1. Patchew
  2. QEMU
  3. View series

[Qemu-devel] [PATCH v2] ppc/pnv: check size before data buffer access

P J P posted 1 patch 7 years ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20181026123358.2554-1-ppandit@redhat.com
Test docker-clang@ubuntu passed
Test checkpatch passed
Test asan passed
Test docker-quick@centos7 passed
hw/ppc/pnv_lpc.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
[Qemu-devel] [PATCH v2] ppc/pnv: check size before data buffer access
Posted by P J P 7 years ago 
From: Prasad J Pandit <pjp@fedoraproject.org>

While performing PowerNV memory r/w operations, the access length
'sz' could exceed the data[4] buffer size. Add check to avoid OOB
access.

Reported-by: Moguofang <moguofang@huawei.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
 hw/ppc/pnv_lpc.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

Update v2: add error log message
  -> https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg05750.html

diff --git a/hw/ppc/pnv_lpc.c b/hw/ppc/pnv_lpc.c
index d7721320a2..172a915cfc 100644
--- a/hw/ppc/pnv_lpc.c
+++ b/hw/ppc/pnv_lpc.c
@@ -155,9 +155,15 @@ static void pnv_lpc_do_eccb(PnvLpcController *lpc, uint64_t cmd)
     /* XXX Check for magic bits at the top, addr size etc... */
     unsigned int sz = (cmd & ECCB_CTL_SZ_MASK) >> ECCB_CTL_SZ_LSH;
     uint32_t opb_addr = cmd & ECCB_CTL_ADDR_MASK;
-    uint8_t data[4];
+    uint8_t data[8];
     bool success;
 
+    if (sz > sizeof(data)) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+            "ECCB: invalid operation at @0x%08x size %d\n", opb_addr, sz);
+        return;
+    }
+
     if (cmd & ECCB_CTL_READ) {
         success = opb_read(lpc, opb_addr, data, sz);
         if (success) {
-- 
2.17.2
Re: [Qemu-devel] [PATCH v2] ppc/pnv: check size before data buffer access
Posted by Cédric Le Goater 7 years ago 
On 10/26/18 2:33 PM, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
> 
> While performing PowerNV memory r/w operations, the access length
> 'sz' could exceed the data[4] buffer size. Add check to avoid OOB
> access.
> 
> Reported-by: Moguofang <moguofang@huawei.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>

Reviewed-by: Cédric Le Goater <clg@kaod.org>

Thanks,

C.


> ---
>  hw/ppc/pnv_lpc.c | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
> 
> Update v2: add error log message
>   -> https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg05750.html
> 
> diff --git a/hw/ppc/pnv_lpc.c b/hw/ppc/pnv_lpc.c
> index d7721320a2..172a915cfc 100644
> --- a/hw/ppc/pnv_lpc.c
> +++ b/hw/ppc/pnv_lpc.c
> @@ -155,9 +155,15 @@ static void pnv_lpc_do_eccb(PnvLpcController *lpc, uint64_t cmd)
>      /* XXX Check for magic bits at the top, addr size etc... */
>      unsigned int sz = (cmd & ECCB_CTL_SZ_MASK) >> ECCB_CTL_SZ_LSH;
>      uint32_t opb_addr = cmd & ECCB_CTL_ADDR_MASK;
> -    uint8_t data[4];
> +    uint8_t data[8];
>      bool success;
>  
> +    if (sz > sizeof(data)) {
> +        qemu_log_mask(LOG_GUEST_ERROR,
> +            "ECCB: invalid operation at @0x%08x size %d\n", opb_addr, sz);
> +        return;
> +    }
> +
>      if (cmd & ECCB_CTL_READ) {
>          success = opb_read(lpc, opb_addr, data, sz);
>          if (success) {
>
Re: [Qemu-devel] [PATCH v2] ppc/pnv: check size before data buffer access
Posted by David Gibson 7 years ago 
On Fri, Oct 26, 2018 at 06:03:58PM +0530, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
> 
> While performing PowerNV memory r/w operations, the access length
> 'sz' could exceed the data[4] buffer size. Add check to avoid OOB
> access.
> 
> Reported-by: Moguofang <moguofang@huawei.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>

Applied to ppc-for-3.1, thanks.

