On Sun, 4 May 2025 at 21:53, Chuhong Yuan <hsleste...@gmail.com> wrote:
>
> Hello,
>
> This is a bug I reported to qemu-security, but it was suggested that I
> forward it here because it doesn't align with the virtualization use case.
>
> Thanks,
> Chuhong
>
> ---------- Forwarded message ---------
> From: Chuhong Yuan <hsleste...@gmail.com>
> Date: Sat, May 3, 2025 at 11:30 PM
> Subject: Out-of-bounds access in rx_fifo_push()
> To: <qemu-secur...@nongnu.org>
>
>
> I detected an out-of-bounds access in rx_fifo_push() with the fuzzer.
> Run the fuzzer with:
> ```
> export QEMU_FUZZ_ARGS="-display none -machine accel=qtest, -m 512M -machine smdkc210"
> export QEMU_FUZZ_OBJECTS="*lan9118-mmio*"
> ./qemu-fuzz-arm --fuzz-target=generic-fuzz
> ```
> The error stack:
> ../hw/net/lan9118.c:455:5: runtime error: index -30 out of bounds for type 'uint32_t[3360]' (aka 'unsigned int[3360]')
>     #0 0x5db0345b2020 in rx_fifo_push qemu/build/../hw/net/lan9118.c:455:26
Hi; thanks for this bug report. Could you provide a standalone
reproducer, please? Something similar to the repro you give in the
(unrelated) https://gitlab.com/qemu-project/qemu/-/issues/1863 that has
a set of commands to feed to qtest would be great. If you could do that
by filing a gitlab issue that will give us something to refer to in the
commit message for the fix, so that would be the ideal.

(Many of these old ethernet device models are not great about guarding
against the guest doing invalid actions like popping an empty FIFO.
Luckily we don't use the devices in machine types that support
virtualization and that therefore have a security boundary.)

thanks
-- PMM
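The reply above points at the general defect class: a device-model FIFO whose pop path does not check for emptiness lets the guest drive the fill count negative, after which the next push computes a negative array index. The following is an added illustration, not code from this thread and not QEMU's lan9118 model: a constructed ring FIFO whose array size matches the `uint32_t[3360]` type in the reported error, with guarded push and pop, plus a helper showing the index an unguarded fill count would produce. The struct layout, field names and the `(head + count) % size` index formula are assumptions chosen for the example, not lan9118's actual state.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: the array size matches the 'uint32_t[3360]' in the
 * reported error, but the layout and names are assumptions for this
 * illustration, not the real lan9118 device state. */
#define RX_FIFO_WORDS 3360

typedef struct {
    uint32_t fifo[RX_FIFO_WORDS];
    int head;   /* index of the oldest word */
    int count;  /* number of valid words, kept within 0..RX_FIFO_WORDS */
} RxFifo;

static void rx_fifo_init(RxFifo *f)
{
    f->head = 0;
    f->count = 0;
}

/* Guarded push: refuse (and drop the word) when the FIFO is full, so the
 * write index can never run past the end of the array. */
static bool rx_fifo_push(RxFifo *f, uint32_t val)
{
    if (f->count >= RX_FIFO_WORDS) {
        return false;
    }
    int idx = (f->head + f->count) % RX_FIFO_WORDS;
    f->fifo[idx] = val;
    f->count++;
    return true;
}

/* Guarded pop: a guest popping an empty FIFO is ignored instead of
 * decrementing count below zero. *out is left untouched on failure. */
static bool rx_fifo_pop(RxFifo *f, uint32_t *out)
{
    if (f->count <= 0) {
        return false;
    }
    *out = f->fifo[f->head];
    f->head = (f->head + 1) % RX_FIFO_WORDS;
    f->count--;
    return true;
}

/* Replays a guest-style sequence: n_pops pops on an empty FIFO, then
 * n_pushes pushes. Returns the resulting fill count, which with the guards
 * above stays within 0..RX_FIFO_WORDS whatever the guest does. */
static int rx_fifo_scenario(int n_pops, int n_pushes)
{
    RxFifo f;
    uint32_t v;
    rx_fifo_init(&f);
    for (int i = 0; i < n_pops; i++) {
        rx_fifo_pop(&f, &v);
    }
    for (int i = 0; i < n_pushes; i++) {
        rx_fifo_push(&f, (uint32_t)i);
    }
    return f.count;
}

/* Pushes n words and pops them back, returning true if they come out in
 * order; checks that the guards do not break normal FIFO behaviour. */
static bool rx_fifo_roundtrip_ok(int n)
{
    RxFifo f;
    rx_fifo_init(&f);
    for (int i = 0; i < n; i++) {
        if (!rx_fifo_push(&f, 0x1000u + (uint32_t)i)) {
            return false;
        }
    }
    for (int i = 0; i < n; i++) {
        uint32_t v = 0;
        if (!rx_fifo_pop(&f, &v) || v != 0x1000u + (uint32_t)i) {
            return false;
        }
    }
    return f.count == 0;
}

/* The index an unguarded model would compute after n_pops pops on an
 * empty FIFO: count goes negative and C's % keeps the sign, so the next
 * push would index the array at a negative offset. Only the index is
 * computed here; nothing is written. */
static int unguarded_index_after_pops(int n_pops)
{
    int head = 0;
    int count = -n_pops;   /* decremented with no emptiness check */
    return (head + count) % RX_FIFO_WORDS;
}

int main(void)
{
    printf("30 pops on empty, then 5 pushes -> count %d\n", rx_fifo_scenario(30, 5));
    printf("unguarded index after 30 pops  -> %d\n", unguarded_index_after_pops(30));
    printf("roundtrip of 100 words ok      -> %d\n", rx_fifo_roundtrip_ok(100));
    return 0;
}
```

The guards make the fill count a bounded invariant of the device state rather than something the guest controls, which is the property the reply asks these older models to enforce; `unguarded_index_after_pops(30)` shows how a run of 30 unchecked pops yields exactly the kind of negative index the sanitizer reported.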