From nobody Sun Feb  8 13:53:23 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as
 permitted sender) client-ip=208.118.235.17;
 envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org;
 helo=lists.gnu.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted
 sender)  smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org;
	dmarc=fail(p=none dis=none)  header.from=gmail.com
Return-Path: <qemu-devel-bounces+importer=patchew.org@nongnu.org>
Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by
 mx.zohomail.com
	with SMTPS id 15251188161141006.2148081465392;
 Mon, 30 Apr 2018 13:06:56 -0700 (PDT)
Received: from localhost ([::1]:33181 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <qemu-devel-bounces+importer=patchew.org@nongnu.org>)
	id 1fDF4Z-0007T6-A5
	for importer@patchew.org; Mon, 30 Apr 2018 16:06:55 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:48755)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <marcel.apfelbaum@gmail.com>) id 1fDEzq-0003lH-BO
	for qemu-devel@nongnu.org; Mon, 30 Apr 2018 16:02:03 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <marcel.apfelbaum@gmail.com>) id 1fDEzp-0005uV-IE
	for qemu-devel@nongnu.org; Mon, 30 Apr 2018 16:02:02 -0400
Received: from mail-wr0-x242.google.com ([2a00:1450:400c:c0c::242]:34813)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <marcel.apfelbaum@gmail.com>)
	id 1fDEzp-0005th-CA
	for qemu-devel@nongnu.org; Mon, 30 Apr 2018 16:02:01 -0400
Received: by mail-wr0-x242.google.com with SMTP id p18-v6so9135316wrm.1
	for <qemu-devel@nongnu.org>; Mon, 30 Apr 2018 13:02:01 -0700 (PDT)
Received: from localhost.localdomain ([176.228.154.53])
	by smtp.gmail.com with ESMTPSA id
	u35-v6sm8455997wrc.29.2018.04.30.13.01.58
	(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
	Mon, 30 Apr 2018 13:01:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=WP7YJheR7gZp/nLMkwzhujaIfzdejjDjBQNUIfkZrs0=;
	b=ZBhszrA4uviGYZoBW9/I97e9pOkG+gjT7OTIpOlWGiEi6dNTkETXvP427ZxQumjF0f
	Mda3VkiK5L4a3+k/Egu3SAhT7OZ69XR+paKq8DIYCk6v9w4LubWMgEW0B936jiNsiJRY
	F2XHTV5jgeYUP1noVoav9kgIDgX3Yd5rBFEtS7DhQKW8vnOFSpmUA1jy1qGiIPGf2QQm
	dxrGtpfZZ1qOTLJFYTQcEyr4HfwlivNXHGDqdJdTK72CEpdDPtRo+p0CD33+7ThCUHAZ
	dwhCaAS9lpBGMF7PYs1I4OvucLns3lnXDVld19Vw4rZIuhme7l0unexdMbF95sofxq03
	HlPg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=WP7YJheR7gZp/nLMkwzhujaIfzdejjDjBQNUIfkZrs0=;
	b=bDkLEisQ+lF0cMjBAoy+dVAWUwTtUdjtqaQfRK+vSKK6RAMslthn1TYGN9+Jx+snIP
	yuvTN4Nt/gxKLChMSwRBiO8WOrKFo5fEDjGtF4wUtTaGsIyUjSgmf6arhe8B17E4s1wT
	X/sG6aw25Tzq8fBaUD+YLmecgTk7ZDOVr9lk3yQTUk/m58XVPYCLBCLnWbJe3z+NJ1eH
	JLIUYtM2/V2mpkKVM8chKNhlno/ZMkucJVvQTN24y9Xay4Rtfx2kNfkV5WWQBAo+hfgj
	92/O5GXOn/mDcLi4GU4zaFEL7gFiNxCmT4r03/KBnNSYF2CSNKViSvvKbga8LB909UaT
	6gbQ==
X-Gm-Message-State: ALQs6tBR1LkBzjKBdKsRJDIRiragCQmBZDM9s5rlEON1KNWRJN+Pg1Dx
	fDybuiQvtXaF/mRXqodxBK7CAg==
X-Google-Smtp-Source: 
 AB8JxZpwMuuMw94mJYD9IOB5ci2nlCI61lfqYBNnny1gngwXr+FoZ7IeIIGFr2I5sPA2dva31ltKmA==
X-Received: by 2002:adf:86ed:: with SMTP id
	42-v6mr10457050wry.158.1525118520056;
	Mon, 30 Apr 2018 13:02:00 -0700 (PDT)
From: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
To: qemu-devel@nongnu.org
Date: Mon, 30 Apr 2018 23:02:21 +0300
Message-Id: <20180430200223.4119-6-marcel.apfelbaum@gmail.com>
X-Mailer: git-send-email 2.14.3
In-Reply-To: <20180430200223.4119-1-marcel.apfelbaum@gmail.com>
References: <20180430200223.4119-1-marcel.apfelbaum@gmail.com>
X-detected-operating-system: by eggs.gnu.org: Genre and OS details not
	recognized.
X-Received-From: 2a00:1450:400c:c0c::242
Subject: [Qemu-devel] [PATCH 5/7] hw/rdma: Fix possible out of bounds access
 to regs array
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Cc: peter.maydell@linaro.org, yuval.shaia@oracle.com
Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org
Sender: "Qemu-devel" <qemu-devel-bounces+importer=patchew.org@nongnu.org>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZohoMail: RDKM_2  RSF_0  Z_629925259 SPT_0
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

