[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-commits] [qemu/qemu] baba73: hw/net/i82596: Correct command bitmas
|
From: |
Peter Maydell |
|
Subject: |
[Qemu-commits] [qemu/qemu] baba73: hw/net/i82596: Correct command bitmask (CID 1419392) |
|
Date: |
Tue, 31 Mar 2020 07:45:14 -0700 |
Branch: refs/heads/master
Home: https://github.com/qemu/qemu
Commit: baba731bc6e7920ec2dca7d449b6bf7d42e4901f
https://github.com/qemu/qemu/commit/baba731bc6e7920ec2dca7d449b6bf7d42e4901f
Author: Philippe Mathieu-Daudé <address@hidden>
Date: 2020-03-31 (Tue, 31 Mar 2020)
Changed paths:
M hw/net/i82596.c
Log Message:
-----------
hw/net/i82596: Correct command bitmask (CID 1419392)
The command is 32-bit, but we are loading the 16 upper bits with
the 'get_uint16(s->scb + 2)' call.
Once shifted by 16, the command bits match the status bits:
- Command
Bit 31 ACK-CX Acknowledges that the CU completed an Action Command.
Bit 30 ACK-FR Acknowledges that the RU received a frame.
Bit 29 ACK-CNA Acknowledges that the Command Unit became not active.
Bit 28 ACK-RNR Acknowledges that the Receive Unit became not ready.
- Status
Bit 15 CX The CU finished executing a command with its I(interrupt) bit
set.
Bit 14 FR The RU finished receiving a frame.
Bit 13 CNA The Command Unit left the Active state.
Bit 12 RNR The Receive Unit left the Ready state.
Add the SCB_COMMAND_ACK_MASK definition to simplify the code.
This fixes Coverity 1419392 (CONSTANT_EXPRESSION_RESULT):
/hw/net/i82596.c: 352 in examine_scb()
346 cuc = (command >> 8) & 0x7;
347 ruc = (command >> 4) & 0x7;
348 DBG(printf("MAIN COMMAND %04x cuc %02x ruc %02x\n", command,
cuc, ruc));
349 /* and clear the scb command word */
350 set_uint16(s->scb + 2, 0);
351
>>> CID 1419392: (CONSTANT_EXPRESSION_RESULT)
>>> "command & (2147483648UL /* 1UL << 31 */)" is always 0 regardless of
the values of its operands. This occurs as the logical operand of "if".
352 if (command & BIT(31)) /* ACK-CX */
353 s->scb_status &= ~SCB_STATUS_CX;
>>> CID 1419392: (CONSTANT_EXPRESSION_RESULT)
>>> "command & (1073741824UL /* 1UL << 30 */)" is always 0 regardless of
the values of its operands. This occurs as the logical operand of "if".
354 if (command & BIT(30)) /*ACK-FR */
355 s->scb_status &= ~SCB_STATUS_FR;
>>> CID 1419392: (CONSTANT_EXPRESSION_RESULT)
>>> "command & (536870912UL /* 1UL << 29 */)" is always 0 regardless of
the values of its operands. This occurs as the logical operand of "if".
356 if (command & BIT(29)) /*ACK-CNA */
357 s->scb_status &= ~SCB_STATUS_CNA;
>>> CID 1419392: (CONSTANT_EXPRESSION_RESULT)
>>> "command & (268435456UL /* 1UL << 28 */)" is always 0 regardless of
the values of its operands. This occurs as the logical operand of "if".
358 if (command & BIT(28)) /*ACK-RNR */
359 s->scb_status &= ~SCB_STATUS_RNR;
Fixes: Covertiy CID 1419392 (commit 376b851909)
Signed-off-by: Philippe Mathieu-Daudé <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
Commit: a43790f2f6155597e120409f467a3d41de3cfb53
https://github.com/qemu/qemu/commit/a43790f2f6155597e120409f467a3d41de3cfb53
Author: Peter Maydell <address@hidden>
Date: 2020-03-31 (Tue, 31 Mar 2020)
Changed paths:
M hw/net/i82596.c
Log Message:
-----------
hw/net/i82596.c: Avoid reading off end of buffer in i82596_receive()
The i82596_receive() function attempts to pass the guest a buffer
which is effectively the concatenation of the data it is passed and a
4 byte CRC value. However, rather than implementing this as "write
the data; then write the CRC" it instead bumps the length value of
the data by 4, and writes 4 extra bytes from beyond the end of the
buffer, which it then overwrites with the CRC. It also assumed that
we could always fit all four bytes of the CRC into the final receive
buffer, which might not be true if the CRC needs to be split over two
receive buffers.
