Cc'ing QEMU fuzz team.

On 7/29/21 11:19 AM, Pavel Pisa wrote:
> Hello everybody,
>
> please, can somebody accept the fix for master?
> It should be ideally applied even to stable
> branches.
>
> Or should I send a request through some other form
> than on the list?

I suppose the patch fell through the cracks.

Apparently Paolo doesn't like to queue fuzzer fixes without a reproducer.
For examples, see tests/qtest/fuzz-*.c in the tree.

>
> Thanks,
>
> Pavel
>
> On Monday 26 of July 2021 18:24:58 Pavel Pisa wrote:
>> Problem reported by openEuler fuzz-sig group.
>>
>> The buff2frame_bas function (hw\net\can\can_sja1000.c)
>> infoleak (qemu 5.x~qemu 6.x) or stack-overflow (qemu 4.x).
>>

If you want the patch backported in stable releases, please include:
Cc: [email protected]

>> Reported-by: Qiang Ning <[email protected]>
>> Signed-off-by: Pavel Pisa <[email protected]>
>> ---
>> hw/net/can/can_sja1000.c | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/hw/net/can/can_sja1000.c b/hw/net/can/can_sja1000.c
>> index 42d2f99dfb..64e81bff58 100644
>> --- a/hw/net/can/can_sja1000.c
>> +++ b/hw/net/can/can_sja1000.c
>> @@ -311,6 +311,10 @@ static void buff2frame_bas(const uint8_t *buff,
>> qemu_can_frame *frame) }
>> frame->can_dlc = buff[1] & 0x0f;
>>
>> + if (frame->can_dlc > 8) {
>> + frame->can_dlc = 8;
>> + }
>> +

This doesn't seem a complete fix (see buff2frame_pel).

Here can_dlc shouldn't be more than 8. What you can do here
(and in buff2frame_pel) is:

  assert(frame->can_dlc <= 8);

and find where the field is abused, probably discarding
invalid frames earlier?

>> for (i = 0; i < frame->can_dlc; i++) {
>> frame->data[i] = buff[2 + i];
>> }
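Review bot: the new check in this hunk turns a malformed frame into a seemingly valid one rather than rejecting it. The `& 0x0f` mask on the line above already limits can_dlc to 0..15, so `if (frame->can_dlc > 8)` only ever fires for 9..15, and those frames then fall through into the copy loop with eight data bytes as if the guest had written a legal length, leaving no trace that anything was wrong. If frames with an illegal DLC are to be dropped, which is what the reply asks for, the check should leave buff2frame_bas before the loop (return here, or skip the frame in the caller) instead of rewriting the field; if truncation really is intended, the commit message, which currently names only the symptom ("infoleak ... or stack-overflow"), should say so, and the same decision has to be applied in buff2frame_pel, as the reply notes. Either way the literal 8 appears twice in four lines; a named limit would make it clear this is the classic CAN payload maximum and not simply the size of frame->data, which the hunk does not show.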
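The two options weighed in this thread, clamping the DLC before the copy (what the hunk does) versus validating the frame and discarding it (what the reply suggests), as an added example in C that is neither QEMU code nor part of the original mails. The struct layout demo_can_frame, every demo_* name, the CAN_MAX_DLC limit of 8 and the sample register images are assumptions for illustration; only the `buff[1] & 0x0f` extraction and the per-byte copy loop follow the quoted hunk. The rejecting variant also takes the source buffer length, so it refuses a DLC that would read past the bytes actually present, the over-read side of the same bug.

```c
/*
 * Added example, not QEMU code: the two ways of handling the DLC nibble
 * discussed in the thread. Everything named demo_* and CAN_MAX_DLC is an
 * assumption for illustration; only the "buff[1] & 0x0f" extraction and
 * the byte-by-byte copy loop follow the quoted hunk.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAN_MAX_DLC 8            /* assumed: classic CAN payload limit */

struct demo_can_frame {          /* assumed layout standing in for qemu_can_frame */
    uint32_t can_id;
    uint8_t  can_dlc;
    uint8_t  data[CAN_MAX_DLC];
};

/* Raw DLC nibble exactly as the quoted code extracts it: 0..15 after the mask,
 * so a guest can always supply 9..15 even though only 0..8 fit in data[]. */
static uint8_t demo_raw_dlc(const uint8_t *buff)
{
    return buff[1] & 0x0f;
}

/*
 * Variant A, the hunk's approach: clamp to 8 before the copy loop. An
 * out-of-range value (9..15) is silently rewritten to 8 and 8 bytes are
 * copied as if the frame were well-formed. The return value reports whether
 * clamping happened, which the hunk itself has no way to communicate.
 */
static bool demo_buff2frame_clamp(const uint8_t *buff, struct demo_can_frame *frame)
{
    bool clamped = false;

    frame->can_dlc = demo_raw_dlc(buff);
    if (frame->can_dlc > CAN_MAX_DLC) {
        frame->can_dlc = CAN_MAX_DLC;
        clamped = true;
    }
    for (int i = 0; i < frame->can_dlc; i++) {
        frame->data[i] = buff[2 + i];
    }
    return clamped;
}

/*
 * Variant B, the reply's suggestion: validate first and discard the frame
 * if the DLC cannot be honoured. The caller also passes the source buffer
 * length, so a DLC larger than the bytes actually present is refused too
 * (that is the over-read side of the same bug). On rejection *frame is
 * left untouched.
 */
static bool demo_buff2frame_reject(const uint8_t *buff, size_t buff_len,
                                   struct demo_can_frame *frame)
{
    if (buff_len < 2) {
        return false;                    /* no DLC byte to look at */
    }
    uint8_t dlc = demo_raw_dlc(buff);
    if (dlc > sizeof(frame->data) || buff_len < 2u + dlc) {
        return false;                    /* malformed: drop, do not truncate */
    }
    frame->can_dlc = dlc;
    memcpy(frame->data, buff + 2, dlc);
    return true;
}

/* Constructed register images (not captured from a guest): DLC 15 and DLC 3. */
static const uint8_t demo_img_dlc15[2 + CAN_MAX_DLC] = { 0x00, 0x0f, 1, 2, 3, 4, 5, 6, 7, 8 };
static const uint8_t demo_img_dlc3[2 + 3]            = { 0x00, 0x03, 0xaa, 0xbb, 0xcc };

/* Effective DLC after variant A (always 0..8). */
static int demo_clamp_dlc(const uint8_t *buff)
{
    struct demo_can_frame f = { 0 };
    demo_buff2frame_clamp(buff, &f);
    return f.can_dlc;
}

/* Effective DLC after variant B, or -1 when the frame was rejected. */
static int demo_reject_dlc(const uint8_t *buff, size_t buff_len)
{
    struct demo_can_frame f = { 0 };
    return demo_buff2frame_reject(buff, buff_len, &f) ? f.can_dlc : -1;
}

int main(void)
{
    printf("raw nibble, dlc15 image:        %u\n", demo_raw_dlc(demo_img_dlc15));
    printf("clamp,  dlc15 image:            %d\n", demo_clamp_dlc(demo_img_dlc15));
    printf("reject, dlc15 image:            %d\n", demo_reject_dlc(demo_img_dlc15, sizeof demo_img_dlc15));
    printf("reject, dlc3 image:             %d\n", demo_reject_dlc(demo_img_dlc3, sizeof demo_img_dlc3));
    printf("reject, dlc3 image, 4 bytes:    %d\n", demo_reject_dlc(demo_img_dlc3, 4));
    return 0;
}
```

The difference that matters for the fuzzer report is visible in the last three calls: variant A hands the DLC-15 image on as an eight-byte frame, while variant B drops it and also drops a frame whose declared length exceeds what the source buffer holds, so neither an over-write of data[] nor an over-read of the source is reachable from a guest-chosen nibble.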
