motorhead/qemu
1
0
Fork 0
mirror of https://github.com/Motorhead1991/qemu.git synced 2025-08-26 11:32:23 -06:00
Code Issues Projects Releases Packages Wiki Activity Actions
qemu/hw/net
History
Stefan Hajnoczi fae9449998 rtl8139: fix large_send_mss divide-by-zero 
If the driver sets large_send_mss to 0 then a divide-by-zero occurs.
Even if the division wasn't a problem, the for loop that emits MSS-sized
packets would never terminate.

Solve these issues by skipping offloading when large_send_mss=0.

This issue was found by OSS-Fuzz as part of Alexander Bulekov's device
fuzzing work. The reproducer is:

  $ cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
  512M,slots=1,maxmem=0xffff000000000000 -machine q35 -nodefaults -device \
  rtl8139,netdev=net0 -netdev user,id=net0 -device \
  pc-dimm,id=nv1,memdev=mem1,addr=0xb800a64602800000 -object \
  memory-backend-ram,id=mem1,size=2M  -qtest stdio
  outl 0xcf8 0x80000814
  outl 0xcfc 0xe0000000
  outl 0xcf8 0x80000804
  outw 0xcfc 0x06
  write 0xe0000037 0x1 0x04
  write 0xe00000e0 0x2 0x01
  write 0x1 0x1 0x04
  write 0x3 0x1 0x98
  write 0xa 0x1 0x8c
  write 0xb 0x1 0x02
  write 0xc 0x1 0x46
  write 0xd 0x1 0xa6
  write 0xf 0x1 0xb8
  write 0xb800a646028c000c 0x1 0x08
  write 0xb800a646028c000e 0x1 0x47
  write 0xb800a646028c0010 0x1 0x02
  write 0xb800a646028c0017 0x1 0x06
  write 0xb800a646028c0036 0x1 0x80
  write 0xe00000d9 0x1 0x40
  EOF

