From nobody Sat Nov 23 22:25:55 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=gmail.com ARC-Seal: i=1; a=rsa-sha256; t=1730679774; cv=none; d=zohomail.com; s=zohoarc; b=Ovfz2hoBKQlfaatmmY3T4SqZtJJ9CftpRX8gLbnLF4S9mtYVeevJldiclYcCGHAfMEScJ51oYi6P6MjuYKZ+Ot5TSOLE0tsESJ3SwEeDG3resIWBnDi/7UTHUYJwTboW9UVayT6VnaA/fkl+nUoJyzlUbAcmsVysRa70bcNi/r4= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1730679774; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=J6g3+OIAh+PgGQYF5KfEAWhRtddu1l04lD2/5ytpiIU=; b=EGMaudDhDdeBdZIfMx2ec9ruskIWrGFDj1Ptt8k6pyf7F7oeRBisYmvUEUrLN6iWz+jUOqSVuerxTg7S3O1mHJh3kyj3SmXVM5Kj2hjKfBavPSjr7q6gL9nmnK4dbf6HgKZdvccrpiWszQCTPzm5CTWR9u8+bGaYxZ4fXx8VZ7A= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1730679774588734.9150242815853; Sun, 3 Nov 2024 16:22:54 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1t7kp0-0007He-Al; Sun, 03 Nov 2024 19:19:54 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1t7kox-0007Dc-Ow; Sun, 03 Nov 2024 19:19:51 -0500 Received: from mail-pf1-x435.google.com ([2607:f8b0:4864:20::435]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1t7kow-0002J8-7a; Sun, 03 Nov 2024 19:19:51 -0500 Received: by mail-pf1-x435.google.com with SMTP id d2e1a72fcca58-720e94d36c8so635865b3a.1; Sun, 03 Nov 2024 16:19:49 -0800 (PST) Received: from wheely.local0.net (124-171-217-17.tpgi.com.au. [124.171.217.17]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-7ee45a0081esm5900648a12.59.2024.11.03.16.19.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 03 Nov 2024 16:19:47 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1730679588; x=1731284388; darn=nongnu.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=J6g3+OIAh+PgGQYF5KfEAWhRtddu1l04lD2/5ytpiIU=; b=eMpcGYm0rBWie635C9dNeBPIISQ7zLqdushKQeY31HpWl3ftDZhWHLREeiMm3Nf+0g lKVD3XQpCagaWVDMW/ln5Pzj8WrJxRP7R7b+lw2VGz2HoRzfNBiBq0K0nVPyOnH8Jq6h /qxza2OgWvtuY80UHiJzmDNsHd6z7g6sx3j/BJv52kwGn4KddXs4ql/c66k+5zCNG+9r baR46Bp2b/BlWTo3fi99SAcxnLloKC9lLNVPbV+ngExgot03Y3QC0ZWobsyMhT9jrpX8 9cy/38UZ3Q0BKBDMaFXsKi2PBZAv8SbDvVqd1krom2ulp2p9Ye9Po+huMCB52zhqInKP P4zQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1730679588; x=1731284388; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=J6g3+OIAh+PgGQYF5KfEAWhRtddu1l04lD2/5ytpiIU=; b=lLiZ1r6Dhn/a7tVzwmv1mmjhMEXPzQIqt8lwoRQeS1h4M/R2eBSQHm2rrn2zV4em25 DgD+LOaAWQqsGPYJ1/R8duvU+YEeDWTH2dHIZTgOUEbdHeE5m1Ze5ErHxj4gdu75FoCA Apvnrz/jRZBGNRhx+hpqPRz6FYsKT4jv0wRKyu4xLgERXyrspGu/Hag+mEE6h2Ivtn4L pBN0CMMnsqTwS8/yy7GiiCpBizZiCAgeiapxFirU9m81w2Txj7DOTIQ/uL+uLXECclb1 FI5yHDuEFqZmUv5nTcfQdGVsVcmawgyVh5kmjp3V7T8/A/Nfec36VVUDGJf2PpGNg1c1 oBWg== X-Forwarded-Encrypted: