> Cc: Frederic Konrad <konrad.frederic@yahoo.fr>
> >> Cc: Mauro Matteo Cascella <mcascell@redhat.com>
> >> Reported-by: Ziming Zhang <ezrakiez@gmail.com>
> >> Signed-off-by: Cédric Le Goater <clg@kaod.org>
> >> ---
> >>  hw/net/ftgmac100.c | 19 +++++++++++++++----
> >>  1 file changed, 15 insertions(+), 4 deletions(-)
> >>
> >> diff --git a/hw/net/ftgmac100.c b/hw/net/ftgmac100.c
> >> index 280aa3d3a1e2..987b843fabc4 100644
> >> --- a/hw/net/ftgmac100.c
> >> +++ b/hw/net/ftgmac100.c
> >> @@ -540,10 +540,21 @@ static void ftgmac100_do_tx(FTGMAC100State *s, 
> >> uint32_t tx_ring,
> >>                  s->isr |= FTGMAC100_INT_XPKT_LOST;
> >>                  len =  sizeof(s->frame) - frame_size - 4;
> >>              }
> >> -            memmove(ptr + 16, ptr + 12, len - 12);
> >> -            stw_be_p(ptr + 12, ETH_P_VLAN);
> >> -            stw_be_p(ptr + 14, bd.des1);
> >> -            len += 4;
> >> +
> >> +            if (len < sizeof(struct eth_header)) {
> >> +                qemu_log_mask(LOG_GUEST_ERROR,
> >> +                         "%s: frame too small for VLAN insertion : %d 
> >> bytes\n",
> >> +                         __func__, len);
> >> +                s->isr |= FTGMAC100_INT_XPKT_LOST;
> >> +            } else {
> >> +                uint8_t *vlan_hdr = ptr + (ETH_ALEN * 2);
> >> +                uint8_t *payload = vlan_hdr + sizeof(struct vlan_header);
> >> +
> >> +                memmove(payload, vlan_hdr, len - (ETH_ALEN * 2));
> >> +                stw_be_p(vlan_hdr, ETH_P_VLAN);
> >> +                stw_be_p(vlan_hdr + 2, 
> >> FTGMAC100_TXDES1_VLANTAG_CI(bd.des1));
> >> +                len += sizeof(struct vlan_header);
> >> +            }
> >>          }
> >>
> >>          ptr += len;
> >> --
> >> 2.25.4
> >>
> >
> > I can confirm that I can't reproduce the issue with the above patch. Thank 
> > you.
> >
>
> Can I count that as a Tested-by ?
>
> Thanks,
>
> C.
>
>

Sure. I wonder whether we should make 'len' unsigned, though I think
it doesn't really matter due to FTGMAC100_TXDES0_TXBUF_SIZE. What do
you think?

Tested-by: Mauro Matteo Cascella <mcascell@redhat.com>


--
Mauro Matteo Cascella, Red Hat Product Security
6F78 E20B 5935 928C F0A8  1A9D 4E55 23B8 BB34 10B0

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [PATCH for-5.2 13/19] ftgmac100: Check for invalid len and address before doing a DMA transfer, (continued)
- [PATCH for-5.2 19/19] aspeed/smc: Open AHB window of the second chip of the AST2600 FMC controller, Cédric Le Goater, 2020/08/06
  - Re: [PATCH for-5.2 19/19] aspeed/smc: Open AHB window of the second chip of the AST2600 FMC controller, Joel Stanley, 2020/08/06
- [PATCH for-5.2 09/19] ftgmac100: Fix registers that can be read, Cédric Le Goater, 2020/08/06
  - Re: [PATCH for-5.2 09/19] ftgmac100: Fix registers that can be read, Philippe Mathieu-Daudé, 2020/08/06
  - Re: [PATCH for-5.2 09/19] ftgmac100: Fix registers that can be read, Joel Stanley, 2020/08/06
- [PATCH for-5.2 14/19] ftgmac100: Fix integer overflow in ftgmac100_do_tx(), Cédric Le Goater, 2020/08/06
  - Re: [PATCH for-5.2 14/19] ftgmac100: Fix integer overflow in ftgmac100_do_tx(), Joel Stanley, 2020/08/06
  - Re: [PATCH for-5.2 14/19] ftgmac100: Fix integer overflow in ftgmac100_do_tx(), Mauro Matteo Cascella, 2020/08/10
    - Re: [PATCH for-5.2 14/19] ftgmac100: Fix integer overflow in ftgmac100_do_tx(), Cédric Le Goater, 2020/08/10
    - Re: [PATCH for-5.2 14/19] ftgmac100: Fix integer overflow in ftgmac100_do_tx(), Mauro Matteo Cascella <=
  - Re: [PATCH for-5.2 14/19] ftgmac100: Fix integer overflow in ftgmac100_do_tx(), Peter Maydell, 2020/08/11
    - Re: [PATCH for-5.2 14/19] ftgmac100: Fix integer overflow in ftgmac100_do_tx(), Cédric Le Goater, 2020/08/18
- [PATCH for-5.2 11/19] ftgmac100: Fix interrupt status "Packet moved to RX FIFO", Cédric Le Goater, 2020/08/06
  - Re: [PATCH for-5.2 11/19] ftgmac100: Fix interrupt status "Packet moved to RX FIFO", Joel Stanley, 2020/08/06
- [PATCH for-5.2 15/19] ftgmac100: Improve software reset, Cédric Le Goater, 2020/08/06
  - Re: [PATCH for-5.2 15/19] ftgmac100: Improve software reset, Philippe Mathieu-Daudé, 2020/08/06
  - Re: [PATCH for-5.2 15/19] ftgmac100: Improve software reset, Joel Stanley, 2020/08/06
    - Re: [PATCH for-5.2 15/19] ftgmac100: Improve software reset, Cédric Le Goater, 2020/08/07
- [PATCH for-5.2 18/19] aspeed/sdmc: Simplify calculation of RAM bits, Cédric Le Goater, 2020/08/06
  - Re: [PATCH for-5.2 18/19] aspeed/sdmc: Simplify calculation of RAM bits, Joel Stanley, 2020/08/06

Prev by Date: Re: [RFC PATCH v3 8/8] target/s390x: Use start-powered-off CPUState property
Next by Date: Re: [PATCH for-5.2 14/19] ftgmac100: Fix integer overflow in ftgmac100_do_tx()
Previous by thread: Re: [PATCH for-5.2 14/19] ftgmac100: Fix integer overflow in ftgmac100_do_tx()
Next by thread: Re: [PATCH for-5.2 14/19] ftgmac100: Fix integer overflow in ftgmac100_do_tx()
Index(es):
- Date
- Thread