On Wed, 15 Apr 2026 at 05:08, Feifan Qian <[email protected]> wrote:
>
> The TX Frame Control Block (FCB) is prepended to a TX frame when
> BD_TX_TOEUN is set. It contains two guest-controlled u8 offset
> fields that process_tx_fcb() uses to locate L3/L4 headers within
> the frame buffer:
>
>     l3_header_offset = FCB byte 3 (0..255)
>     l4_header_offset = FCB byte 2 (0..255)
>
> These offsets are applied without any bounds check. When the
> UDP-no-CTU branch is taken, the function writes zero to
> l4_header[6] and l4_header[7]. With both offsets set to 0xFF the
> write target is:
>
>     tx_buffer + 8 + 255 + 255 + 6/7 = tx_buffer + 525
>
> A malicious guest can therefore corrupt up to 509 bytes of heap
> memory beyond a minimally-sized (16 B) TX frame.
>
> Fix: reject the frame and log a guest error when the minimum
> required buffer length
>
>     8 (FCB) + l3_header_offset + l4_header_offset + 8
>
> exceeds tx_buffer_len. Move the l3_header and l4_header pointer
> declarations past the new guard so that out-of-bounds pointers
> are never materialised.
>
> Cc: [email protected]
> Signed-off-by: Feifan Qian <[email protected]>
This bug just got re-found by somebody recently, so:

Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3517
Reviewed-by: Peter Maydell <[email protected]>

Jason, are you going to pick this one up, or one of the PPC folks?
(I found it didn't quite apply cleanly for some reason, but I don't
know why as that file hasn't changed in ages.)

thanks
-- PMM
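The following is an added illustration of the guard described in the patch message above; it is not QEMU's code and not part of this thread. It models only what the message states: an 8-byte FCB at the start of the TX buffer, the L4 offset in FCB byte 2, the L3 offset in FCB byte 3, the L4 header located relative to the L3 header, and the UDP-no-CTU branch zeroing l4_header[6..7]. The function names, the early "FCB must fit" check and the sample frames are assumptions made for the example.

```c
/* Model of the process_tx_fcb() bounds check from the patch description.
 * Added example, not QEMU's own code. FCB layout assumed from the message;
 * the helper names and sample frames are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FCB_LEN 8

/* Highest byte offset the UDP-no-CTU branch writes (l4_header[7]):
 * FCB + l3 offset + l4 offset + 7, i.e. 525 when both offsets are 0xFF. */
static size_t fcb_max_write_offset(uint8_t l3_off, uint8_t l4_off)
{
    return (size_t)FCB_LEN + l3_off + l4_off + 7;
}

/* Minimum buffer length the patch requires: 8 (FCB) + l3 + l4 + 8. */
static size_t fcb_required_len(uint8_t l3_off, uint8_t l4_off)
{
    return (size_t)FCB_LEN + l3_off + l4_off + 8;
}

/* Guarded version of the offset handling. Returns false (and logs a
 * guest error) when the frame is too short for the offsets it carries;
 * header pointers are only formed after the guard has passed. */
static bool process_tx_fcb_guarded(uint8_t *tx_buffer, size_t tx_buffer_len)
{
    /* Assumption: the FCB itself must be present before reading offsets. */
    if (tx_buffer_len < FCB_LEN) {
        fprintf(stderr, "guest error: TX frame shorter than FCB\n");
        return false;
    }
    uint8_t l4_off = tx_buffer[2];
    uint8_t l3_off = tx_buffer[3];

    if (fcb_required_len(l3_off, l4_off) > tx_buffer_len) {
        fprintf(stderr, "guest error: FCB offsets (l3=%u l4=%u) exceed "
                "frame length %zu\n", l3_off, l4_off, tx_buffer_len);
        return false;
    }

    /* Pointers are materialised only now, so they are in bounds. */
    uint8_t *l3_header = tx_buffer + FCB_LEN + l3_off;
    uint8_t *l4_header = l3_header + l4_off;
    l4_header[6] = 0;   /* UDP-no-CTU branch: clear checksum bytes */
    l4_header[7] = 0;
    return true;
}

/* Constructed sample: minimal 16-byte frame with both offsets 0xFF.
 * Returns true if the guard rejected it. */
static bool demo_minimal_frame_rejected(void)
{
    uint8_t frame[16];
    memset(frame, 0, sizeof frame);
    frame[2] = 0xFF;
    frame[3] = 0xFF;
    return !process_tx_fcb_guarded(frame, sizeof frame);
}

/* Constructed sample: 64-byte frame, l3 offset 14, l4 offset 20.
 * Required length is 8+14+20+8 = 50 <= 64, so it must be accepted and
 * bytes 48 and 49 (FCB + 14 + 20 + 6/7) must be zeroed. */
static bool demo_inbounds_frame_accepted(void)
{
    uint8_t frame[64];
    memset(frame, 0xAA, sizeof frame);
    frame[2] = 20;
    frame[3] = 14;
    if (!process_tx_fcb_guarded(frame, sizeof frame)) {
        return false;
    }
    return frame[48] == 0 && frame[49] == 0 && frame[47] == 0xAA;
}

int main(void)
{
    printf("max write offset for 0xFF/0xFF: %zu\n",
           fcb_max_write_offset(0xFF, 0xFF));
    printf("minimal frame rejected: %s\n",
           demo_minimal_frame_rejected() ? "yes" : "no");
    printf("in-bounds frame accepted: %s\n",
           demo_inbounds_frame_accepted() ? "yes" : "no");
    return 0;
}
```

The arithmetic helpers reproduce the figures in the message (a write reaching byte 525, a required length of 526 for a 16-byte frame), and the guarded function shows why moving the pointer declarations below the check matters: no out-of-bounds pointer exists on the rejected path.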
