From nobody Mon Feb 9 19:04:58 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) client-ip=170.10.133.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=fail(p=none dis=none) header.from=canonical.com Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.zohomail.com with SMTPS id 1634906767874820.6253664680911; Fri, 22 Oct 2021 05:46:07 -0700 (PDT) Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-242-oZaL1uViMRqQxiTqXDy-dg-1; Fri, 22 Oct 2021 08:46:03 -0400 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id EDBED801FCE; Fri, 22 Oct 2021 12:45:57 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 265A218351; Fri, 22 Oct 2021 12:45:57 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 32C4F4A704; Fri, 22 Oct 2021 12:45:53 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.rdu2.redhat.com [10.11.54.1]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 19MCjpDS011512 for ; Fri, 22 Oct 2021 08:45:51 -0400 Received: by smtp.corp.redhat.com (Postfix) id 8D6FB40CFD11; Fri, 22 Oct 2021 12:45:51 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast05.extmail.prod.ext.rdu2.redhat.com [10.11.55.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 882AB40CFD07 for ; Fri, 22 Oct 2021 12:45:51 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com [207.211.31.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 6BD7B80015A for ; Fri, 22 Oct 2021 12:45:51 +0000 (UTC) Received: from smtp-relay-internal-1.canonical.com (smtp-relay-internal-1.canonical.com [185.125.188.123]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-291-k1J62kaiM6SQw-fsRNZ-xw-1; Fri, 22 Oct 2021 08:45:49 -0400 Received: from mail-lf1-f72.google.com (mail-lf1-f72.google.com [209.85.167.72]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id EE2AA3FFEE for ; Fri, 22 Oct 2021 12:45:47 +0000 (UTC) Received: by mail-lf1-f72.google.com with SMTP id x17-20020a0565123f9100b003ff593b7c65so1679597lfa.12 for ; Fri, 22 Oct 2021 05:45:47 -0700 (PDT) Received: from ws.lan.d-node.is ([95.165.29.203]) by smtp.gmail.com with ESMTPSA id e8sm722655lft.308.2021.10.22.05.45.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 22 Oct 2021 05:45:46 -0700 (PDT) X-MC-Unique: oZaL1uViMRqQxiTqXDy-dg-1 X-MC-Unique: k1J62kaiM6SQw-fsRNZ-xw-1 X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=eoqe/PQkgnUX0tHOLIL0W4xXMKDXq+gmuwCHp8j/xbQ=; b=3mCyOn904MC1pRp3myWcD9qnkoNOgRedGbSSW8uuFfvwYvEibyRgQRQtxPl2L+4UOY aasHOq5DpDqKb64kzNapeSKhLEouJ8c/KkG+Bwt1EHogy3D4DoQ3I+jCLJGJe3K32qT4 N1X3V8iww07iuUAmfu/0t9fY2XnUVcfZDbrfQmD/m6dFbw+Y6y4AiXlcsfBJ84ve63MC rKftlMMVq9hK4O3y/D5IuqU3YWZL/Hzz3wOJTcq1C+I/bS9RrrEOnlOeNkINx2apHPGB bBnezFMcvsMv5AC5b+2bnHCvePQUq5ds6DXnhC9psDXY8fxS9LT4zWn90sV/BIcz/SfZ JbLA== X-Gm-Message-State: AOAM530d8/A6RBVHEWzMzCutcpMnJBTo2xkTXdE3oeV9bVPHjFWoHI0W PATkIl62WjGnDMa2Dctrj720RNrqLGoFNl5zSeicqz/TuuwsLPbn55Y4RFHqx0KIEi54srh0baV 68rgt4BREiq1sIrt1R13lhnHaP79oinnWVw== X-Received: by 2002:a2e:b162:: with SMTP id a2mr12621294ljm.440.1634906747361; Fri, 22 Oct 2021 