Buglink: https://gitlab.com/qemu-project/qemu/-/issues/1582
Closes: https://gitlab.com/qemu-project/qemu/-/issues/1582
Cc: qemu-stable@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>
Fixes: 6d71357a3b ("rtl8139: honor large send MSS value")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 792676c165)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2023-05-24 18:07:21 +03:00
..
can include/hw/pci: Split pci_device.h off pci.h 2023-01-08 01:54:22 -05:00
fsl_etsec fsl_etsec: Use hw/net/mii.h 2023-03-10 15:35:38 +08:00
rocker rocker: Tweak stubbed out monitor commands' error messages 2023-02-23 14:10:17 +01:00
allwinner-sun8i-emac.c hw/net/allwinner-sun8i-emac: Correctly byteswap descriptor fields 2023-05-10 20:50:38 +03:00
allwinner_emac.c bulk: Rename TARGET_FMT_plx -> HWADDR_FMT_plx 2023-01-18 11:14:34 +01:00
cadence_gem.c Drop more useless casts from void * to pointer 2022-12-14 16:19:35 +01:00
dp8393x.c dp8393x: don't force 32-bit register access 2021-07-11 22:29:54 +02:00
e1000.c e1000x: Fix BPRC and MPRC 2023-05-24 16:31:45 +03:00
e1000_common.h e1000: Split header files 2023-03-10 15:35:38 +08:00
e1000_regs.h e1000: Split header files 2023-03-10 15:35:38 +08:00
e1000e.c e1000: Split header files 2023-03-10 15:35:38 +08:00
e1000e_core.c e1000e: Always copy ethernet header 2023-05-24 16:35:30 +03:00
e1000e_core.h e1000e: Implement system clock 2023-03-10 15:35:38 +08:00
e1000x_common.c e1000x: Fix BPRC and MPRC 2023-05-24 16:31:45 +03:00
e1000x_common.h e1000x: Fix BPRC and MPRC 2023-05-24 16:31:45 +03:00
e1000x_regs.h igb: add ICR_RXDW 2023-03-28 13:10:55 +08:00
eepro100.c include/hw/pci: Split pci_device.h off pci.h 2023-01-08 01:54:22 -05:00
etraxfs_eth.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
ftgmac100.c hw/net: Fix read of uninitialized memory in ftgmac100 2023-02-07 09:02:04 +01:00
i82596.c Do not include sysemu/sysemu.h if it's not really necessary 2021-05-02 17:24:50 +02:00
i82596.h hw/net: Make NetCanReceive() return a boolean 2020-03-31 21:14:35 +08:00
igb.c igb: Save more Tx states 2023-03-28 13:10:55 +08:00
igb_common.h Intrdocue igb device emulation 2023-03-10 15:35:38 +08:00
igb_core.c igb: Always copy ethernet header 2023-05-24 16:37:48 +03:00
igb_core.h igb: implement VFRE and VFTE registers 2023-03-28 13:10:55 +08:00
igb_regs.h igb: Fix Rx packet type encoding 2023-05-24 16:33:54 +03:00
igbvf.c Intrdocue igb device emulation 2023-03-10 15:35:38 +08:00
imx_fec.c hw/net: Fix read of uninitialized memory in imx_fec. 2023-01-05 15:33:00 +00:00
Kconfig Intrdocue igb device emulation 2023-03-10 15:35:38 +08:00
lan9118.c hw/net/lan9118: log [read|write]b when mode_16bit is enabled rather than abort 2023-02-17 13:31:33 +08:00
lance.c Drop more @errp parameters after previous commit 2020-05-15 07:08:14 +02:00
lasi_i82596.c Do not include sysemu/sysemu.h if it's not really necessary 2021-05-02 17:24:50 +02:00
mcf_fec.c net: Replace TAB indentations with spaces 2022-11-11 09:39:03 +01:00
meson.build Intrdocue igb device emulation 2023-03-10 15:35:38 +08:00
mipsnet.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
msf2-emac.c hw/net/msf2-emac: Don't modify descriptor in-place in emac_store_desc() 2023-05-10 20:50:38 +03:00
mv88w8618_eth.c hw/net: Move MV88W8618 network device out of hw/arm/ directory 2022-01-20 11:47:52 +00:00
ne2000-isa.c hw/isa: Inline and remove one-line isa_init_irq() 2022-03-08 19:38:17 +01:00
ne2000-pci.c include/hw/pci: Split pci_device.h off pci.h 2023-01-08 01:54:22 -05:00
ne2000.c net: Replace TAB indentations with spaces 2022-11-11 09:39:03 +01:00
ne2000.h Include hw/hw.h exactly where needed 2019-08-16 13:31:52 +02:00
net_rx_pkt.c net/net_rx_pkt: Use iovec for net_rx_pkt_set_protocols() 2023-05-24 16:34:46 +03:00
net_rx_pkt.h net/net_rx_pkt: Use iovec for net_rx_pkt_set_protocols() 2023-05-24 16:34:46 +03:00
net_tx_pkt.c hw/net/net_tx_pkt: Align l3_hdr 2023-03-28 13:10:55 +08:00
net_tx_pkt.h igb: Fix DMA requester specification for Tx packet 2023-03-28 13:10:55 +08:00
npcm7xx_emc.c Remove qemu-common.h include from most units 2022-04-06 14:31:55 +02:00
opencores_eth.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
pcnet-pci.c include/hw/pci: Split pci_device.h off pci.h 2023-01-08 01:54:22 -05:00
pcnet.c bulk: Rename TARGET_FMT_plx -> HWADDR_FMT_plx 2023-01-18 11:14:34 +01:00
pcnet.h net: Replace TAB indentations with spaces 2022-11-11 09:39:03 +01:00
rtl8139.c rtl8139: fix large_send_mss divide-by-zero 2023-05-24 18:07:21 +03:00
smc91c111.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
spapr_llan.c Do not include cpu.h if it's not really necessary 2021-05-02 17:24:51 +02:00
stellaris_enet.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
sungem.c include/hw/pci: Split pci_device.h off pci.h 2023-01-08 01:54:22 -05:00
sunhme.c include/hw/pci: Split pci_device.h off pci.h 2023-01-08 01:54:22 -05:00
trace-events igb: handle PF/VF reset properly 2023-03-28 13:10:55 +08:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00
tulip.c include/hw/pci: Split pci_device.h off pci.h 2023-01-08 01:54:22 -05:00
tulip.h Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
vhost_net-stub.c virtio-net: add support for configure interrupt 2023-01-08 01:54:22 -05:00
vhost_net.c virtio-net: add support for configure interrupt 2023-01-08 01:54:22 -05:00
virtio-net.c net/net_rx_pkt: Use iovec for net_rx_pkt_set_protocols() 2023-05-24 16:34:46 +03:00
vmware_utils.h hw/net/vmxnet3: Fix code to work on big endian hosts, too 2017-11-20 11:08:00 +08:00
vmxnet3.c net/net_rx_pkt: Use iovec for net_rx_pkt_set_protocols() 2023-05-24 16:34:46 +03:00
vmxnet3.h Replace config-time define HOST_WORDS_BIGENDIAN 2022-04-06 10:50:37 +02:00
vmxnet3_defs.h include/hw/pci: Split pci_device.h off pci.h 2023-01-08 01:54:22 -05:00
vmxnet_debug.h Clean up ill-advised or unusual header guards 2016-07-12 16:20:46 +02:00
xen_nic.c hw/xen: Use XEN_PAGE_SIZE in PV backend drivers 2023-03-07 17:04:30 +00:00
xgmac.c hw: Do not include qemu/log.h if it is not necessary 2021-05-02 17:24:50 +02:00
xilinx_axienet.c Drop duplicate #include 2023-02-08 07:28:05 +01:00
xilinx_ethlite.c bulk: Rename TARGET_FMT_plx -> HWADDR_FMT_plx 2023-01-18 11:14:34 +01:00