Emulation/xemu
1
0
Fork 0
mirror of https://github.com/xemu-project/xemu.git synced 2024-05-20 05:40:54 -04:00
Code Issues Packages Projects Releases Wiki Activity
xemu/hw/net
History
Stefan Hajnoczi 859759ee39 rtl8139: fix large_send_mss divide-by-zero 
If the driver sets large_send_mss to 0 then a divide-by-zero occurs.
Even if the division wasn't a problem, the for loop that emits MSS-sized
packets would never terminate.

Solve these issues by skipping offloading when large_send_mss=0.

This issue was found by OSS-Fuzz as part of Alexander Bulekov's device
fuzzing work. The reproducer is:

  $ cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
  512M,slots=1,maxmem=0xffff000000000000 -machine q35 -nodefaults -device \
  rtl8139,netdev=net0 -netdev user,id=net0 -device \
  pc-dimm,id=nv1,memdev=mem1,addr=0xb800a64602800000 -object \
  memory-backend-ram,id=mem1,size=2M  -qtest stdio
  outl 0xcf8 0x80000814
  outl 0xcfc 0xe0000000
  outl 0xcf8 0x80000804
  outw 0xcfc 0x06
  write 0xe0000037 0x1 0x04
  write 0xe00000e0 0x2 0x01
  write 0x1 0x1 0x04
  write 0x3 0x1 0x98
  write 0xa 0x1 0x8c
  write 0xb 0x1 0x02
  write 0xc 0x1 0x46
  write 0xd 0x1 0xa6
  write 0xf 0x1 0xb8
  write 0xb800a646028c000c 0x1 0x08
  write 0xb800a646028c000e 0x1 0x47
  write 0xb800a646028c0010 0x1 0x02
  write 0xb800a646028c0017 0x1 0x06
  write 0xb800a646028c0036 0x1 0x80
  write 0xe00000d9 0x1 0x40
  EOF