05:45:47 -0700 (PDT) X-Google-Smtp-Source: ABdhPJza2mO+YlvZ+ZjGag/XGi5ODsY2/15uk9CJFYghXlOggX7TDhpP9/ZnFlWgaDB9RTfo8v1QMQ== X-Received: by 2002:a2e:b162:: with SMTP id a2mr12621268ljm.440.1634906747108; Fri, 22 Oct 2021 05:45:47 -0700 (PDT) From: Dmitrii Shcherbakov To: dmitrii.shcherbakov@canonical.com, libvir-list@redhat.com Subject: [libvirt PATCH 1/4] PCI VPD: handle additional edge cases Date: Fri, 22 Oct 2021 15:45:42 +0300 Message-Id: <20211022124545.412352-2-dmitrii.shcherbakov@canonical.com> In-Reply-To: <20211022124545.412352-1-dmitrii.shcherbakov@canonical.com> References: <20211022124545.412352-1-dmitrii.shcherbakov@canonical.com> MIME-Version: 1.0 X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false X-Scanned-By: MIMEDefang 2.84 on 10.11.54.1 X-MIME-Autoconverted: from quoted-printable to 8bit by lists01.pubmisc.prod.ext.phx2.redhat.com id 19MCjpDS011512 X-loop: libvir-list@redhat.com X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1634906769937100003 Content-Type: text/plain; charset="utf-8" * RV and RW fields must be at the last position in their respective section (per the conditions in the spec). Therefore, the parser now stops iterating over fields as soon as it encounters one of those fields and checks whether the end of the resource has been reached; * Individual fields must have a valid length - the parser needs to check for invalid length values that violate boundary conditions of the resource. * A zero-length field may be the last one in the resource, however, the boundary check is currently too strict to allow that. Signed-off-by: Dmitrii Shcherbakov --- src/util/virpcivpd.c | 28 +++++++++++---- tests/virpcivpdtest.c | 84 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 106 insertions(+), 6 deletions(-) diff --git a/src/util/virpcivpd.c b/src/util/virpcivpd.c index 8856bca459..cd49031fa4 100644 --- a/src/util/virpcivpd.c +++ b/src/util/virpcivpd.c @@ -466,8 +466,12 @@ virPCIVPDParseVPDLargeResourceFields(int vpdFileFd, ui= nt16_t resPos, uint16_t re =20 bool hasChecksum =3D false; bool hasRW =3D false; + bool endReached =3D false; =20 - while (fieldPos + 3 < resPos + resDataLen) { + /* Note the equal sign - fields may have a zero length in which case t= hey will + * just occupy 3 header bytes. In the in case of the RW field this may= mean that + * no more space is left in the section. */ + while (fieldPos + 3 <=3D resPos + resDataLen) { /* Keyword resources consist of keywords (2 ASCII bytes per the sp= ec) and 1-byte length. */ if (virPCIVPDReadVPDBytes(vpdFileFd, buf, 3, fieldPos, csum) !=3D = 3) { /* Invalid field encountered which means the resource itself i= s invalid too. Report @@ -518,6 +522,13 @@ virPCIVPDParseVPDLargeResourceFields(int vpdFileFd, ui= nt16_t resPos, uint16_t re return false; } =20 + if (resPos + resDataLen < fieldPos + fieldDataLen) { + /* In this case the field cannot simply be skipped since the p= osition of the + * next field is determined based on the length of a previous = field. */ + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("A field data length violates the resource le= ngth boundary.")); + return false; + } if (virPCIVPDReadVPDBytes(vpdFileFd, buf, bytesToRead, fieldPos, c= sum) !