Calculate separately how many bytes we need to transfer into the
guest's receive buffer from the source buffer, and how many we need
to transfer from the CRC work.
We add a count 'bufsz' of the number of bytes left in the source
buffer, which we use purely to assert() that we don't overrun.
Spotted by Coverity (CID 1419396) for the specific case when we end
up using a local array as the source buffer.
Signed-off-by: Peter Maydell <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
Commit: f22a57ac09abdd5afd8a974b52c19eda9347cffd
https://github.com/qemu/qemu/commit/f22a57ac09abdd5afd8a974b52c19eda9347cffd
Author: Andrew Melnychenko <address@hidden>
Date: 2020-03-31 (Tue, 31 Mar 2020)
Changed paths:
M hw/net/e1000e.c
Log Message:
-----------
Fixed integer overflow in e1000e
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1737400
Fixed setting max_queue_num if there are no peers in
NICConf. qemu_new_nic() creates NICState with 1 NetClientState(index
0) without peers, set max_queue_num to 0 - It prevents undefined
behavior and possible crashes, especially during pcie hotplug.
Fixes: 6f3fbe4ed06 ("net: Introduce e1000e device emulation")
Signed-off-by: Andrew Melnychenko <address@hidden>
Reviewed-by: Philippe Mathieu-Daudé <address@hidden>
Reviewed-by: Dmitry Fleytman <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
Commit: 205ce5670f8ec38693ab945493e4fcc155b25cec
https://github.com/qemu/qemu/commit/205ce5670f8ec38693ab945493e4fcc155b25cec
Author: Philippe Mathieu-Daudé <address@hidden>
Date: 2020-03-31 (Tue, 31 Mar 2020)
Changed paths:
M hw/net/e1000e_core.c
M hw/net/e1000e_core.h
Log Message:
-----------
hw/net/e1000e_core: Let e1000e_can_receive() return a boolean
The e1000e_can_receive() function simply returns a boolean value.
Signed-off-by: Philippe Mathieu-Daudé <address@hidden>
Reviewed-by: Alistair Francis <address@hidden>
Reviewed-by: Paolo Bonzini <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
Commit: 0002c3a696b2def7eda13d5fb722e45679959d22
https://github.com/qemu/qemu/commit/0002c3a696b2def7eda13d5fb722e45679959d22
Author: Philippe Mathieu-Daudé <address@hidden>
Date: 2020-03-31 (Tue, 31 Mar 2020)
Changed paths:
M hw/net/smc91c111.c
Log Message:
-----------
hw/net/smc91c111: Let smc91c111_can_receive() return a boolean
The smc91c111_can_receive() function simply returns a boolean value.
Signed-off-by: Philippe Mathieu-Daudé <address@hidden>
Reviewed-by: Alistair Francis <address@hidden>
Reviewed-by: Cédric Le Goater <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
Commit: 2fa3d2d401b95036294361da52e4f3cd0f98155e
https://github.com/qemu/qemu/commit/2fa3d2d401b95036294361da52e4f3cd0f98155e
Author: Philippe Mathieu-Daudé <address@hidden>
Date: 2020-03-31 (Tue, 31 Mar 2020)
Changed paths:
M hw/net/rtl8139.c
Log Message:
-----------
hw/net/rtl8139: Simplify if/else statement
Rewrite:
if (E) {
return A;
} else {
return B;
}
/* EOF */
}
as:
if (E) {
return A;
}
return B;
}
Signed-off-by: Philippe Mathieu-Daudé <address@hidden>
Reviewed-by: Alistair Francis <address@hidden>
Reviewed-by: Cédric Le Goater <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
Commit: 3317db743972f665e2753c75703538d51241350a
https://github.com/qemu/qemu/commit/3317db743972f665e2753c75703538d51241350a
Author: Philippe Mathieu-Daudé <address@hidden>
Date: 2020-03-31 (Tue, 31 Mar 2020)
Changed paths:
M hw/net/rtl8139.c
Log Message:
-----------
hw/net/rtl8139: Update coding style to make checkpatch.pl happy
We will modify this code in the next commit. Clean it up
first to avoid checkpatch.pl errors.
