Created
September 30, 2020 05:59
-
-
Save droogie/58c5fa7c3e4319ccf21cf763baedbad3 to your computer and use it in GitHub Desktop.
QEMU 5.0.0 e1000 device patch to view leaked uninitialized memory from DMA mappings
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- orig_qemu/qemu-5.0.0/hw/net/e1000.c 2020-04-28 09:49:24.000000000 -0700 | |
| +++ qemu-5.0.0/hw/net/e1000.c 2020-09-28 00:31:20.000000000 -0700 | |
| @@ -42,8 +42,16 @@ | |
| static const uint8_t bcast[] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff}; | |
| -/* #define E1000_DEBUG */ | |
| +#define PAGE_SHIFT 12 | |
| +#define PAGE_SIZE (1UL << PAGE_SHIFT) | |
| +#define PAGE_MASK (~(PAGE_SIZE-1)) | |
| + | |
| +#define PAGE_ALIGN(addr) (((addr)+PAGE_SIZE-1)&PAGE_MASK) | |
| +#define PAGE_ALIGN_DOWN(addr) ((addr) & PAGE_MASK) | |
| + | |
| +/* #define E1000_DEBUG */ | |
| +//#define E1000_DEBUG | |
| #ifdef E1000_DEBUG | |
| enum { | |
| DEBUG_GENERAL, DEBUG_IO, DEBUG_MMIO, DEBUG_INTERRUPT, | |
| @@ -55,7 +63,7 @@ | |
| static int debugflags = DBGBIT(TXERR) | DBGBIT(GENERAL); | |
| #define DBGOUT(what, fmt, ...) do { \ | |
| - if (debugflags & DBGBIT(what)) \ | |
| + if (1) \ | |
| fprintf(stderr, "e1000: " fmt, ## __VA_ARGS__); \ | |
| } while (0) | |
| #else | |
| @@ -622,6 +630,64 @@ | |
| s->mac_reg[GOTCH] = s->mac_reg[TOTH]; | |
| } | |
| + | |
| +/* | |
| +void hexdump(PCIDevice *d, uint64_t addr, int len) { | |
| + int i; | |
| + unsigned char buffer[len]; | |
| + | |
| + pci_dma_read(d, addr, buffer, len); | |
| + | |
| + for(i=0;i<len;i++) { | |
| + if ( i != 0 && !(i % 16) ) { | |
| + fprintf(stderr, "\n"); | |
| + } | |
| + fprintf(stderr, "%02x ", buffer[i]); | |
| + } | |
| +} | |
| +*/ | |
| + | |
| + | |
| +void hexdump(PCIDevice *d, uint64_t addr, int size) { | |
| + char ascii[17]; | |
| + size_t i, j; | |
| + ascii[16] = '\0'; | |
| + | |
| + unsigned char data[size]; | |
| + pci_dma_read(d, addr, data, size); | |
| + fflush(stderr); | |
| + for (i = 0; i < size; ++i) { | |
| + fprintf(stderr, "%02X ", ((unsigned char*)data)[i]); | |
| + fflush(stderr); | |
| + if (((unsigned char*)data)[i] >= ' ' && ((unsigned char*)data)[i] <= '~') { | |
| + ascii[i % 16] = ((unsigned char*)data)[i]; | |
| + } else { | |
| + ascii[i % 16] = '.'; | |
| + } | |
| + if ((i+1) % 8 == 0 || i+1 == size) { | |
| + fprintf(stderr, " "); | |
| + fflush(stderr); | |
| + if ((i+1) % 16 == 0) { | |
| + fprintf(stderr, "| %s \n", ascii); | |
| + fflush(stderr); | |
| + } else if (i+1 == size) { | |
| + ascii[(i+1) % 16] = '\0'; | |
| + if ((i+1) % 16 <= 8) { | |
| + fprintf(stderr, " "); | |
| + fflush(stderr); | |
| + } | |
| + for (j = (i+1) % 16; j < 16; ++j) { | |
| + fprintf(stderr, " "); | |
| + fflush(stderr); | |
| + } | |
| + fprintf(stderr, "| %s \n", ascii); | |
| + fflush(stderr); | |
| + } | |
| + } | |
| + } | |
| +} | |
| + | |
| + | |
| static void | |
| process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) | |
| { | |
| @@ -675,7 +741,25 @@ | |
| bytes = msh - tp->size; | |
| bytes = MIN(sizeof(tp->data) - tp->size, bytes); | |
| + | |
| pci_dma_read(d, addr, tp->data + tp->size, bytes); | |
| + // DROOGIE | |
| + //printf("addr: %llx, bytes: %d\n", addr, bytes); | |
| + fprintf(stderr, "e1000: addr: %llx, bytes: %d\n", addr, bytes); | |
| + | |
| + uint64_t before = PAGE_ALIGN_DOWN(addr); | |
| + int before_len = addr - before; | |
| + uint64_t after = addr + bytes; | |
| + uint64_t npage = PAGE_ALIGN(addr); | |
| + int after_len = npage - after; | |
| + | |
| + fprintf(stderr, "e1000: page: %llu\n", npage); | |
| + fprintf(stderr, "e1000: BEFORE!!!\n"); | |
| + hexdump(d, before, before_len); | |
| + fprintf(stderr, "e1000: AFTER!!!\n"); | |
| + hexdump(d, after, after_len); | |
| + | |
| + | |
| sz = tp->size + bytes; | |
| if (sz >= tp->tso_props.hdr_len | |
| && tp->size < tp->tso_props.hdr_len) { | |
| @@ -693,6 +777,23 @@ | |
| } else { | |
| split_size = MIN(sizeof(tp->data) - tp->size, split_size); | |
| pci_dma_read(d, addr, tp->data + tp->size, split_size); | |
| + //printf("else addr: %llx, bytes: %d\n", addr, split_size); | |
| + fprintf(stderr, "e1000: else addr: %llx, bytes: %d\n", addr, split_size); | |
| + | |
| + uint64_t before = PAGE_ALIGN_DOWN(addr); | |
| + int before_len = addr - before; | |
| + uint64_t after = addr + split_size; | |
| + uint64_t npage = PAGE_ALIGN(addr); | |
| + int after_len = npage - after; | |
| + | |
| + fprintf(stderr, "e1000: page: %llu\n", npage); | |
| + fprintf(stderr, "e1000: BEFORE!!!\n"); | |
| + hexdump(d, before, before_len); | |
| + fprintf(stderr, "e1000: AFTER!!!\n"); | |
| + hexdump(d, after, after_len); | |
| + | |
| + | |
| + | |
| tp->size += split_size; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment