[PATCH] net: eepro100: validate various address values

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH] net: eepro100: validate various address values

From:	P J P
Subject:	[PATCH] net: eepro100: validate various address values
Date:	Thu, 18 Feb 2021 19:36:29 +0530

From: Prasad J Pandit <pjp@fedoraproject.org>

While processing controller commands, eepro100 emulator gets
command unit(CU) base address OR receive unit (RU) base address
OR command block (CB) address from guest. If these values are not
checked, it may lead to an infinite loop kind of issues. Add checks
to avoid it.

Reported-by: Ruhr-University Bochum <bugs-syssec@rub.de>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
 hw/net/eepro100.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
index 16e95ef9cc..afa1c9b2aa 100644
--- a/hw/net/eepro100.c
+++ b/hw/net/eepro100.c
@@ -843,7 +843,8 @@ static void action_command(EEPRO100State *s)
         bool bit_i;
         bool bit_nc;
         uint16_t ok_status = STATUS_OK;
-        s->cb_address = s->cu_base + s->cu_offset;
+        s->cb_address = s->cu_base + s->cu_offset;  /* uint32_t overflow */
+        assert (s->cb_address >= s->cu_base);
         read_cb(s);
         bit_el = ((s->tx.command & COMMAND_EL) != 0);
         bit_s = ((s->tx.command & COMMAND_S) != 0);
@@ -860,6 +861,7 @@ static void action_command(EEPRO100State *s)
         }
 
         s->cu_offset = s->tx.link;
+        assert(s->cu_offset > 0);
         TRACE(OTHER,
               logout("val=(cu start), status=0x%04x, command=0x%04x, 
link=0x%08x\n",
                      s->tx.status, s->tx.command, s->tx.link));
@@ -990,8 +992,10 @@ static void eepro100_cu_command(EEPRO100State * s, uint8_t 
val)
         break;
     case CU_CMD_BASE:
         /* Load CU base. */
+        assert(get_cu_state(s) == cu_idle);
         TRACE(OTHER, logout("val=0x%02x (CU base address)\n", val));
         s->cu_base = e100_read_reg4(s, SCBPointer);
+        assert(!s->cu_base);
         break;
     case CU_DUMPSTATS:
         /* Dump and reset statistical counters. */
@@ -1048,8 +1052,10 @@ static void eepro100_ru_command(EEPRO100State * s, 
uint8_t val)
         break;
     case RX_ADDR_LOAD:
         /* Load RU base. */
+        assert(get_ru_state(s) == ru_idle);
         TRACE(OTHER, logout("val=0x%02x (RU base address)\n", val));
         s->ru_base = e100_read_reg4(s, SCBPointer);
+        assert(!s->ru_base);
         break;
     default:
         logout("val=0x%02x (undefined RU command)\n", val);
-- 
2.29.2

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH] net: eepro100: validate various address values, P J P <=
- Re: [PATCH] net: eepro100: validate various address values, no-reply, 2021/02/18
- Re: [PATCH] net: eepro100: validate various address values, Peter Maydell, 2021/02/18
  - Re: [PATCH] net: eepro100: validate various address values, Stefan Weil, 2021/02/18
  - Re: [PATCH] net: eepro100: validate various address values, Alexander Bulekov, 2021/02/18
    - Re: [PATCH] net: eepro100: validate various address values, Li Qiang, 2021/02/18
    - Re: [PATCH] net: eepro100: validate various address values, Alexander Bulekov, 2021/02/18
    - Re: [PATCH] net: eepro100: validate various address values, Li Qiang, 2021/02/18
    - Re: [PATCH] net: eepro100: validate various address values, Alexander Bulekov, 2021/02/19
    - Re: [PATCH] net: eepro100: validate various address values, P J P, 2021/02/19
    - Re: [PATCH] net: eepro100: validate various address values, Stefan Weil, 2021/02/19

Prev by Date: Re: [PULL 00/19] riscv-to-apply queue
Next by Date: [PATCH] Correct CRIS TCG register lifetime management
Previous by thread: [PATCH 0/3] Some SMMUv3 bug fixes
Next by thread: Re: [PATCH] net: eepro100: validate various address values
Index(es):
- Date
- Thread