Signed-off-by: Philippe Mathieu-Daudé <address@hidden>
Reviewed-by: Alistair Francis <address@hidden>
Reviewed-by: Cédric Le Goater <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
Commit: b8c4b67e3ec3918a40234e5c56221f780c7856fc
https://github.com/qemu/qemu/commit/b8c4b67e3ec3918a40234e5c56221f780c7856fc
Author: Philippe Mathieu-Daudé <address@hidden>
Date: 2020-03-31 (Tue, 31 Mar 2020)
Changed paths:
M hw/net/allwinner_emac.c
M hw/net/cadence_gem.c
M hw/net/dp8393x.c
M hw/net/e1000.c
M hw/net/e1000e.c
M hw/net/ftgmac100.c
M hw/net/i82596.c
M hw/net/i82596.h
M hw/net/imx_fec.c
M hw/net/opencores_eth.c
M hw/net/rtl8139.c
M hw/net/smc91c111.c
M hw/net/spapr_llan.c
M hw/net/sungem.c
M hw/net/sunhme.c
M hw/net/virtio-net.c
M hw/net/xilinx_ethlite.c
M include/net/net.h
M net/filter-buffer.c
M net/hub.c
Log Message:
-----------
hw/net: Make NetCanReceive() return a boolean
The NetCanReceive handler return whether the device can or
can not receive new packets. Make it obvious by returning
a boolean type.
Signed-off-by: Philippe Mathieu-Daudé <address@hidden>
Acked-by: David Gibson <address@hidden>
Reviewed-by: Alistair Francis <address@hidden>
Reviewed-by: Cédric Le Goater <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
Commit: 767cc9a9c1daf9b6c8efbfef656e5ca12c853a45
https://github.com/qemu/qemu/commit/767cc9a9c1daf9b6c8efbfef656e5ca12c853a45
Author: Philippe Mathieu-Daudé <address@hidden>
Date: 2020-03-31 (Tue, 31 Mar 2020)
Changed paths:
M hw/net/allwinner-sun8i-emac.c
M hw/net/can/can_sja1000.c
M hw/net/can/can_sja1000.h
M include/net/can_emu.h
M net/can/can_socketcan.c
Log Message:
-----------
hw/net/can: Make CanBusClientInfo::can_receive() return a boolean
The CanBusClientInfo::can_receive handler return whether the
device can or can not receive new frames. Make it obvious by
returning a boolean type.
Signed-off-by: Philippe Mathieu-Daudé <address@hidden>
Reviewed-by: Alistair Francis <address@hidden>
Reviewed-by: Cédric Le Goater <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
Commit: 9cc43c94b31321cdb2ef1d83f99d7a5b8a8b1d9e
https://github.com/qemu/qemu/commit/9cc43c94b31321cdb2ef1d83f99d7a5b8a8b1d9e
Author: Zhang Chen <address@hidden>
Date: 2020-03-31 (Tue, 31 Mar 2020)
Changed paths:
M net/colo-compare.c
M qemu-options.hx
Log Message:
-----------
net/colo-compare.c: Expose "compare_timeout" to users
The "compare_timeout" determines the maximum time to hold the primary net
packet.
This patch expose the "compare_timeout", make user have ability to
adjest the value according to application scenarios.
QMP command demo:
{ "execute": "qom-get",
"arguments": { "path": "/objects/comp0",
"property": "compare_timeout" } }
{ "execute": "qom-set",
"arguments": { "path": "/objects/comp0",
"property": "compare_timeout",
"value": 5000} }
Signed-off-by: Zhang Chen <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
Commit: cca35ac4d16c0633a7d3bd28448e4ef52f0d46b0
https://github.com/qemu/qemu/commit/cca35ac4d16c0633a7d3bd28448e4ef52f0d46b0
Author: Zhang Chen <address@hidden>
Date: 2020-03-31 (Tue, 31 Mar 2020)
Changed paths:
M net/colo-compare.c
M qemu-options.hx
Log Message:
-----------
net/colo-compare.c: Expose "expired_scan_cycle" to users
The "expired_scan_cycle" determines period of scanning expired
primary node net packets.
Signed-off-by: Zhang Chen <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
Commit: 8ffb7265af64ec81748335ec8f20e7ab542c3850
https://github.com/qemu/qemu/commit/8ffb7265af64ec81748335ec8f20e7ab542c3850
Author: Prasad J Pandit <address@hidden>
Date: 2020-03-31 (Tue, 31 Mar 2020)
Changed paths:
M hw/net/tulip.c
Log Message:
-----------
net: tulip: check frame size and r/w data length
Tulip network driver while copying tx/rx buffers does not check
frame size against r/w data length. This may lead to OOB buffer
access. Add check to avoid it.
Limit iterations over descriptors to avoid potential infinite
loop issue in tulip_xmit_list_update.
Reported-by: Li Qiang <address@hidden>
Reported-by: Ziming Zhang <address@hidden>
Reported-by: Jason Wang <address@hidden>
Tested-by: Li Qiang <address@hidden>
Reviewed-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
Commit: b88fb1247b8f82ff49a82e69965adca6d329a3b3
https://github.com/qemu/qemu/commit/b88fb1247b8f82ff49a82e69965adca6d329a3b3
Author: Peter Maydell <address@hidden>
Date: 2020-03-31 (Tue, 31 Mar 2020)
Changed paths:
M hw/net/allwinner-sun8i-emac.c
Log Message:
-----------
hw/net/allwinner-sun8i-emac.c: Fix REG_ADDR_HIGH/LOW reads
Coverity points out (CID 1421926) that the read code for
REG_ADDR_HIGH reads off the end of the buffer, because it does a
32-bit read from byte 4 of a 6-byte buffer.
The code also has an endianness issue for both REG_ADDR_HIGH and
REG_ADDR_LOW, because it will do the wrong thing on a big-endian
host.
Rewrite the read code to use ldl_le_p() and lduw_le_p() to fix this;
the write code is not incorrect, but for consistency we make it use
stl_le_p() and stw_le_p().
Reviewed-by: Richard Henderson <address@hidden>
Tested-by: Niek Linnenbank <address@hidden>
Reviewed-by: Niek Linnenbank <address@hidden>
Signed-off-by: Peter Maydell <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
Commit: 1153cf9f5b67fad41ca6f8571e9a26e2c7c70759
https://github.com/qemu/qemu/commit/1153cf9f5b67fad41ca6f8571e9a26e2c7c70759
Author: Li Qiang <address@hidden>
Date: 2020-03-31 (Tue, 31 Mar 2020)
Changed paths:
M tests/qtest/Makefile.include
A tests/qtest/tulip-test.c
Log Message:
-----------
qtest: add tulip test case
The tulip networking card emulation has an OOB issue in
'tulip_copy_tx_buffers' when the guest provide malformed descriptor.
This test will trigger a ASAN heap overflow crash. To trigger this
issue we can construct the data as following:
1. construct a 'tulip_descriptor'. Its control is set to
'0x7ff | 0x7ff << 11', this will make the 'tulip_copy_tx_buffers's
'len1' and 'len2' to 0x7ff(2047). So 'len1+len2' will overflow
'TULIPState's 'tx_frame' field. This descriptor's 'buf_addr1' and
'buf_addr2' should set to a guest address.
2. write this descriptor to tulip device's CSR4 register. This will
set the 'TULIPState's 'current_tx_desc' field.
3. write 'CSR6_ST' to tulip device's CSR6 register. This will trigger
'tulip_xmit_list_update' and finally calls 'tulip_copy_tx_buffers'.
