On Fri, 28 Feb 2025 at 17:48, Peter Maydell <peter.mayd...@linaro.org> wrote:
>
> This patchset fixes some potential array overflows in the
> smc91c111 ethernet device model, including the one found in
> https://gitlab.com/qemu-project/qemu/-/issues/2742
>
> There are two classes of bugs:
>  * we accept packet numbers from the guest, but we were not
>    validating that they were in range before using them as an
>    index into the data[][] array
>  * we didn't sanitize the length field read from the data
>    frame on tx before using it as an index to find the
>    control byte at the end of the frame, so we could read off
>    the end of the buffer
>
> This patchset fixes both of these. The datasheet is sadly
> silent on the h/w behaviour for these errors, so I opted to
> LOG_GUEST_ERROR and silently ignore the invalid operations.
>
> Patch 3 tidies up the existing code to use a constant defined
> in patch 2; I put it last so we can cc the first two patches
> to stable without having to also backport that patch.

See also the other smc91c111 fuzzer fix patch:
https://patchew.org/QEMU/20250228191652.1957208-1-peter.mayd...@linaro.org/

(if I need to do a v2 of this series I'll put that one in too)

-- PMM
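As an added illustration (not code from this series or from QEMU's smc91c111.c): a small C model of the two checks the cover letter describes, validating a guest-supplied packet number before it indexes data[][], and sanitizing the tx length field before it is used to locate the control byte at the end of the frame. NUM_PACKETS, PACKET_SIZE, the frame layout and the guest_error() stand-in for LOG_GUEST_ERROR are assumptions for the example, not the device model's real values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_PACKETS 4     /* number of packet slots in data[][] (assumed) */
#define PACKET_SIZE 2048  /* bytes per slot (assumed) */

typedef struct {
    uint8_t data[NUM_PACKETS][PACKET_SIZE];
} smc_model;

/* Hypothetical stand-in for qemu_log_mask(LOG_GUEST_ERROR, ...). */
static void guest_error(const char *msg) {
    fprintf(stderr, "guest error: %s\n", msg);
}

/* Bug class 1: the packet number comes from the guest. Without this check
 * it is used directly as the first index into data[][]. Returns -1 if the
 * number is out of range so the caller can ignore the operation. */
static int check_packet_number(int packetnum) {
    if (packetnum < 0 || packetnum >= NUM_PACKETS) {
        guest_error("packet number out of range");
        return -1;
    }
    return packetnum;
}

/* Bug class 2: the length field is read from the frame itself. Assumed
 * layout: bytes 0-1 status, bytes 2-3 little-endian total frame length,
 * payload from byte 4, control byte as the last byte (data[len - 1]).
 * An unsanitized len of 0 or > PACKET_SIZE would read outside the slot.
 * Returns the control byte, or -1 for an invalid packet number or length. */
static int tx_control_byte(const smc_model *s, int packetnum) {
    if (check_packet_number(packetnum) < 0) {
        return -1;
    }
    const uint8_t *p = s->data[packetnum];
    unsigned len = p[2] | ((unsigned)p[3] << 8);
    if (len < 6 || len > PACKET_SIZE) {   /* 6 = header + minimal trailer */
        guest_error("tx frame length out of range");
        return -1;
    }
    return p[len - 1];
}

/* Constructed sample frames for demonstration: slot 1 is a valid 64-byte
 * frame with control byte 0x20; slot 2 carries an absurd length (0xffff);
 * slot 3 carries length 0. */
static smc_model demo;
static void demo_init(void) {
    memset(&demo, 0, sizeof demo);
    demo.data[1][2] = 64;   demo.data[1][3] = 0;    demo.data[1][63] = 0x20;
    demo.data[2][2] = 0xff; demo.data[2][3] = 0xff;
    demo.data[3][2] = 0;    demo.data[3][3] = 0;
}
```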
