qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed
From: Peter Maydell <peter.maydell@linaro.org>
To: minyard@acm.org
Cc: "QEMU Developers" <qemu-devel@nongnu.org>,
	"Michael S . Tsirkin" <mst@redhat.com>,
	"Igor Mammedov" <imammedo@redhat.com>,
	"M : Marcel Apfelbaum" <marcel.apfelbaum@gmail.com>,
	"David Gibson" <david@gibson.dropbear.id.au>,
	"Paolo Bonzini" <pbonzini@redhat.com>,
	"Marc-André Lureau" <marcandre.lureau@redhat.com>
Subject: Re: [PATCH 12/15] ipmi: Add an SMBus IPMI interface
Date: Fri, 29 Jul 2022 16:34:44 +0100	[thread overview]
Message-ID: <CAFEAcA_Akt5mszq=B8FZoyfBNZ=MYNfZoL7p+T0QaWJgpqAAgA@mail.gmail.com> (raw)
In-Reply-To: <CAFEAcA88GqrqoENf8NHxeNgTjj-jutz8Kspk43L1gp_VJJdh+Q@mail.gmail.com>

On Tue, 28 Jun 2022 at 17:21, Peter Maydell <peter.maydell@linaro.org> wrote:
>
> On Thu, 19 Sept 2019 at 22:39, <minyard@acm.org> wrote:
> >
> > From: Corey Minyard <cminyard@mvista.com>
> >
> > Signed-off-by: Corey Minyard <cminyard@mvista.com>
> > ---
>
> Very old patch, but Coverity has decided it doesn't like something
> in this function that's still basically the same in the current codebase
> (CID 1487146):

Ping ?

> > +static int ipmi_write_data(SMBusDevice *dev, uint8_t *buf, uint8_t len)
> > +{
> > +    SMBusIPMIDevice *sid = SMBUS_IPMI(dev);
> > +    bool send = false;
> > +    uint8_t cmd;
> > +    int ret = 0;
> > +
> > +    /* length is guaranteed to be >= 1. */
> > +    cmd = *buf++;
> > +    len--;
> > +
> > +    /* Handle read request, which don't have any data in the write part. */
> > +    switch (cmd) {
> > +    case SSIF_IPMI_RESPONSE:
> > +        sid->currblk = 0;
> > +        ret = ipmi_load_readbuf(sid);
> > +        break;
> > +
> > +    case SSIF_IPMI_MULTI_PART_RESPONSE_MIDDLE:
> > +        sid->currblk++;
> > +        ret = ipmi_load_readbuf(sid);
> > +        break;
> > +
> > +    case SSIF_IPMI_MULTI_PART_RETRY:
> > +        if (len >= 1) {
> > +            sid->currblk = buf[0];
> > +            ret = ipmi_load_readbuf(sid);
> > +        } else {
> > +            ret = -1;
> > +        }
> > +        break;
> > +
> > +    default:
> > +        break;
> > +    }
> > +
> > +    /* This should be a message write, make the length is there and correct. */
> > +    if (len >= 1) {
> > +        if (*buf != len - 1 || *buf > MAX_SSIF_IPMI_MSG_CHUNK) {
> > +            return -1; /* Bogus message */
> > +        }
> > +        buf++;
> > +        len--;
> > +    }
>
> After all of this preamble, len can be zero...
>
> > +
> > +    switch (cmd) {
> > +    case SSIF_IPMI_REQUEST:
> > +        send = true;
> > +        /* FALLTHRU */
> > +    case SSIF_IPMI_MULTI_PART_REQUEST_START:
> > +        if (len < 2) {
> > +            return -1; /* Bogus. */
> > +        }
> > +        memcpy(sid->inmsg, buf, len);
> > +        sid->inlen = len;
> > +        break;
> > +
> > +    case SSIF_IPMI_MULTI_PART_REQUEST_END:
> > +        send = true;
> > +        /* FALLTHRU */
> > +    case SSIF_IPMI_MULTI_PART_REQUEST_MIDDLE:
> > +        if (!sid->inlen) {
> > +            return -1; /* Bogus. */
> > +        }
> > +        if (sid->inlen + len > MAX_SSIF_IPMI_MSG_SIZE) {
> > +            sid->inlen = 0; /* Discard the message. */
> > +            return -1; /* Bogus. */
> > +        }
>
> ...this error checking on the values of the 'middle' request
> means that after one 'middle' request we can end up with
> sid->inlen == MAX_SSIF_IPMI_MSG_SIZE (ie we filled the
> entire sid->inmsg[] array).
>
> But then if we get another 'middle' request with len == 0,
> that will pass this error checking because (sid->inlen + len == MSG_SIZE)
> and fall through into...
>
> > +        if (len < 32) {
> > +            /*
> > +             * Special hack, a multi-part middle that is less than 32 bytes
> > +             * marks the end of a message.  The specification is fairly
> > +             * confusing, so some systems to this, even sending a zero
> > +             * length end message to mark the end.
> > +             */
> > +            send = true;
> > +        }
> > +        memcpy(sid->inmsg + sid->inlen, buf, len);
>
> ...calling memcpy() with argument 1 being a pointer that points
> one past the end of the array. Even though len will be 0 and
> we won't memcpy() anything, this is (depending on how you choose
> to intepret things the C standard doesn't come right out and state
> explicitly) undefined behaviour, because memcpy() wants to be passed
> valid pointers, even if you ask it to do no work with a zero len.
>
> This isn't going to be a visible bug in practical terms, but it would
> make Coverity happy if we either (a) rejected a request with an empty
> length or else (b) skipped the memcpy(). I don't know enough about
> IPMI to know which is better.

