Out-of-bounds access in smc91c111_readb()
Host environment
- Operating system: Ubuntu
- OS/kernel version: Linux 6.8
- Architecture: x86_64
- QEMU flavor: qemu-system-arm
- QEMU version: commit 7c89e226
Emulated/Virtualized environment
- Architecture: ARM
Description of problem
An out-of-bounds bug was triggered by my fuzzer.
It looks like the code doesn't have a boundary check on the access to `data`.
The error is:
`hw/net/smc91c111.c:605:24: runtime error: index 2048 out of bounds for type 'uint8_t[2048]' (aka 'unsigned char[2048]')`
It's likely that line 457 also needs a check.
Steps to reproduce
```sh
export QEMU_ARGS="-display none -machine accel=qtest, -m 512M -machine realview-eb"
cat << EOF | ./qemu-system-arm $QEMU_ARGS -qtest /dev/null -qtest stdio
writew 0x4e00000c 0x46084a4a
writel 0x4e00000c 0x5c022fcc
clock_step
writel 0x4e000004 0x2fffa1b1
clock_step
readl 0x4e000008
EOF
```
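To show the shape of the missing check, here is an added C example that is not QEMU's code and not the reporter's: a toy NIC model with a 2048-byte packet buffer (the array size named in the UBSan message) addressed by a guest-controlled pointer register. The register layout, the auto-increment flag and the 0xff value returned for rejected reads are assumptions for the illustration. The point it makes is that the guest controls the index, so every accessor on the data path, read and write alike, must validate the index at the moment of use rather than trusting the register value.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

/* Added example, not QEMU code: a toy NIC model with a 2048-byte packet
 * buffer addressed by a guest-controlled pointer register, the same array
 * size the UBSan message in the report names. Register layout is assumed. */
#define PKT_BUF_SIZE 2048u

typedef struct {
    uint8_t  data[PKT_BUF_SIZE];
    uint32_t ptr;            /* guest-writable pointer register (assumed) */
    bool     autoinc;        /* assumed: advance ptr after each byte access */
    unsigned oob_accesses;   /* count of rejected accesses, for logging/tests */
} ToyNicState;

/* Boundary check shared by every data-path accessor. The guest can write
 * anything into ptr, so validate at the moment of use, not only on write. */
static bool toy_nic_ptr_in_bounds(const ToyNicState *s)
{
    return s->ptr < PKT_BUF_SIZE;
}

static void toy_nic_advance(ToyNicState *s)
{
    if (s->autoinc) {
        s->ptr++;            /* may step to 2048; the next access rechecks */
    }
}

/* Hardened read: an out-of-range pointer yields 0xff (an assumed
 * "unmapped bus" value) instead of reading past data[]. */
static uint8_t toy_nic_readb(ToyNicState *s)
{
    uint8_t v;
    if (!toy_nic_ptr_in_bounds(s)) {
        s->oob_accesses++;
        v = 0xff;
    } else {
        v = s->data[s->ptr];
    }
    toy_nic_advance(s);
    return v;
}

/* Hardened write: the same check, so a guest cannot write past data[]
 * either (the report notes a second site likely needs the same check). */
static void toy_nic_writeb(ToyNicState *s, uint8_t val)
{
    if (!toy_nic_ptr_in_bounds(s)) {
        s->oob_accesses++;
    } else {
        s->data[s->ptr] = val;
    }
    toy_nic_advance(s);
}

/* Constructed scenario, not the reporter's trace: position the pointer at
 * the last valid byte with auto-increment on, then access three times. The
 * second and third accesses land on index 2048 and 2049 and must be
 * rejected rather than touching memory past the array. Returns the number
 * of rejected accesses. */
static unsigned toy_nic_demo(void)
{
    ToyNicState s;
    memset(&s, 0, sizeof(s));
    s.data[PKT_BUF_SIZE - 1] = 0x5a;
    s.ptr = PKT_BUF_SIZE - 1;
    s.autoinc = true;
    (void)toy_nic_readb(&s);   /* in bounds, returns 0x5a */
    (void)toy_nic_readb(&s);   /* ptr == 2048: rejected */
    toy_nic_writeb(&s, 0x11);  /* ptr == 2049: rejected */
    return s.oob_accesses;
}
```

Note that the check lives inside the accessors rather than in the pointer-register write handler: a value that is valid when written can still walk off the end through auto-increment, which is why `toy_nic_demo()` reports two rejected accesses after a single in-range register write.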