From: Jason Wang
To: qemu-devel@nongnu.org, peter.maydell@linaro.org
Cc: Jason Wang, Pavel Pisa
Subject: [PULL 14/17] hw/net/can/ctucan: Don't allow guest to write off end of tx_buffer
Date: Wed, 11 Nov 2020 21:11:38 +0800
Message-Id: <1605100301-11317-15-git-send-email-jasowang@redhat.com>
In-Reply-To: <1605100301-11317-1-git-send-email-jasowang@redhat.com>
References: <1605100301-11317-1-git-send-email-jasowang@redhat.com>
From: Peter Maydell

The ctucan device has 4 CAN bus cores, each of which has a set of 20 32-bit registers for writing the transmitted data. The registers are however not contiguous; each core's buffer is 0x100 bytes after the last.

We got the checks on the address wrong in the ctucan_mem_write() function:
 * the first "is addr in range at all" check allowed addr == CTUCAN_CORE_MEM_SIZE, which is actually the first byte off the end of the range
 * the decode of addresses into core-number plus offset in the tx buffer for that core failed to check that the offset was in range, so the guest could write off the end of the tx_buffer[] array

NB: currently the values of CTUCAN_CORE_MEM_SIZE, CTUCAN_CORE_TXBUF_NUM, etc, make "buff_num >= CTUCAN_CORE_TXBUF_NUM" impossible, but we retain this as a runtime check rather than an assertion to permit those values to be changed in future (in hardware they are configurable synthesis parameters).

Fix the top level check, and check the offset is within the buffer.

Fixes: Coverity CID 1432874
Signed-off-by: Peter Maydell
Signed-off-by: Pavel Pisa
Tested-by: Pavel Pisa
Signed-off-by: Jason Wang
---
 hw/net/can/ctucan_core.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/hw/net/can/ctucan_core.c b/hw/net/can/ctucan_core.c index d20835c..8486f42 100644 --- a/hw/net/can/ctucan_core.c +++ b/hw/net/can/ctucan_core.c @@ -303,7 +303,7 @@ void ctucan_mem_write(CtuCanCoreState *s, hwaddr addr, = uint64_t val, DPRINTF("write 0x%02llx addr 0x%02x\n", (unsigned long long)val, (unsigned int)addr); =20 - if (addr > CTUCAN_CORE_MEM_SIZE) { + if (addr >=3D CTUCAN_CORE_MEM_SIZE) { return; } =20 
@@ -312,7 +312,9 @@ void ctucan_mem_write(CtuCanCoreState *s, hwaddr addr, = uint64_t val, addr -=3D CTU_CAN_FD_TXTB1_DATA_1; buff_num =3D addr / CTUCAN_CORE_TXBUFF_SPAN; addr %=3D CTUCAN_CORE_TXBUFF_SPAN; - if (buff_num < CTUCAN_CORE_TXBUF_NUM) { + addr &=3D ~3; + if ((buff_num < CTUCAN_CORE_TXBUF_NUM) && + (addr < sizeof(s->tx_buffer[buff_num].data))) { uint32_t *bufp =3D (uint32_t *)(s->tx_buffer[buff_num].data + = addr); *bufp =3D cpu_to_le32(val); } --=20 2.7.4
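Review bot: In the first hunk (the `if (addr >= CTUCAN_CORE_MEM_SIZE) { return; }` change), the off-by-one fix is right, but an out-of-range guest write is still dropped silently; a `qemu_log_mask(LOG_GUEST_ERROR, ...)` before the `return` would follow the usual QEMU convention and make a misbehaving guest visible in the host log. Since only the write path is touched here, it is also worth confirming the matching read handler uses the same `>=` bound.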
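Review bot: In the second hunk, the new `(addr < sizeof(s->tx_buffer[buff_num].data))` bound is only sufficient for the 4-byte store in `*bufp = cpu_to_le32(val);` because `addr &= ~3;` runs first and the data array length is a multiple of 4 (20 x 32-bit words); if the register count ever changed to something not a multiple of 4, a 1-3 byte overrun would come back without any check failing. Suggest a short comment on that coupling, or a `QEMU_BUILD_BUG_ON(sizeof(((CtuCanCoreState *)0)->tx_buffer[0].data) % 4)` next to the check, and a note in the commit message that misaligned guest writes are now rounded down rather than rejected.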
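As an added illustration (not QEMU's code): a small C model of the TX-buffer address decode in ctucan_mem_write(), run with constructed register-map constants so the pre-patch and patched checks can be compared on the same guest addresses. CORE_MEM_SIZE and TXTB1_DATA_1 are assumed values; the 0x100 span, 4 buffers and 20 data words come from the commit message.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed constants (the real ones are in hw/net/can/ctucan_core.h). */
#define CORE_MEM_SIZE   0x1000u  /* assumed size of the register window */
#define TXTB1_DATA_1    0x200u   /* assumed offset of the first TX data word */
#define TXBUFF_SPAN     0x100u   /* commit message: buffers are 0x100 apart */
#define TXBUF_NUM       4u       /* commit message: 4 buffers */
#define TXBUF_DATA_SIZE 80u      /* commit message: 20 x 32-bit registers */
#define REJECTED        (-1L)

/* Models the TX-buffer part of ctucan_mem_write(). Returns the byte
 * offset into a flat tx_buffer[TXBUF_NUM].data array where a 32-bit
 * guest write to 'addr' would land, or REJECTED if the write is dropped.
 * fixed=false reproduces the pre-patch checks, fixed=true the patched ones. */
static long decode_tx_write(uint64_t addr, bool fixed)
{
    /* top-level check: '>' admits addr == CORE_MEM_SIZE, '>=' does not */
    if (fixed ? (addr >= CORE_MEM_SIZE) : (addr > CORE_MEM_SIZE)) {
        return REJECTED;
    }
    if (addr < TXTB1_DATA_1) {
        return REJECTED;          /* some other register; not modelled */
    }
    addr -= TXTB1_DATA_1;
    uint64_t buff_num = addr / TXBUFF_SPAN;
    addr %= TXBUFF_SPAN;
    if (fixed) {
        addr &= ~(uint64_t)3;     /* the patch aligns before bounds-checking */
    }
    if (buff_num >= TXBUF_NUM) {
        return REJECTED;          /* present before and after the patch */
    }
    if (fixed && addr >= TXBUF_DATA_SIZE) {
        return REJECTED;          /* the new per-buffer offset check */
    }
    return (long)(buff_num * TXBUF_DATA_SIZE + addr);
}

/* True when a 4-byte store at 'off' stays inside the tx_buffer array. */
static bool store_in_bounds(long off)
{
    return off >= 0 &&
           (uint64_t)off + 4 <= (uint64_t)TXBUF_NUM * TXBUF_DATA_SIZE;
}
```

With these constants, a write to the last buffer at span offset 0xFC passes the old checks and lands 172 bytes past the end of the array, while the patched checks reject it and still accept every in-buffer offset.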