Buglink: https://gitlab.com/qemu-project/qemu/-/issues/1582
Closes: https://gitlab.com/qemu-project/qemu/-/issues/1582
Cc: qemu-stable@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>
Fixes: 6d71357a3b ("rtl8139: honor large send MSS value")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 792676c165159c11412346870fd58fd243ab2166)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2023-05-28 12:02:26 +03:00
..
can net: Replace TAB indentations with spaces 2022-11-11 09:39:03 +01:00
fsl_etsec hw/net/fsl_etsec/etsec: Remove obsolete and unused etsec_create() 2022-06-11 11:44:50 +02:00
rocker msix: Assert that specified vector is in range 2022-11-07 14:08:17 -05:00
allwinner-sun8i-emac.c hw/net/allwinner-sun8i-emac: Correctly byteswap descriptor fields 2023-05-18 21:09:59 +03:00
allwinner_emac.c hw/net: Make NetCanReceive() return a boolean 2020-03-31 21:14:35 +08:00
cadence_gem.c cadence_gem: switch to use qemu_receive_packet() for loopback 2021-03-15 16:41:22 +08:00
dp8393x.c dp8393x: don't force 32-bit register access 2021-07-11 22:29:54 +02:00
e1000.c e1000e: Fix tx/rx counters 2023-05-23 23:16:42 +03:00
e1000_regs.h net: Replace TAB indentations with spaces 2022-11-11 09:39:03 +01:00
e1000e.c msix: Assert that specified vector is in range 2022-11-07 14:08:17 -05:00
e1000e_core.c e1000e: Fix tx/rx counters 2023-05-23 23:16:42 +03:00
e1000e_core.h e1000e: Fix Lesser GPL version number 2020-11-15 16:45:49 +01:00
e1000x_common.c e1000e: Fix tx/rx counters 2023-05-23 23:16:42 +03:00
e1000x_common.h e1000e: Fix Lesser GPL version number 2020-11-15 16:45:49 +01:00
eepro100.c pci: Let ld*_pci_dma() propagate MemTxResult 2021-12-31 01:05:27 +01:00
etraxfs_eth.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
ftgmac100.c dma: Let dma_memory_read/write() take MemTxAttrs argument 2021-12-30 17:16:32 +01:00
i82596.c Do not include sysemu/sysemu.h if it's not really necessary 2021-05-02 17:24:50 +02:00
i82596.h hw/net: Make NetCanReceive() return a boolean 2020-03-31 21:14:35 +08:00
imx_fec.c Trivial: 3 char repeat typos 2022-06-28 11:06:02 +02:00
Kconfig hw/net/can: Correct Kconfig dependencies 2020-09-30 19:11:37 +02:00
lan9118.c hw/net/lan9118: Signal TSFL_INT flag when TX FIFO reaches specified level 2022-09-22 16:38:28 +01:00
lance.c Drop more @errp parameters after previous commit 2020-05-15 07:08:14 +02:00
lasi_i82596.c Do not include sysemu/sysemu.h if it's not really necessary 2021-05-02 17:24:50 +02:00
mcf_fec.c net: Replace TAB indentations with spaces 2022-11-11 09:39:03 +01:00
meson.build meson: use have_vhost_* variables to pick sources 2022-05-07 07:46:58 +02:00
mipsnet.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
msf2-emac.c hw/net/msf2-emac: Don't modify descriptor in-place in emac_store_desc() 2023-05-18 21:09:59 +03:00
mv88w8618_eth.c hw/net: Move MV88W8618 network device out of hw/arm/ directory 2022-01-20 11:47:52 +00:00
ne2000-isa.c hw/isa: Inline and remove one-line isa_init_irq() 2022-03-08 19:38:17 +01:00
ne2000-pci.c Drop more @errp parameters after previous commit 2020-05-15 07:08:14 +02:00
ne2000.c net: Replace TAB indentations with spaces 2022-11-11 09:39:03 +01:00
ne2000.h Include hw/hw.h exactly where needed 2019-08-16 13:31:52 +02:00
net_rx_pkt.c NetRxPkt: fix hash calculation of IPV6 TCP 2020-03-03 18:04:47 +08:00
net_rx_pkt.h NetRxPkt: Introduce support for additional hash types 2020-03-03 18:04:47 +08:00
net_tx_pkt.c hw/net/net_tx_pkt: Fix crash detected by fuzzer 2021-07-19 09:33:39 +02:00
net_tx_pkt.h hw/net: Added plen fix for IPv6 2020-07-21 21:30:39 +08:00
npcm7xx_emc.c Remove qemu-common.h include from most units 2022-04-06 14:31:55 +02:00
opencores_eth.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
pcnet-pci.c Remove superfluous timer_del() calls 2021-01-08 15:13:38 +00:00
pcnet.c net: Replace TAB indentations with spaces 2022-11-11 09:39:03 +01:00
pcnet.h net: Replace TAB indentations with spaces 2022-11-11 09:39:03 +01:00
rtl8139.c rtl8139: fix large_send_mss divide-by-zero 2023-05-28 12:02:26 +03:00
smc91c111.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
spapr_llan.c Do not include cpu.h if it's not really necessary 2021-05-02 17:24:51 +02:00
stellaris_enet.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
sungem.c sungem: switch to use qemu_receive_packet() for loopback 2021-03-15 16:41:22 +08:00
sunhme.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
trace-events hw/net: e1000e: Clear ICR on read when using non MSI-X interrupts 2022-02-14 11:50:44 +08:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00
tulip.c tulip: Remove unused variable 2022-11-11 09:12:10 +01:00
tulip.h Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
vhost_net-stub.c vhost-net: vhost-kernel: introduce vhost_net_virtqueue_restart() 2022-11-07 13:12:20 -05:00
vhost_net.c vhost: enable vrings in vhost_dev_start() for vhost-user devices 2022-12-01 02:30:04 -05:00
virtio-net.c virtio-net: not enable vq reset feature unconditionally 2023-05-22 19:39:33 +03:00
vmware_utils.h hw/net/vmxnet3: Fix code to work on big endian hosts, too 2017-11-20 11:08:00 +08:00
vmxnet3.c hw/net/vmxnet3: allow VMXNET3_MAX_MTU itself as a value 2023-03-30 12:19:04 +03:00
vmxnet3.h Replace config-time define HOST_WORDS_BIGENDIAN 2022-04-06 10:50:37 +02:00
vmxnet3_defs.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
vmxnet_debug.h
xen_nic.c net: introduce qemu_set_info_str() function 2022-10-28 13:28:52 +08:00
xgmac.c hw: Do not include qemu/log.h if it is not necessary 2021-05-02 17:24:50 +02:00
xilinx_axienet.c hw/net/xilinx_axienet: Rename StreamSlave as StreamSink 2020-12-10 12:15:04 -05:00
xilinx_ethlite.c Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00