=3D bytesToRead) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("Could not parse a resource field data - VPD = has invalid format")); @@ -546,12 +557,13 @@ virPCIVPDParseVPDLargeResourceFields(int vpdFileFd, u= int16_t resPos, uint16_t re hasChecksum =3D true; g_free(g_steal_pointer(&fieldKeyword)); g_free(g_steal_pointer(&fieldValue)); - continue; + break; } else if (fieldFormat =3D=3D VIR_PCI_VPD_RESOURCE_FIELD_VALUE_FOR= MAT_RDWR) { /* Skip the read-write space since it is used for indication o= nly. */ hasRW =3D true; g_free(g_steal_pointer(&fieldKeyword)); g_free(g_steal_pointer(&fieldValue)); + break; } else if (fieldFormat =3D=3D VIR_PCI_VPD_RESOURCE_FIELD_VALUE_FOR= MAT_LAST) { /* Skip unknown fields */ g_free(g_steal_pointer(&fieldKeyword)); @@ -579,13 +591,17 @@ virPCIVPDParseVPDLargeResourceFields(int vpdFileFd, u= int16_t resPos, uint16_t re g_free(g_steal_pointer(&fieldKeyword)); g_free(g_steal_pointer(&fieldValue)); } - if (readOnly && !hasChecksum) { + + /* May have exited the loop prematurely in case RV or RW were encounte= red and + * they were not the last fields in the section. */ + endReached =3D (fieldPos >=3D resPos + resDataLen); + if (readOnly && !(hasChecksum && endReached)) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", - _("VPD-R does not contain the mandatory RV field")); + _("VPD-R does not contain the mandatory RV field as the la= st field")); return false; - } else if (!readOnly && !hasRW) { + } else if (!readOnly && !(hasRW && endReached)) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", - _("VPD-W does not contain the mandatory RW field")); + _("VPD-W does not contain the mandatory RW field as= the last field")); return false; } =20 diff --git a/tests/virpcivpdtest.c b/tests/virpcivpdtest.c index 2cc9069132..65607c1247 100644 --- a/tests/virpcivpdtest.c +++ b/tests/virpcivpdtest.c @@ -597,6 +597,58 @@ testVirPCIVPDParseFullVPD(const void *opaque G_GNUC_UN= USED) return ret; } =20 +static int +testVirPCIVPDParseZeroLengthRW(const void *opaque G_GNUC_UNUSED) +{ + int fd =3D -1; + size_t dataLen =3D 0; + + g_autoptr(virPCIVPDResource) res =3D NULL; + virPCIVPDResourceCustom *custom =3D NULL; + + /* The RW field has a zero length which means there is no more RW spa= ce left. */ + const uint8_t fullVPDExample[] =3D { + VPD_STRING_RESOURCE_EXAMPLE_HEADER, VPD_STRING_RESOURCE_EXAMPLE_DA= TA, + VPD_R_FIELDS_EXAMPLE_HEADER, VPD_R_FIELDS_EXAMPLE_DATA, + PCI_VPD_LARGE_RESOURCE_FLAG | PCI_VPD_READ_WRITE_LARGE_RESOURCE_FL= AG, 0x08, 0x00, + 'V', 'Z', 0x02, '4', '2', + 'R', 'W', 0x00, + PCI_VPD_RESOURCE_END_VAL + }; + + dataLen =3D sizeof(fullVPDExample) / sizeof(uint8_t); + fd =3D virCreateAnonymousFile(fullVPDExample, dataLen); + res =3D