From: Klaus Jensen
To: qemu-devel@nongnu.org
Cc: Kevin Wolf, qemu-block@nongnu.org, Klaus Jensen, Max Reitz, Keith Busch, Klaus Jensen
Subject: [PATCH 1/2] hw/block/nvme: fix potential overflow
Date: Mon, 15 Mar 2021 12:03:58 +0100
Message-Id: <20210315110359.51450-2-its@irrelevant.dk>
In-Reply-To: <20210315110359.51450-1-its@irrelevant.dk>
References: <20210315110359.51450-1-its@irrelevant.dk>

From: Klaus Jensen page_size is a uint32_t, and zasl is a uint8_t, so the expression `page_size << zasl` is done using 32-bit arithmetic and might overflow. Since we then compare this against a 64 bit data_size value, Coverity complains that we might overflow unintentionally. An MDTS/ZASL value in excess of 4GiB is probably impractical, but it is not entirely unrealistic, so add a cast such that we handle that case properly. Fixes: 578d914b263c ("hw/block/nvme: align zoned.zasl with mdts") Fixes: CID 1450756 Signed-off-by: Klaus Jensen --- hw/block/nvme.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/block/nvme.c b/hw/block/nvme.c index d439e44db839..f8ad34077000 100644 --- a/hw/block/nvme.c +++ b/hw/block/nvme.c 
@@ -2188,7 +2188,7 @@ static uint16_t nvme_do_write(NvmeCtrl *n, NvmeReques= t *req, bool append, goto invalid; } =20 - if (n->params.zasl && data_size > n->page_size << n->params.za= sl) { + if (n->params.zasl && data_size > (uint64_t)n->page_size << n-= >params.zasl) { trace_pci_nvme_err_zasl(data_size); return NVME_INVALID_FIELD | NVME_DNR; } --=20 2.30.1
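Review bot: in the nvme_do_write hunk, the new comparison `data_size > (uint64_t)n->page_size << n->params.zasl` still has no bound on the shift count. The commit message describes zasl as a uint8_t, so a value of 64 or more remains undefined behaviour after widening, and large values below that silently wrap the 64-bit result. Nothing in the visible lines limits n->params.zasl; consider rejecting out-of-range values where the parameter is validated, or stating in the commit message where that bound is enforced. The message also mentions MDTS, so any equivalent `page_size << mdts` comparison would want the same cast.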

From: Klaus Jensen
To: qemu-devel@nongnu.org
Cc: Kevin Wolf, qemu-block@nongnu.org, Klaus Jensen, Max Reitz, Keith Busch, Minwoo Im, Klaus Jensen
Subject: [PATCH 2/2] hw/block/nvme: assert namespaces array indices
Date: Mon, 15 Mar 2021 12:03:59 +0100
Message-Id: <20210315110359.51450-3-its@irrelevant.dk>
In-Reply-To: <20210315110359.51450-1-its@irrelevant.dk>
References: <20210315110359.51450-1-its@irrelevant.dk>

From: Klaus Jensen Coverity complains about a possible memory corruption in the nvme_ns_attach and _detach functions. While we should not (famous last words) be able to reach this function without nsid having previously been validated, this is still an open door for future misuse. Make Coverity and maintainers happy by asserting that the index into the array is valid. Also, while not detected by Coverity (yet), add an assert in nvme_subsys_ns and nvme_subsys_register_ns as well since a similar issue exists there. Fixes: 037953b5b299 ("hw/block/nvme: support namespace detach") Fixes: CID 1450757 Fixes: CID 1450758 Cc: Minwoo Im Signed-off-by: Klaus Jensen Reviewed-by: Philippe Mathieu-Daudé --- hw/block/nvme-subsys.h | 2 ++ hw/block/nvme.h | 10 ++++++++-- hw/block/nvme-subsys.c | 7 +++++-- 3 files changed, 15 insertions(+), 4 deletions(-) diff --git a/hw/block/nvme-subsys.h b/hw/block/nvme-subsys.h index fb66ae752ad5..aafa04b84829 100644 --- a/hw/block/nvme-subsys.h +++ b/hw/block/nvme-subsys.h @@ -54,6 +54,8 @@ static inline NvmeNamespace *nvme_subsys_ns(NvmeSubsystem= *subsys, return NULL; } =20 + assert(nsid && nsid <=3D NVME_SUBSYS_MAX_NAMESPACES); + return subsys->namespaces[nsid]; } =20 diff --git a/hw/block/nvme.h b/hw/block/nvme.h index 4955d649c7d4..45ba9dbc2131 100644 --- a/hw/block/nvme.h +++ b/hw/block/nvme.h @@ -236,12 +236,18 @@ static inline bool nvme_ns_is_attached(NvmeCtrl *n, N= vmeNamespace *ns) =20 static inline void nvme_ns_attach(NvmeCtrl *n, NvmeNamespace *ns) { - n->namespaces[nvme_nsid(ns) - 1] =3D ns; + uint32_t nsid =3D ns->params.nsid; + assert(nsid && nsid <=3D NVME_MAX_NAMESPACES); + + n->namespaces[nsid - 1] =3D ns; } =20 static inline void nvme_ns_detach(NvmeCtrl *n, NvmeNamespace *ns) { - n->namespaces[nvme_nsid(ns) - 1] =3D NULL; + uint32_t nsid =3D ns->params.nsid; + assert(nsid && nsid <=3D NVME_MAX_NAMESPACES); + + n->namespaces[nsid - 1] =3D NULL; } =20 static inline NvmeCQueue *nvme_cq(NvmeRequest *req)
diff --git a/hw/block/nvme-subsys.c b/hw/block/nvme-subsys.c index af4804a819ee..2f6d3b47bacf 100644 --- a/hw/block/nvme-subsys.c +++ b/hw/block/nvme-subsys.c @@ -47,15 +47,18 @@ int nvme_subsys_register_ns(NvmeNamespace *ns, Error **= errp) { NvmeSubsystem *subsys =3D ns->subsys; NvmeCtrl *n; + uint32_t nsid =3D ns->params.nsid; int i; =20 - if (subsys->namespaces[nvme_nsid(ns)]) { + assert(nsid && nsid <=3D NVME_SUBSYS_MAX_NAMESPACES); + + if (subsys->namespaces[nsid]) { error_setg(errp, "namespace %d already registerd to subsy %s", nvme_nsid(ns), subsys->parent_obj.id); return -1; } =20 - subsys->namespaces[nvme_nsid(ns)] =3D ns; + subsys->namespaces[nsid] =3D ns; =20 for (i =3D 0; i < ARRAY_SIZE(subsys->ctrls); i++) { n =3D subsys->ctrls[i]; --=20 2.30.1
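Review bot: in the nvme_subsys_ns hunk of hw/block/nvme-subsys.h, the added `assert(nsid && nsid <= NVME_SUBSYS_MAX_NAMESPACES)` sits directly after a branch that already does `return NULL`. For a lookup helper, returning NULL for an out-of-range nsid would give callers a recoverable failure instead of aborting the process, which matters if any caller passes an nsid that has not been validated yet. If the assert stays, a short comment that this array is indexed by nsid itself (so it needs NVME_SUBSYS_MAX_NAMESPACES + 1 slots), unlike the `nsid - 1` indexing in nvme.h, would let readers check the bound.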
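Review bot: in the nvme_ns_attach/nvme_ns_detach hunk of hw/block/nvme.h, the same two added lines (`uint32_t nsid = ns->params.nsid;` and the assert) are duplicated in both functions, and they read the field directly where the removed lines went through `nvme_nsid(ns)`. A small helper that returns the checked array index would keep the bound in one place, and reading the id through nvme_nsid(ns) would keep a single accessor. The upper bound here is NVME_MAX_NAMESPACES while the subsystem code uses NVME_SUBSYS_MAX_NAMESPACES; a build-time check tying each constant to the size of its array would make the asserts verifiable from the headers alone.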
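Review bot: in the nvme_subsys_register_ns hunk of hw/block/nvme-subsys.c, the new assert aborts on a bad nsid even though the function takes `Error **errp` and already reports failure with error_setg() and `return -1`. An out-of-range nsid could be reported the same way, leaving the assert for conditions that can only be programming errors. The error_setg() call also still passes `nvme_nsid(ns)` with `%d` although the hunk introduces a `uint32_t nsid` local; using the local with an unsigned format would be consistent, and the "registerd" and "subsy" typos in that string could be fixed in the same change.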