[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PULL 50/50] rtl8139: fix large_send_mss divide-by-zero
From: |
Jason Wang |
Subject: |
[PULL 50/50] rtl8139: fix large_send_mss divide-by-zero |
Date: |
Tue, 23 May 2023 15:32:38 +0800 |
From: Stefan Hajnoczi <stefanha@redhat.com>
If the driver sets large_send_mss to 0 then a divide-by-zero occurs.
Even if the division wasn't a problem, the for loop that emits MSS-sized
packets would never terminate.
Solve these issues by skipping offloading when large_send_mss=0.
This issue was found by OSS-Fuzz as part of Alexander Bulekov's device
fuzzing work. The reproducer is:
$ cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
512M,slots=1,maxmem=0xffff000000000000 -machine q35 -nodefaults -device \
rtl8139,netdev=net0 -netdev user,id=net0 -device \
pc-dimm,id=nv1,memdev=mem1,addr=0xb800a64602800000 -object \
memory-backend-ram,id=mem1,size=2M -qtest stdio
outl 0xcf8 0x80000814
outl 0xcfc 0xe0000000
outl 0xcf8 0x80000804
outw 0xcfc 0x06
write 0xe0000037 0x1 0x04
write 0xe00000e0 0x2 0x01
write 0x1 0x1 0x04
write 0x3 0x1 0x98
write 0xa 0x1 0x8c
write 0xb 0x1 0x02
write 0xc 0x1 0x46
write 0xd 0x1 0xa6
write 0xf 0x1 0xb8
write 0xb800a646028c000c 0x1 0x08
write 0xb800a646028c000e 0x1 0x47
write 0xb800a646028c0010 0x1 0x02
write 0xb800a646028c0017 0x1 0x06
write 0xb800a646028c0036 0x1 0x80
write 0xe00000d9 0x1 0x40
EOF
Buglink: https://gitlab.com/qemu-project/qemu/-/issues/1582
Closes: https://gitlab.com/qemu-project/qemu/-/issues/1582
Cc: qemu-stable@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>
Fixes: 6d71357a3b65 ("rtl8139: honor large send MSS value")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
hw/net/rtl8139.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
index 5a5aaf8..5f1a4d3 100644
--- a/hw/net/rtl8139.c
+++ b/hw/net/rtl8139.c
@@ -2154,6 +2154,9 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
int large_send_mss = (txdw0 >> CP_TC_LGSEN_MSS_SHIFT) &
CP_TC_LGSEN_MSS_MASK;
+ if (large_send_mss == 0) {
+ goto skip_offload;
+ }
DPRINTF("+++ C+ mode offloaded task TSO IP data %d "
"frame data %d specified MSS=%d\n",
--
2.7.4
- [PULL 35/50] igb: Implement MSI-X single vector mode, (continued)
- [PULL 35/50] igb: Implement MSI-X single vector mode, Jason Wang, 2023/05/23
- [PULL 44/50] e1000e: Notify only new interrupts, Jason Wang, 2023/05/23
- [PULL 37/50] igb: Implement Rx SCTP CSO, Jason Wang, 2023/05/23
- [PULL 41/50] igb: Implement igb-specific oversize check, Jason Wang, 2023/05/23
- [PULL 43/50] igb: Implement Tx timestamp, Jason Wang, 2023/05/23
- [PULL 42/50] igb: Implement Rx PTP2 timestamp, Jason Wang, 2023/05/23
- [PULL 36/50] igb: Use UDP for RSS hash, Jason Wang, 2023/05/23
- [PULL 38/50] igb: Implement Tx SCTP CSO, Jason Wang, 2023/05/23
- [PULL 39/50] igb: Strip the second VLAN tag for extended VLAN, Jason Wang, 2023/05/23
- [PULL 46/50] igb: Clear-on-read ICR when ICR.INTA is set, Jason Wang, 2023/05/23
- [PULL 50/50] rtl8139: fix large_send_mss divide-by-zero,
Jason Wang <=
- [PULL 45/50] igb: Notify only new interrupts, Jason Wang, 2023/05/23
- [PULL 32/50] net/eth: Always add VLAN tag, Jason Wang, 2023/05/23
- [PULL 47/50] vmxnet3: Do not depend on PC, Jason Wang, 2023/05/23
- [PULL 48/50] MAINTAINERS: Add a reviewer for network packet abstractions, Jason Wang, 2023/05/23
- [PULL 49/50] docs/system/devices/igb: Note igb is tested for DPDK, Jason Wang, 2023/05/23
- Re: [PULL 00/50] Net patches, Richard Henderson, 2023/05/23
- Re: [PULL 00/50] Net patches, Michael Tokarev, 2023/05/23