> ---
>  hw/ppc/pnv_lpc.c | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
> 
> Update v2: add error log message
>   -> https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg05750.html
> 
> diff --git a/hw/ppc/pnv_lpc.c b/hw/ppc/pnv_lpc.c
> index d7721320a2..172a915cfc 100644
> --- a/hw/ppc/pnv_lpc.c
> +++ b/hw/ppc/pnv_lpc.c
> @@ -155,9 +155,15 @@ static void pnv_lpc_do_eccb(PnvLpcController *lpc, uint64_t cmd)
>      /* XXX Check for magic bits at the top, addr size etc... */
>      unsigned int sz = (cmd & ECCB_CTL_SZ_MASK) >> ECCB_CTL_SZ_LSH;
>      uint32_t opb_addr = cmd & ECCB_CTL_ADDR_MASK;
> -    uint8_t data[4];
> +    uint8_t data[8];
>      bool success;
>  
> +    if (sz > sizeof(data)) {
> +        qemu_log_mask(LOG_GUEST_ERROR,
> +            "ECCB: invalid operation at @0x%08x size %d\n", opb_addr, sz);
> +        return;
> +    }
> +
>      if (cmd & ECCB_CTL_READ) {
>          success = opb_read(lpc, opb_addr, data, sz);
>          if (success) {

-- 
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson
Re: [Qemu-devel] [PATCH v2] ppc/pnv: check size before data buffer access
Posted by Laurent Vivier 6 years, 12 months ago 
On 26/10/2018 14:33, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
> 
> While performing PowerNV memory r/w operations, the access length
> 'sz' could exceed the data[4] buffer size. Add check to avoid OOB
> access.
> 
> Reported-by: Moguofang <moguofang@huawei.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
>  hw/ppc/pnv_lpc.c | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
> 
> Update v2: add error log message
>   -> https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg05750.html
> 
> diff --git a/hw/ppc/pnv_lpc.c b/hw/ppc/pnv_lpc.c
> index d7721320a2..172a915cfc 100644
> --- a/hw/ppc/pnv_lpc.c
> +++ b/hw/ppc/pnv_lpc.c
> @@ -155,9 +155,15 @@ static void pnv_lpc_do_eccb(PnvLpcController *lpc, uint64_t cmd)
>      /* XXX Check for magic bits at the top, addr size etc... */
>      unsigned int sz = (cmd & ECCB_CTL_SZ_MASK) >> ECCB_CTL_SZ_LSH;
>      uint32_t opb_addr = cmd & ECCB_CTL_ADDR_MASK;
> -    uint8_t data[4];
> +    uint8_t data[8];
>      bool success;

I'm not sure 8 is enough.

ECCB_CTL_SZ_MASK is PPC_BITMASK(4, 7), and ECCB_CTL_SZ_LSH is (63 - 7).
So the bitmask is 4 bits wide, and thus sz can be 0 to 15.

I think data[] size should be 16.

Thanks,
Laurent
Re: [Qemu-devel] [PATCH v2] ppc/pnv: check size before data buffer access
Posted by Cédric Le Goater 6 years, 12 months ago 
Hello Laurent,

On 11/8/18 10:10 AM, Laurent Vivier wrote:
> On 26/10/2018 14:33, P J P wrote:
>> From: Prasad J Pandit <pjp@fedoraproject.org>
>>
>> While performing PowerNV memory r/w operations, the access length
>> 'sz' could exceed the data[4] buffer size. Add check to avoid OOB
>> access.
>>
>> Reported-by: Moguofang <moguofang@huawei.com>
>> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
>> ---
>>  hw/ppc/pnv_lpc.c | 8 +++++++-
>>  1 file changed, 7 insertions(+), 1 deletion(-)
>>
>> Update v2: add error log message
>>   -> https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg05750.html
>>
>> diff --git a/hw/ppc/pnv_lpc.c b/hw/ppc/pnv_lpc.c
>> index d7721320a2..172a915cfc 100644
>> --- a/hw/ppc/pnv_lpc.c
>> +++ b/hw/ppc/pnv_lpc.c
>> @@ -155,9 +155,15 @@ static void pnv_lpc_do_eccb(PnvLpcController *lpc, uint64_t cmd)
>>      /* XXX Check for magic bits at the top, addr size etc... */
>>      unsigned int sz = (cmd & ECCB_CTL_SZ_MASK) >> ECCB_CTL_SZ_LSH;
>>      uint32_t opb_addr = cmd & ECCB_CTL_ADDR_MASK;
>> -    uint8_t data[4];
>> +    uint8_t data[8];
>>      bool success;
> 
> I'm not sure 8 is enough.
> 
> ECCB_CTL_SZ_MASK is PPC_BITMASK(4, 7), and ECCB_CTL_SZ_LSH is (63 - 7).
> So the bitmask is 4 bits wide, and thus sz can be 0 to 15.
> I think data[] size should be 16.

The bitmask allows more that 8 but the specs says that 1, 2, 4, 8 are the 
possible value size. So We should be fine.

C.  

> 
> Thanks,
> Laurent
>

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.