From: Cornelia Huck <cohuck@redhat.com>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: Collin Walling <walling@linux.ibm.com>,
	Janosch Frank <frankja@linux.ibm.com>,
	David Hildenbrand <david@redhat.com>,
	Cornelia Huck <cohuck@redhat.com>,
	qemu-devel@nongnu.org, qemu-s390x@nongnu.org,
	Thomas Huth <thuth@redhat.com>,
	Claudio Imbrenda <imbrenda@linux.ibm.com>
Subject: [PULL 05/19] s390/sclp: check sccb len before filling in data
Date: Fri,  2 Oct 2020 14:11:04 +0200
Message-ID: <20201002121118.180315-6-cohuck@redhat.com>
In-Reply-To: <20201002121118.180315-1-cohuck@redhat.com>

From: Collin Walling <walling@linux.ibm.com>

The SCCB must be checked for a sufficient length before it is filled
with any data. If the length is insufficient, then the SCLP command
is suppressed and the proper response code is set in the SCCB header.

While we're at it, let's clean up the length check by placing the
calculation inside a macro.

Fixes: 832be0d8a3bb ("s390x: sclp: Report insufficient SCCB length")
Signed-off-by: Collin Walling <walling@linux.ibm.com>
Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Message-Id: <20200915194416.107460-5-walling@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
---
 hw/s390x/sclp.c | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/hw/s390x/sclp.c b/hw/s390x/sclp.c
index 4ae6fb400b40..0d54075309d5 100644
--- a/hw/s390x/sclp.c
+++ b/hw/s390x/sclp.c
@@ -78,6 +78,8 @@ static void prepare_cpu_entries(MachineState *ms, CPUEntry *entry, int *count)
     }
 }
 
+#define SCCB_REQ_LEN(s, max_cpus) (sizeof(s) + max_cpus * sizeof(CPUEntry))
+
 /* Provide information about the configuration, CPUs and storage */
 static void read_SCP_info(SCLPDevice *sclp, SCCB *sccb)
 {
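Review bot: The max_cpus argument in SCCB_REQ_LEN is used unparenthesized in "max_cpus * sizeof(CPUEntry)", so a caller passing an expression such as "a + b" would get the wrong size because of operator precedence. Both callers in this patch pass a plain member access, so nothing breaks today, but writing "(max_cpus) * sizeof(CPUEntry)" makes the macro safe for later users. A one-line comment that s is a type name (it is only ever used as sizeof(s)) would also help, or the calculation could be a static inline function taking the struct size.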
@@ -86,6 +88,12 @@ static void read_SCP_info(SCLPDevice *sclp, SCCB *sccb)
     int cpu_count;
     int rnsize, rnmax;
     IplParameterBlock *ipib = s390_ipl_get_iplb();
+    int required_len = SCCB_REQ_LEN(ReadInfo, machine->possible_cpus->len);
+
+    if (be16_to_cpu(sccb->h.length) < required_len) {
+        sccb->h.response_code = cpu_to_be16(SCLP_RC_INSUFFICIENT_SCCB_LENGTH);
+        return;
+    }
 
     /* CPU information */
     prepare_cpu_entries(machine, read_info->entries, &cpu_count);
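Review bot: required_len in read_SCP_info is declared int, but SCCB_REQ_LEN expands to a sizeof expression of type size_t, so the assignment narrows implicitly and the comparison against be16_to_cpu(sccb->h.length) then mixes signed and unsigned-derived values. Declaring it size_t keeps the bound in the type it was computed in. Moving the check ahead of prepare_cpu_entries() is the right order: with the old placement the entries were written into read_info->entries before the guest-supplied length had been validated.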
@@ -95,12 +103,6 @@ static void read_SCP_info(SCLPDevice *sclp, SCCB *sccb)
 
     read_info->ibc_val = cpu_to_be32(s390_get_ibc_val());
 
-    if (be16_to_cpu(sccb->h.length) <
-            (sizeof(ReadInfo) + cpu_count * sizeof(CPUEntry))) {
-        sccb->h.response_code = cpu_to_be16(SCLP_RC_INSUFFICIENT_SCCB_LENGTH);
-        return;
-    }
-
     /* Configuration Characteristic (Extension) */
     s390_get_feat_block(S390_FEAT_TYPE_SCLP_CONF_CHAR,
                          read_info->conf_char);
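Review bot: The check removed here was sized by cpu_count as returned from prepare_cpu_entries(), while its replacement earlier in read_SCP_info is sized by machine->possible_cpus->len. If cpu_count can be smaller than possible_cpus->len, an SCCB that was accepted before is now answered with SCLP_RC_INSUFFICIENT_SCCB_LENGTH. The commit message only mentions moving the check and wrapping it in a macro, so it should state this change in the required length and why the larger bound is the intended one.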
@@ -146,18 +148,18 @@ static void sclp_read_cpu_info(SCLPDevice *sclp, SCCB *sccb)
     MachineState *machine = MACHINE(qdev_get_machine());
     ReadCpuInfo *cpu_info = (ReadCpuInfo *) sccb;
     int cpu_count;
+    int required_len = SCCB_REQ_LEN(ReadCpuInfo, machine->possible_cpus->len);
+
+    if (be16_to_cpu(sccb->h.length) < required_len) {
+        sccb->h.response_code = cpu_to_be16(SCLP_RC_INSUFFICIENT_SCCB_LENGTH);
+        return;
+    }
 
     prepare_cpu_entries(machine, cpu_info->entries, &cpu_count);
     cpu_info->nr_configured = cpu_to_be16(cpu_count);
     cpu_info->offset_configured = cpu_to_be16(offsetof(ReadCpuInfo, entries));
     cpu_info->nr_standby = cpu_to_be16(0);
 
-    if (be16_to_cpu(sccb->h.length) <
-            (sizeof(ReadCpuInfo) + cpu_count * sizeof(CPUEntry))) {
-        sccb->h.response_code = cpu_to_be16(SCLP_RC_INSUFFICIENT_SCCB_LENGTH);
-        return;
-    }
-
     /* The standby offset is 16-byte for each CPU */
     cpu_info->offset_standby = cpu_to_be16(cpu_info->offset_configured
         + cpu_info->nr_configured*sizeof(CPUEntry));
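Review bot: In the trailing context of sclp_read_cpu_info, offset_standby is computed from cpu_info->offset_configured and cpu_info->nr_configured, both of which were stored with cpu_to_be16() a few lines above, so on a little-endian host the addition and multiplication operate on byte-swapped values before the result is swapped again. This is not introduced by the patch, but since the function is being touched it is worth computing the offset from the host-order values instead, i.e. offsetof(ReadCpuInfo, entries) and cpu_count. As in read_SCP_info, required_len would also be better declared size_t than int.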
-- 
2.25.4