i=1; AJvYcCUFSp89Fbtjy7jdM4V+OnBHzDn7ninO6ygfpVlwR+6gwIVGG+nKJeQ6A5K9MJDjoUQCREDZGOYjgA==@nongnu.org, AJvYcCV9nxLJmcdwKrJnpbPvOzZCQ6DXYYbzVQMgduaa1mR850n9RQ4hsQQQjJRlZ5/whGcK4niQKUgOcUo/EYg=@nongnu.org X-Gm-Message-State: AOJu0YyNxPJf8jHKWCsWfgkhsdW1h0DG+S4OHMlW++7zAVKUuD4oOh7L CMqL9UNOGfNU38NsOJotWaQpsIFwbgPpcMUR8H2Q+REk9rxZtMpbui2Wqw== X-Google-Smtp-Source: AGHT+IEW4g0BjDK8+LUYHDNNgIMaUw8Y2VXNoJ507p2NlP9/6oCFG05PviGm/g1OFFMgy+ZTJj3kPg== X-Received: by 2002:a05:6a21:3296:b0:1db:d736:9429 with SMTP id adf61e73a8af0-1dbd736943amr3793070637.4.1730679587721; Sun, 03 Nov 2024 16:19:47 -0800 (PST) From: Nicholas Piggin To: qemu-devel@nongnu.org Cc: Nicholas Piggin , qemu-ppc@nongnu.org, qemu-stable@nongnu.org, =?UTF-8?q?C=C3=A9dric=20Le=20Goater?= Subject: [PULL 10/67] ppc/pnv: ADU fix possible buffer overrun with invalid size Date: Mon, 4 Nov 2024 10:17:59 +1000 Message-ID: <20241104001900.682660-11-npiggin@gmail.com> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20241104001900.682660-1-npiggin@gmail.com> References: <20241104001900.682660-1-npiggin@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=2607:f8b0:4864:20::435; envelope-from=npiggin@gmail.com; helo=mail-pf1-x435.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @gmail.com) X-ZM-MESSAGEID: 1730679775413116600 The ADU LPC transfer-size field is 7 bits, but the supported sizes for LPC access via ADU appear to be 1, 2, 4, 8. The data buffer could overrun if firmware set an invalid size field, so add checks to reject them with a message. Cc: qemu-stable@nongnu.org Reported-by: C=C3=A9dric Le Goater Resolves: Coverity CID 1558830 Fixes: 24bd283bccb33 ("ppc/pnv: Implement ADU access to LPC space") Reviewed-by: C=C3=A9dric Le Goater Signed-off-by: Nicholas Piggin --- hw/ppc/pnv_adu.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/hw/ppc/pnv_adu.c b/hw/ppc/pnv_adu.c index 81b7d6e526..f636dedf79 100644 --- a/hw/ppc/pnv_adu.c +++ b/hw/ppc/pnv_adu.c @@ -116,6 +116,12 @@ static void pnv_adu_xscom_write(void *opaque, hwaddr a= ddr, uint64_t val, uint32_t lpc_size =3D lpc_cmd_size(adu); uint64_t data =3D 0; =20 + if (!is_power_of_2(lpc_size) || lpc_size > sizeof(data)) { + qemu_log_mask(LOG_GUEST_ERROR, "ADU: Unsupported LPC acces= s " + "size:%" PRId32 "\n", lpc_s= ize); + break; + } + pnv_lpc_opb_read(adu->lpc, lpc_addr, (void *)&data, lpc_size); =20 /* @@ -135,6 +141,12 @@ static void pnv_adu_xscom_write(void *opaque, hwaddr a= ddr, uint64_t val, uint32_t lpc_size =3D lpc_cmd_size(adu); uint64_t data; =20 + if (!is_power_of_2(lpc_size) || lpc_size > sizeof(data)) { + qemu_log_mask(LOG_GUEST_ERROR, "ADU: Unsupported LPC acces= s " + "size:%" PRId32 "\n", lpc_s= ize); + break; + } + data =3D cpu_to_be64(val) >> ((lpc_addr & 7) * 8); /* See abov= e */ pnv_lpc_opb_write(adu->lpc, lpc_addr, (void *)&data, lpc_size); } --=20 2.45.2