Following shows the backtrack of crash:
==31781==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x628000007cd0 at pc 0x7fe03c5a077a bp 0x7fff05b46770 sp 0x7fff05b45f18
WRITE of size 2047 at 0x628000007cd0 thread T0
#0 0x7fe03c5a0779 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79779)
#1 0x5575fb6daa6a in flatview_read_continue /home/test/qemu/exec.c:3194
#2 0x5575fb6daccb in flatview_read /home/test/qemu/exec.c:3227
#3 0x5575fb6dae66 in address_space_read_full /home/test/qemu/exec.c:3240
#4 0x5575fb6db0cb in address_space_rw /home/test/qemu/exec.c:3268
#5 0x5575fbdfd460 in dma_memory_rw_relaxed
/home/test/qemu/include/sysemu/dma.h:87
#6 0x5575fbdfd4b5 in dma_memory_rw /home/test/qemu/include/sysemu/dma.h:110
#7 0x5575fbdfd866 in pci_dma_rw /home/test/qemu/include/hw/pci/pci.h:787
#8 0x5575fbdfd8a3 in pci_dma_read /home/test/qemu/include/hw/pci/pci.h:794
#9 0x5575fbe02761 in tulip_copy_tx_buffers hw/net/tulip.c:585
#10 0x5575fbe0366b in tulip_xmit_list_update hw/net/tulip.c:678
#11 0x5575fbe04073 in tulip_write hw/net/tulip.c:783
Signed-off-by: Li Qiang <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
Commit: 17083d6d1e0635371418c26b613a6fa68d392f49
https://github.com/qemu/qemu/commit/17083d6d1e0635371418c26b613a6fa68d392f49
Author: Peter Maydell <address@hidden>
Date: 2020-03-31 (Tue, 31 Mar 2020)
Changed paths:
M hw/net/allwinner-sun8i-emac.c
M hw/net/allwinner_emac.c
M hw/net/cadence_gem.c
M hw/net/can/can_sja1000.c
M hw/net/can/can_sja1000.h
M hw/net/dp8393x.c
M hw/net/e1000.c
M hw/net/e1000e.c
M hw/net/e1000e_core.c
M hw/net/e1000e_core.h
M hw/net/ftgmac100.c
M hw/net/i82596.c
M hw/net/i82596.h
M hw/net/imx_fec.c
M hw/net/opencores_eth.c
M hw/net/rtl8139.c
M hw/net/smc91c111.c
M hw/net/spapr_llan.c
M hw/net/sungem.c
M hw/net/sunhme.c
M hw/net/tulip.c
M hw/net/virtio-net.c
M hw/net/xilinx_ethlite.c
M include/net/can_emu.h
M include/net/net.h
M net/can/can_socketcan.c
M net/colo-compare.c
M net/filter-buffer.c
M net/hub.c
M qemu-options.hx
M tests/qtest/Makefile.include
A tests/qtest/tulip-test.c
Log Message:
-----------
Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into
staging
# gpg: Signature made Tue 31 Mar 2020 14:15:18 BST
# gpg: using RSA key EF04965B398D6211
# gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <address@hidden>"
[marginal]
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 215D 46F4 8246 689E C77F 3562 EF04 965B 398D 6211
* remotes/jasowang/tags/net-pull-request:
qtest: add tulip test case
hw/net/allwinner-sun8i-emac.c: Fix REG_ADDR_HIGH/LOW reads
net: tulip: check frame size and r/w data length
net/colo-compare.c: Expose "expired_scan_cycle" to users
net/colo-compare.c: Expose "compare_timeout" to users
hw/net/can: Make CanBusClientInfo::can_receive() return a boolean
hw/net: Make NetCanReceive() return a boolean
hw/net/rtl8139: Update coding style to make checkpatch.pl happy
hw/net/rtl8139: Simplify if/else statement
hw/net/smc91c111: Let smc91c111_can_receive() return a boolean
hw/net/e1000e_core: Let e1000e_can_receive() return a boolean
Fixed integer overflow in e1000e
hw/net/i82596.c: Avoid reading off end of buffer in i82596_receive()
hw/net/i82596: Correct command bitmask (CID 1419392)
Signed-off-by: Peter Maydell <address@hidden>
Compare: https://github.com/qemu/qemu/compare/2a95551e8b14...17083d6d1e06
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Qemu-commits] [qemu/qemu] baba73: hw/net/i82596: Correct command bitmask (CID 1419392),
Peter Maydell <=