From: Nicholas Piggin
To: qemu-ppc@nongnu.org
Cc: Nicholas Piggin, qemu-devel@nongnu.org, Cédric Le Goater
Subject: [PATCH] ppc/pnv: ADU fix possible buffer overrun with invalid size
Date: Wed, 7 Aug 2024 01:13:21 +1000
Message-ID: <20240806151322.284431-1-npiggin@gmail.com>
X-Mailer: git-send-email 2.45.2

The ADU LPC transfer-size field is 7 bits, but the supported sizes for LPC
access via ADU appear to be 1, 2, 4, 8. The data buffer could overrun if
firmware set an invalid size field, so add checks to reject them with a
message.

Reported-by: Cédric Le Goater
Resolves: Coverity CID 1558830
Fixes: 24bd283bccb33 ("ppc/pnv: Implement ADU access to LPC space")
Signed-off-by: Nicholas Piggin
Reviewed-by: Cédric Le Goater
---
 hw/ppc/pnv_adu.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/hw/ppc/pnv_adu.c b/hw/ppc/pnv_adu.c index 81b7d6e526..f636dedf79 100644 --- a/hw/ppc/pnv_adu.c +++ b/hw/ppc/pnv_adu.c @@ -116,6 +116,12 @@ static void pnv_adu_xscom_write(void *opaque, hwaddr a= ddr, uint64_t val, uint32_t lpc_size =3D lpc_cmd_size(adu); uint64_t data =3D 0; =20 + if (!is_power_of_2(lpc_size) || lpc_size > sizeof(data)) { + qemu_log_mask(LOG_GUEST_ERROR, "ADU: Unsupported LPC acces= s " + "size:%" PRId32 "\n", lpc_s= ize); + break; + } + pnv_lpc_opb_read(adu->lpc, lpc_addr, (void *)&data, lpc_size); =20 /* @@ -135,6 +141,12 @@ static void pnv_adu_xscom_write(void *opaque, hwaddr a= ddr, uint64_t val, uint32_t lpc_size =3D lpc_cmd_size(adu); uint64_t data; =20 + if (!is_power_of_2(lpc_size) || lpc_size > sizeof(data)) { + qemu_log_mask(LOG_GUEST_ERROR, "ADU: Unsupported LPC acces= s " + "size:%" PRId32 "\n", lpc_s= ize); + break; + } + data =3D cpu_to_be64(val) >> ((lpc_addr & 7) * 8); /* See abov= e */ pnv_lpc_opb_write(adu->lpc, lpc_addr, (void *)&data, lpc_size); } --=20 2.45.2
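Review bot: in the first hunk (the read path, right after `uint32_t lpc_size = lpc_cmd_size(adu);`), `lpc_size` is a `uint32_t` but the log line formats it with `PRId32`; use `PRIu32` so the value is printed as the unsigned quantity it is. The same guard and message are then repeated verbatim in the write hunk; a small helper such as `pnv_adu_lpc_size_valid(lpc_size)` would keep the two paths from drifting if the supported sizes ever change. The check itself does what the commit message says: `is_power_of_2()` returns false for 0, so 0, 3, 5, 6, 7 and everything above 8 are rejected before `pnv_lpc_opb_read()` is handed a size larger than `sizeof(data)`.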
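Review bot: in the second hunk (the write path), the new guard bounds `lpc_size` but says nothing about alignment: `data = cpu_to_be64(val) >> ((lpc_addr & 7) * 8);` followed by `pnv_lpc_opb_write(adu->lpc, lpc_addr, (void *)&data, lpc_size);` still accepts, for example, an 8-byte write at an address with `lpc_addr & 7 == 4`, where the shift discards four bytes of `val` before the write. If the ADU only supports naturally aligned transfers, consider also rejecting `lpc_addr & (lpc_size - 1)` here (and in the read hunk) with the same `LOG_GUEST_ERROR` message; if unaligned transfers are legitimate, a short comment saying so next to the shift would save the next reader the same question. The `uint32_t` versus `PRId32` mismatch in the log call applies here too.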
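The size-field hazard the commit message describes, as an added example in C that is not part of the patch or of QEMU: it models a 7-bit transfer-size field decoded from a command word, the `is_power_of_2()`/`sizeof` guard the patch adds, a constructed 64-byte LPC space, and a stand-in for `pnv_lpc_opb_read()` that, like the real one, copies whatever size it is told to. Every name here (`adu_lpc_size_ok`, `opb_read`, `adu_lpc_read`, `overrun_bytes`, `rejected_size_count`), the position of the size field and the memory contents are assumptions for illustration; `overrun_bytes()` only computes how far past the 8-byte buffer an unchecked copy would write, it never performs that copy.

```c
/*
 * Added example, not QEMU code: models the ADU LPC size check from the patch.
 * The command-word layout, helper names and LPC contents are constructed.
 */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical command-word layout: transfer size in the low 7 bits. */
#define LPC_CMD_SIZE_MASK 0x7fu

/* Same semantics as QEMU's is_power_of_2(): zero is not a power of two. */
static bool is_power_of_2(uint64_t v)
{
    return v != 0 && (v & (v - 1)) == 0;
}

static uint32_t lpc_cmd_size(uint64_t cmd)
{
    return (uint32_t)(cmd & LPC_CMD_SIZE_MASK);
}

/* The guard the patch adds: only 1, 2, 4 and 8 fit the uint64_t buffer. */
static bool adu_lpc_size_ok(uint32_t size)
{
    return is_power_of_2(size) && size <= sizeof(uint64_t);
}

/* Bytes an unchecked memcpy of 'size' would write past an 8-byte buffer. */
static uint32_t overrun_bytes(uint32_t size)
{
    return size > sizeof(uint64_t) ? size - (uint32_t)sizeof(uint64_t) : 0;
}

/* How many of the 128 encodable size values the guard rejects. */
static int rejected_size_count(void)
{
    int n = 0;
    for (uint32_t s = 0; s <= LPC_CMD_SIZE_MASK; s++) {
        if (!adu_lpc_size_ok(s)) {
            n++;
        }
    }
    return n;
}

/* Constructed LPC address space with a recognisable byte pattern. */
#define LPC_SPACE 64u
static uint8_t lpc_mem[LPC_SPACE];

static void lpc_init(void)
{
    for (uint32_t i = 0; i < LPC_SPACE; i++) {
        lpc_mem[i] = (uint8_t)(0xA0 + i);   /* byte at address i is 0xA0 + i */
    }
}

/* Stand-in for pnv_lpc_opb_read(): copies 'size' bytes, trusting the caller. */
static void opb_read(uint32_t addr, void *buf, uint32_t size)
{
    memcpy(buf, lpc_mem + addr, size);
}

/*
 * Hardened read path. Returns 0 and fills out[8] on success, -1 for a size
 * the guard rejects (pre-patch, that size would have reached opb_read() with
 * an 8-byte 'data' as destination), -2 for an address outside the model.
 */
static int adu_lpc_read(uint64_t cmd, uint32_t lpc_addr, uint8_t out[8])
{
    uint64_t data = 0;
    uint32_t size = lpc_cmd_size(cmd);

    lpc_init();
    if (!adu_lpc_size_ok(size)) {
        /* lpc_size is unsigned, so PRIu32 rather than the patch's PRId32 */
        fprintf(stderr, "ADU: Unsupported LPC access size:%" PRIu32 "\n", size);
        return -1;
    }
    if (lpc_addr > LPC_SPACE || size > LPC_SPACE - lpc_addr) {
        return -2;
    }
    opb_read(lpc_addr, &data, size);      /* size <= sizeof(data) is now guaranteed */
    memcpy(out, &data, sizeof(data));
    return 0;
}

int main(void)
{
    uint8_t out[8];

    printf("guard rejects %d of 128 encodable sizes\n", rejected_size_count());
    printf("size 127 would overrun the buffer by %" PRIu32 " bytes\n",
           overrun_bytes(127));
    printf("read size 4 at 4: rc=%d first byte=0x%02x\n",
           adu_lpc_read(4, 4, out), out[0]);
    printf("read size 127 at 0: rc=%d\n", adu_lpc_read(127, 0, out));
    return 0;
}
```

The guard is deliberately two conditions: `is_power_of_2()` alone would still admit 16, 32 and 64, and `size <= sizeof(data)` alone would admit 3, 5, 6 and 7, which do not overrun but are not transfer sizes the ADU supports either; only together do they leave exactly the four sizes the commit message lists.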