Commit 8526b7d6b6 for qemu.org
commit 8526b7d6b67beda0c83e4a8aec1449475fe5dd65
Author: Peter Maydell <peter.maydell@linaro.org>
Date: Tue May 5 19:51:56 2026 +0100
hw/net/rocker_of_dpa: Check group ID pointers are not NULL
In of_dpa_cmd_add_l2_flood(), we use rocker_tlv_parse_nested()
to fill in a tlvs[] array. If the guest command is valid then
the entries should be pointers to TLV data items with group IDs.
However, if the guest gives us bogus data then rocker_tlv_parse_nested()
indicates this by leaving the tlvs[] entries NULL. In the other
places that use this function, we check for this before using
the value, but here we forgot, and the result is that QEMU can
crash:
#0 __memcpy_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:331
#1 0x00005555574f7137 in __asan_memcpy ()
#2 0x0000555558106792 in ldl_he_p (ptr=0x8) at /home/pm215/qemu/include/qemu/bswap.h:278
#3 0x0000555558106755 in ldl_le_p (ptr=0x8) at /home/pm215/qemu/include/qemu/bswap.h:311
#4 0x00005555580f85ed in rocker_tlv_get_le32 (tlv=0x0) at ../../hw/net/rocker/rocker_tlv.h:114
#5 0x000055555810a8ad in of_dpa_cmd_add_l2_flood (of_dpa=0x506000082e38, group=0x503000b4e440, group_tlvs=0x7fff68702c20)
at ../../hw/net/rocker/rocker_of_dpa.c:2032
#6 0x0000555558108a74 in of_dpa_cmd_group_do (of_dpa=0x506000082e38, group_id=1073741824, group=0x503000b4e440, group_tlvs=0x7fff68702c20)
at ../../hw/net/rocker/rocker_of_dpa.c:2115
#7 0x0000555558108730 in of_dpa_cmd_group_add (of_dpa=0x506000082e38, group_id=1073741824, group_tlvs=0x7fff68702c20)
at ../../hw/net/rocker/rocker_of_dpa.c:2135
#8 0x00005555580f66ec in of_dpa_group_cmd
(of_dpa=0x506000082e38, info=0x514000072e40, buf=0x5070002356c0 "\001", cmd=7, group_tlvs=0x7fff68702c20)
at ../../hw/net/rocker/rocker_of_dpa.c:2194
Check for NULL values and return an error.
Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/1851
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
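To make the failure mode concrete, here is a standalone example of the pattern the commit describes: a nested-TLV parser that records a pointer per attribute type and leaves the slot NULL for attributes the guest did not send, a consumer that dereferences those slots, and the hardened loop that rejects a NULL slot before reading a 32-bit value from it. This is an added example written for this page, not QEMU's rocker code; the TLV layout (little-endian u16 type, u16 payload length, payload), the names `parse_nested`, `tlv_get_le32`, `collect_group_ids`, `collect_group_ids_unchecked`, the `MAX_TYPE` bound and the `ERR_INVAL` value are all assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical TLV encoding for this example (not the rocker wire format):
 * little-endian u16 type, u16 payload length, then the payload bytes. */
#define TLV_HDR_LEN 4
#define MAX_TYPE    8     /* assumed upper bound on attribute types we track */
#define ERR_INVAL   22    /* assumed error code, stands in for ROCKER_EINVAL */

static uint16_t get_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk a nested TLV buffer and store a pointer to each attribute in the slot
 * for its type. Slots for attributes the guest never sent stay NULL, and a
 * truncated attribute stops the walk, so the caller must check for NULL
 * before dereferencing any slot. */
static void parse_nested(const uint8_t *tlvs[], size_t max_type,
                         const uint8_t *buf, size_t len)
{
    size_t off = 0;
    memset(tlvs, 0, sizeof(*tlvs) * (max_type + 1));
    while (off + TLV_HDR_LEN <= len) {
        uint16_t type = get_le16(buf + off);
        uint16_t plen = get_le16(buf + off + 2);
        if (off + TLV_HDR_LEN + plen > len) {
            break;                 /* truncated attribute: leave the rest NULL */
        }
        if (type <= max_type) {
            tlvs[type] = buf + off;
        }
        off += TLV_HDR_LEN + plen;
    }
}

/* Like rocker_tlv_get_le32 in the backtrace, this trusts its argument:
 * passing NULL reads from address 4 here and crashes. */
static uint32_t tlv_get_le32(const uint8_t *tlv)
{
    return get_le32(tlv + TLV_HDR_LEN);
}

/* The unchecked shape of the loop (the bug): any missing attribute in
 * 1..count is a NULL deref inside tlv_get_le32. Shown for contrast only. */
static void collect_group_ids_unchecked(const uint8_t *tlvs[], unsigned count,
                                        uint32_t *ids)
{
    for (unsigned i = 0; i < count; i++) {
        ids[i] = tlv_get_le32(tlvs[i + 1]);
    }
}

/* Hardened consumer, mirroring the fix: bound the index to the slot array,
 * reject a NULL slot, and also reject an attribute too short to hold a u32.
 * Returns 0 and fills ids[0..count-1] on success, -ERR_INVAL otherwise. */
static int collect_group_ids(const uint8_t *buf, size_t len,
                             unsigned count, uint32_t *ids)
{
    const uint8_t *tlvs[MAX_TYPE + 1];
    if (count > MAX_TYPE) {
        return -ERR_INVAL;
    }
    parse_nested(tlvs, MAX_TYPE, buf, len);
    for (unsigned i = 0; i < count; i++) {
        const uint8_t *t = tlvs[i + 1];
        if (!t || get_le16(t + 2) < sizeof(uint32_t)) {
            return -ERR_INVAL;
        }
        ids[i] = tlv_get_le32(t);
    }
    return 0;
}

/* Helper to build constructed sample input: one TLV carrying a u32. */
static size_t put_tlv_u32(uint8_t *out, size_t off, uint16_t type, uint32_t val)
{
    out[off] = type & 0xff;  out[off + 1] = type >> 8;
    out[off + 2] = 4;        out[off + 3] = 0;
    out[off + 4] = val & 0xff;         out[off + 5] = (val >> 8) & 0xff;
    out[off + 6] = (val >> 16) & 0xff; out[off + 7] = (val >> 24) & 0xff;
    return off + TLV_HDR_LEN + 4;
}

/* Well-formed command: attributes 1, 2, 3 present, count 3. Returns 1 on the
 * expected result. Both the unchecked and the hardened loop succeed here. */
int demo_valid(void)
{
    uint8_t buf[64]; size_t n = 0; uint32_t ids[3], ids2[3];
    const uint8_t *tlvs[MAX_TYPE + 1];
    n = put_tlv_u32(buf, n, 1, 0x10000001u);
    n = put_tlv_u32(buf, n, 2, 0x10000002u);
    n = put_tlv_u32(buf, n, 3, 0x10000003u);
    parse_nested(tlvs, MAX_TYPE, buf, n);
    collect_group_ids_unchecked(tlvs, 3, ids2);
    return collect_group_ids(buf, n, 3, ids) == 0 &&
           ids[0] == 0x10000001u && ids[2] == 0x10000003u && ids2[1] == 0x10000002u;
}

/* Bogus guest data: attribute 2 missing but count still 3. The hardened
 * loop returns -ERR_INVAL; the unchecked loop would crash on tlvs[2]. */
int demo_missing_slot(void)
{
    uint8_t buf[64]; size_t n = 0; uint32_t ids[3];
    n = put_tlv_u32(buf, n, 1, 0x10000001u);
    n = put_tlv_u32(buf, n, 3, 0x10000003u);
    return collect_group_ids(buf, n, 3, ids) == -ERR_INVAL;
}

int main(void)
{
    printf("valid: %d, missing slot rejected: %d\n", demo_valid(), demo_missing_slot());
    return 0;
}
```

The point of the extra length check is that a NULL test alone guarantees the slot exists, not that the attribute is long enough for the read that follows; in this example the consumer checks both before calling the trusting accessor.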
diff --git a/hw/net/rocker/rocker_of_dpa.c b/hw/net/rocker/rocker_of_dpa.c
index 3190a0e75c..958f3006c1 100644
--- a/hw/net/rocker/rocker_of_dpa.c
+++ b/hw/net/rocker/rocker_of_dpa.c
@@ -2029,6 +2029,10 @@ static int of_dpa_cmd_add_l2_flood(OfDpa *of_dpa, OfDpaGroup *group,
group_tlvs[ROCKER_TLV_OF_DPA_GROUP_IDS]);
for (i = 0; i < group->l2_flood.group_count; i++) {
+ if (!tlvs[i + 1]) {
+ err = -ROCKER_EINVAL;
+ goto err_out;
+ }
group->l2_flood.group_ids[i] = rocker_tlv_get_le32(tlvs[i + 1]);
}
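Review bot: the NULL check covers tlvs[i + 1] for every i below group->l2_flood.group_count, but nothing in this hunk shows group_count being bounded by the size of tlvs[]; if group_count comes from a guest-supplied count rather than from the parsed array, the loop could still index past the end of tlvs[] before the new check ever runs. Worth confirming in the context just above line 2029 that group_count is clamped to the array size, or deriving it from the number of parsed entries. Also, "goto err_out" is taken with group_ids partially filled, so the err_out path (not visible here) must release whatever was allocated for group_ids above this hunk; a one-line comment on the check, e.g. "/* guest omitted a group ID TLV */", would make the intent of -ROCKER_EINVAL clear to the next reader.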