virPCIVPDParse(fd); + VIR_FORCE_CLOSE(fd); + + if (!res) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + "The resource pointer is NULL after parsing which i= s unexpected"); + return -1; + } + + if (!res->ro) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + "Read-only keywords are missing from the VPD resource."); + return -1; + } else if (!res->rw) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + "Read-write keywords are missing from the VPD resource."); + return -1; + } + + if (testVirPCIVPDValidateExampleReadOnlyFields(res)) + return -1; + + custom =3D g_ptr_array_index(res->rw->vendor_specific, 0); + if (custom->idx !=3D 'Z' || STRNEQ_NULLABLE(custom->value, "42")) + return -1; + + custom =3D NULL; + return 0; +} + + static int testVirPCIVPDParseFullVPDSkipInvalidKeywords(const void *opaque G_GNUC_UNU= SED) { @@ -717,6 +769,32 @@ testVirPCIVPDParseFullVPDInvalid(const void *opaque G_= GNUC_UNUSED) 'R', 'V', 0x02, 0x8A, 0x00, \ PCI_VPD_RESOURCE_END_VAL =20 +/* The SN field has a length field that goes past the resource boundaries.= */ +# define VPD_INVALID_SN_FIELD_LENGTH \ + VPD_STRING_RESOURCE_EXAMPLE_HEADER, \ + 't', 'e', 's', 't', 'n', 'a', 'm', 'e', \ + PCI_VPD_LARGE_RESOURCE_FLAG | PCI_VPD_READ_ONLY_LARGE_RESOURCE_FLAG, 0= x0A, 0x00, \ + 'S', 'N', 0x42, 0x04, 0x02, \ + 'R', 'V', 0x02, 0xE8, 0x00, \ + PCI_VPD_RESOURCE_END_VAL + +/* The RV field is not the last one in VPD-R while the checksum is valid. = */ +# define VPD_INVALID_RV_NOT_LAST \ + VPD_STRING_RESOURCE_EXAMPLE_HEADER, \ + 't', 'e', 's', 't', 'n', 'a', 'm', 'e', \ + PCI_VPD_LARGE_RESOURCE_FLAG | PCI_VPD_READ_ONLY_LARGE_RESOURCE_FLAG, 0= x0A, 0x00, \ + 'R', 'V', 0x02, 0xD1, 0x00, \ + 'S', 'N', 0x02, 0x04, 0x02, \ + PCI_VPD_RESOURCE_END_VAL + +# define VPD_INVALID_RW_NOT_LAST \ + VPD_STRING_RESOURCE_EXAMPLE_HEADER, VPD_STRING_RESOURCE_EXAMPLE_DATA, \ + VPD_R_FIELDS_EXAMPLE_HEADER, VPD_R_FIELDS_EXAMPLE_DATA, \ + PCI_VPD_LARGE_RESOURCE_FLAG | PCI_VPD_READ_WRITE_LARGE_RESOURCE_FLAG, = 0x08, 0x00, \ + 'R', 'W', 0x00, \ + 'V', 'Z', 0x02, '4', '2', \ + PCI_VPD_RESOURCE_END_VAL + # define TEST_INVALID_VPD(invalidVPD) \ do { \ g_autoptr(virPCIVPDResource) res =3D NULL; \ @@ -741,6 +819,9 @@ testVirPCIVPDParseFullVPDInvalid(const void *opaque G_G= NUC_UNUSED) TEST_INVALID_VPD(VPD_R_UNEXPECTED_RW_IN_VPD_R_KEY); TEST_INVALID_VPD(VPD_R_INVALID_FIELD_VALUE); TEST_INVALID_VPD(VPD_INVALID_STRING_RESOURCE_VALUE); + TEST_INVALID_VPD(VPD_INVALID_SN_FIELD_LENGTH); + TEST_INVALID_VPD(VPD_INVALID_RV_NOT_LAST); + TEST_INVALID_VPD(VPD_INVALID_RW_NOT_LAST); =20 return 0; } @@ -767,6 +848,9 @@ mymain(void) ret =3D -1; if (virTestRun("Parsing VPD string resources ", testVirPCIVPDParseVPDS= tringResource, NULL) < 0) ret =3D -1; + if (virTestRun("Parsing a VPD resource with a zero-length RW ", + testVirPCIVPDParseZeroLengthRW, NULL) < 0) + ret =3D -1; if (virTestRun("Parsing a VPD resource with an invalid keyword ", testVirPCIVPDParseFullVPDSkipInvalidKeywords, NULL) < 0) ret =3D -1; --=20 2.32.0