Message ID | 20250207151157.3151776-1-peter.maydell@linaro.org |
---|---|
State | New |
Headers | show |
Series | hw/net/smc91c111: Ignore attempt to pop from empty RX fifo | expand |
On 7/2/25 16:11, Peter Maydell wrote:
> The SMC91C111 includes an MMU Command register which permits
> the guest to remove entries from the RX FIFO. The datasheet
> does not specify what happens if the guest tries to do this
> when the FIFO is already empty; there are no status registers
> containing error bits which might be applicable.
>
> Currently we don't guard at all against pop of an empty
> RX FIFO, with the result that we allow the guest to drive
> the rx_fifo_len index to negative values, which will cause
> smc91c111_receive() to write to the rx_fifo[] array out of
> bounds when we receive the next packet.
>
> Instead ignore attempts to pop an empty RX FIFO.
>
> Cc: qemu-stable@nongnu.org
> Fixes: 80337b66a8e7 ("NIC emulation for qemu arm-softmmu")
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2780
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
> hw/net/smc91c111.c | 9 +++++++++
> 1 file changed, 9 insertions(+)

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
On 7/2/25 16:11, Peter Maydell wrote:
> The SMC91C111 includes an MMU Command register which permits
> the guest to remove entries from the RX FIFO. The datasheet
> does not specify what happens if the guest tries to do this
> when the FIFO is already empty; there are no status registers
> containing error bits which might be applicable.
>
> Currently we don't guard at all against pop of an empty
> RX FIFO, with the result that we allow the guest to drive
> the rx_fifo_len index to negative values, which will cause
> smc91c111_receive() to write to the rx_fifo[] array out of
> bounds when we receive the next packet.
>
> Instead ignore attempts to pop an empty RX FIFO.
>
> Cc: qemu-stable@nongnu.org
> Fixes: 80337b66a8e7 ("NIC emulation for qemu arm-softmmu")
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2780
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
> hw/net/smc91c111.c | 9 +++++++++
> 1 file changed, 9 insertions(+)

Patch queued, thanks.
diff --git a/hw/net/smc91c111.c b/hw/net/smc91c111.c index b18d5c23c39..0e13dfa18b2 100644 --- a/hw/net/smc91c111.c +++ b/hw/net/smc91c111.c @@ -182,6 +182,15 @@ static void smc91c111_pop_rx_fifo(smc91c111_state *s) { int i; + if (s->rx_fifo_len == 0) { + /* + * The datasheet doesn't document what the behaviour is if the + * guest tries to pop an empty RX FIFO, and there's no obvious + * error status register to report it. Just ignore the attempt. + */ + return; + } + s->rx_fifo_len--; if (s->rx_fifo_len) { for (i = 0; i < s->rx_fifo_len; i++)
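Review bot: the new early `return;` at the top of smc91c111_pop_rx_fifo() drops the pop silently; consider emitting a qemu_log_mask(LOG_GUEST_ERROR, ...) line before it so that a guest driver which issues a remove command on an empty RX FIFO shows up in the log, since the datasheet gives no status bit to report it through. The placement is correct as it stands: the guard sits before `s->rx_fifo_len--;`, so the index can no longer be driven negative and the later `for (i = 0; i < s->rx_fifo_len; i++)` shift only runs over valid entries.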
The SMC91C111 includes an MMU Command register which permits the guest to remove entries from the RX FIFO. The datasheet does not specify what happens if the guest tries to do this when the FIFO is already empty; there are no status registers containing error bits which might be applicable.

Currently we don't guard at all against pop of an empty RX FIFO, with the result that we allow the guest to drive the rx_fifo_len index to negative values, which will cause smc91c111_receive() to write to the rx_fifo[] array out of bounds when we receive the next packet.

Instead ignore attempts to pop an empty RX FIFO.

Cc: qemu-stable@nongnu.org
Fixes: 80337b66a8e7 ("NIC emulation for qemu arm-softmmu")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2780
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/net/smc91c111.c | 9 +++++++++
1 file changed, 9 insertions(+)
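The failure sequence the commit message describes, as an added model that is not QEMU's code: a cut-down RX FIFO with the old and the patched pop side by side, showing that only the guarded pop keeps rx_fifo_len non-negative before the next packet is received. NUM_PACKETS, the struct layout and the run_scenario() helper are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#define NUM_PACKETS 4   /* assumed FIFO depth for this model */

typedef struct {
    int rx_fifo_len;            /* queued entries; the index at risk */
    int rx_fifo[NUM_PACKETS];   /* queued packet slots */
} rx_fifo_model;

/* MMU "remove from RX FIFO" command. guarded == 0 models the old code,
 * guarded == 1 the patched code that ignores a pop of an empty FIFO. */
static void pop_rx_fifo(rx_fifo_model *s, int guarded)
{
    if (guarded && s->rx_fifo_len == 0) {
        return;                 /* the guard the patch adds */
    }
    s->rx_fifo_len--;
    for (int i = 0; i < s->rx_fifo_len; i++) {
        s->rx_fifo[i] = s->rx_fifo[i + 1];
    }
}

/* Receive path. Rather than perform the store, report whether the index
 * the device model would use actually lies inside rx_fifo[]. */
static int receive_packet(rx_fifo_model *s, int slot)
{
    if (s->rx_fifo_len < 0 || s->rx_fifo_len >= NUM_PACKETS) {
        return 0;               /* this is the out-of-bounds write */
    }
    s->rx_fifo[s->rx_fifo_len++] = slot;
    return 1;
}

typedef struct { int len; int receive_ok; } outcome;

/* Scenario from the bug report: one packet queued, the guest issues
 * `pops` remove commands, then the next packet arrives. */
outcome run_scenario(int guarded, int pops)
{
    rx_fifo_model s; outcome o;
    memset(&s, 0, sizeof(s));
    receive_packet(&s, 1);
    for (int i = 0; i < pops; i++) {
        pop_rx_fifo(&s, guarded);
    }
    o.receive_ok = receive_packet(&s, 2);
    o.len = s.rx_fifo_len;
    return o;
}
```

With two pops after a single receive, the unguarded model ends at rx_fifo_len == -1 and the next receive would index outside the array; the guarded model stays at 0 and the receive succeeds.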