From: Yuval Shaia <yuval.shaia@oracle.com>

Coverity (CID1390589, CID1390608).
Array size is RDMA_BAR1_REGS_SIZE, let's make sure the given address is
in range.

While there also:
1. Adjust the size of this bar to reasonable size
2. Report the size of the array with sizeof(array)

Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Yuval Shaia <yuval.shaia@oracle.com>
Reviewed-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
---
 hw/rdma/vmw/pvrdma.h      | 6 +++---
 hw/rdma/vmw/pvrdma_main.c | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/hw/rdma/vmw/pvrdma.h b/hw/rdma/vmw/pvrdma.h
index 8c173cb824..0b46dc5a9b 100644
--- a/hw/rdma/vmw/pvrdma.h
+++ b/hw/rdma/vmw/pvrdma.h
@@ -31,7 +31,7 @@
 #define RDMA_REG_BAR_IDX     1
 #define RDMA_UAR_BAR_IDX     2
 #define RDMA_BAR0_MSIX_SIZE  (16 * 1024)
-#define RDMA_BAR1_REGS_SIZE  256
+#define RDMA_BAR1_REGS_SIZE  64
 #define RDMA_BAR2_UAR_SIZE   (0x1000 * MAX_UCS) /* each uc gets page */
=20
 /* MSIX */
@@ -86,7 +86,7 @@ static inline int get_reg_val(PVRDMADev *dev, hwaddr addr=
, uint32_t *val)
 {
     int idx =3D addr >> 2;
=20
-    if (idx > RDMA_BAR1_REGS_SIZE) {
+    if (idx >=3D RDMA_BAR1_REGS_SIZE) {
         return -EINVAL;
     }
=20
@@ -99,7 +99,7 @@ static inline int set_reg_val(PVRDMADev *dev, hwaddr addr=
, uint32_t val)
 {
     int idx =3D addr >> 2;
=20
-    if (idx > RDMA_BAR1_REGS_SIZE) {
+    if (idx >=3D RDMA_BAR1_REGS_SIZE) {
         return -EINVAL;
     }
=20
diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
index 994220b58e..3ed7409763 100644
--- a/hw/rdma/vmw/pvrdma_main.c
+++ b/hw/rdma/vmw/pvrdma_main.c
@@ -449,14 +449,14 @@ static void init_bars(PCIDevice *pdev)
     /* BAR 1 - Registers */
     memset(&dev->regs_data, 0, sizeof(dev->regs_data));
     memory_region_init_io(&dev->regs, OBJECT(dev), &regs_ops, dev,
-                          "pvrdma-regs", RDMA_BAR1_REGS_SIZE);
+                          "pvrdma-regs", sizeof(dev->regs_data));
     pci_register_bar(pdev, RDMA_REG_BAR_IDX, PCI_BASE_ADDRESS_SPACE_MEMORY,
                      &dev->regs);
=20
     /* BAR 2 - UAR */
     memset(&dev->uar_data, 0, sizeof(dev->uar_data));
     memory_region_init_io(&dev->uar, OBJECT(dev), &uar_ops, dev, "rdma-uar=
",
-                          RDMA_BAR2_UAR_SIZE);
+                          sizeof(dev->uar_data));
     pci_register_bar(pdev, RDMA_UAR_BAR_IDX, PCI_BASE_ADDRESS_SPACE_MEMORY,
                      &dev->uar);
 }
--=20
2.14.3