From: Marcel Apfelbaum
To: qemu-devel@nongnu.org
Cc: peter.maydell@linaro.org, yuval.shaia@oracle.com, f4bug@amsat.org
Date: Thu, 3 May 2018 21:21:21 +0300
Subject: [Qemu-devel] [PULL 4/8] hw/rdma: Fix possible out of bounds access to GID table
Message-Id: <20180503182125.20310-5-marcel.apfelbaum@gmail.com>
In-Reply-To: <20180503182125.20310-1-marcel.apfelbaum@gmail.com>

From: Yuval Shaia

Array size is MAX_PORT_GIDS, let's make sure the given index is in range.
While there limit device table size to 1.

Reported-by: Peter Maydell
Signed-off-by: Yuval Shaia
Reviewed-by: Marcel Apfelbaum
Message-Id: <20180430200223.4119-5-marcel.apfelbaum@gmail.com>

--- hw/rdma/rdma_rm_defs.h | 2 +- hw/rdma/vmw/pvrdma_cmd.c | 8 ++++++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/hw/rdma/rdma_rm_defs.h b/hw/rdma/rdma_rm_defs.h index 45503f14e0..4d22a20e4c 100644 --- a/hw/rdma/rdma_rm_defs.h +++ b/hw/rdma/rdma_rm_defs.h @@ -20,9 +20,9 @@ =20 #define MAX_PORTS 1 #define MAX_PORT_GIDS 1 +#define MAX_GIDS MAX_PORT_GIDS #define MAX_PORT_PKEYS 1 #define MAX_PKEYS MAX_PORT_PKEYS -#define MAX_GIDS 2048 #define MAX_UCS 512 #define MAX_MR_SIZE (1UL << 27) #define MAX_QP 1024 diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c index f9dd78cb27..14255d609f 100644 --- a/hw/rdma/vmw/pvrdma_cmd.c 
+++ b/hw/rdma/vmw/pvrdma_cmd.c @@ -576,7 +576,7 @@ static int create_bind(PVRDMADev *dev, union pvrdma_cmd= _req *req, =20 pr_dbg("index=3D%d\n", cmd->index); =20 - if (cmd->index > MAX_PORT_GIDS) { + if (cmd->index >=3D MAX_PORT_GIDS) { return -EINVAL; } =20 @@ -603,7 +603,11 @@ static int destroy_bind(PVRDMADev *dev, union pvrdma_c= md_req *req, { struct pvrdma_cmd_destroy_bind *cmd =3D &req->destroy_bind; =20 - pr_dbg("clear index %d\n", cmd->index); + pr_dbg("index=3D%d\n", cmd->index); + + if (cmd->index >=3D MAX_PORT_GIDS) { + return -EINVAL; + } =20 memset(dev->rdma_dev_res.ports[0].gid_tbl[cmd->index].raw, 0, sizeof(dev->rdma_dev_res.ports[0].gid_tbl[cmd->index].raw)); --=20 2.14.3
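
Review bot: in hw/rdma/rdma_rm_defs.h, the new `#define MAX_GIDS MAX_PORT_GIDS` has no comment explaining why the device-wide limit is now tied to the per-port limit, and it is only correct while MAX_PORTS stays 1. A one-line comment stating that MAX_GIDS must never exceed the size of the per-port gid_tbl would record the invariant this patch relies on. If MAX_GIDS is meant as a device total, writing it as (MAX_PORTS * MAX_PORT_GIDS) gives the same value today and stays right if MAX_PORTS changes. A build-time assertion (QEMU_BUILD_BUG_ON) next to the gid_tbl declaration would stop the two constants from drifting apart again, as 2048 versus 1 did here.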
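
Review bot: the corrected test in create_bind(), `if (cmd->index >= MAX_PORT_GIDS)`, bounds the guest-supplied index only from above, and the `%d` in the pr_dbg() just before it prints the field as a signed value. The declaration of index is not visible in this patch, so please confirm it is an unsigned type. If it is, switching the format to `%u` would make that explicit. If it is signed, a negative index passes this check and still reaches gid_tbl[], so the condition also needs a lower bound.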
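
Review bot: destroy_bind() now carries a second copy of the range check from create_bind(), and the memset() below it indexes ports[0].gid_tbl[cmd->index] twice, so the validation and the accesses it protects are spread over two functions. The original bug was exactly this kind of drift (an off-by-one `>` in one function and no check at all in the other). A small shared helper that takes the device and the index and returns the gid_tbl entry or NULL would keep the check and the access together. Since the index comes from the guest, it would also help to log the rejected value on the -EINVAL path so an out-of-range request is distinguishable from a normal one in debug output.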