thanks
-- PMM


  reply	other threads:[~2022-07-29 15:38 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-09-19 21:39 [PATCH 00/15] ipmi: Bug fixes, add new interfaces minyard
2019-09-19 21:39 ` [PATCH 01/15] ipmi: Fix watchdog NMI handling minyard
2019-09-20 15:45   ` Cédric Le Goater
2019-09-19 21:39 ` [PATCH 02/15] ipmi: Fix the get watchdog command minyard
2019-09-20 15:50   ` Cédric Le Goater
2019-09-19 21:39 ` [PATCH 03/15] ipmi: Generate an interrupt on watchdog pretimeout expiry minyard
2019-09-23  5:41   ` Cédric Le Goater
2019-09-19 21:39 ` [PATCH 04/15] tests:ipmi: Fix IPMI BT tests minyard
2019-09-19 21:39 ` [PATCH 05/15] qdev: Add a no default uuid property minyard
2019-09-23  5:47   ` Cédric Le Goater
2019-09-19 21:39 ` [PATCH 06/15] ipmi: Add a UUID device property minyard
2019-09-23  5:51   ` Cédric Le Goater
2019-09-19 21:39 ` [PATCH 07/15] ipmi: Split out KCS-specific code from ISA KCS code minyard
2019-09-19 21:39 ` [PATCH 08/15] ipmi: Split out BT-specific code from ISA BT code minyard
2019-09-19 21:39 ` [PATCH 09/15] ipmi: Allow a size value to be passed for I/O space minyard
2019-09-19 21:39 ` [PATCH 10/15] smbios:ipmi: Ignore IPMI devices with no fwinfo function minyard
2019-09-19 21:39 ` [PATCH 11/15] ipmi: Add PCI IPMI interfaces minyard
2019-09-19 21:39 ` [PATCH 12/15] ipmi: Add an SMBus IPMI interface minyard
2022-06-28 16:21   ` Peter Maydell
2022-07-29 15:34     ` Peter Maydell [this message]
2022-07-29 15:56     ` Corey Minyard
2022-07-29 16:01       ` Peter Maydell
2019-09-19 21:39 ` [PATCH 13/15] acpi: Add i2c serial bus CRS handling minyard
2019-09-19 21:39 ` [PATCH 14/15] ipmi: Fix SSIF ACPI handling to use the right CRS minyard
2019-09-19 21:39 ` [PATCH 15/15] pc: Add an SMB0 ACPI device to q35 minyard
2019-09-20 11:43 ` [PATCH 00/15] ipmi: Bug fixes, add new interfaces Paolo Bonzini
2019-09-20 12:19   ` Corey Minyard
2019-09-20 12:57 ` Peter Maydell
2019-09-20 17:36   ` Corey Minyard
2019-09-20 17:51     ` Peter Maydell

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAFEAcA_Akt5mszq=B8FZoyfBNZ=MYNfZoL7p+T0QaWJgpqAAgA@mail.gmail.com' \
    --to=peter.maydell@linaro.org \
    --cc=david@gibson.dropbear.id.au \
    --cc=imammedo@redhat.com \
    --cc=marcandre.lureau@redhat.com \
    --cc=marcel.apfelbaum@gmail.com \
    --cc=minyard@acm.org \
    --cc=mst@redhat.com \
    --cc=pbonzini@redhat.com \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).