Date: Sun, 20 Mar 2022 11:41:12 +0000
In-Reply-To: <20220320114118.2237795-1-ascull@google.com>
Message-Id: <20220320114118.2237795-6-ascull@google.com>
References: <20220320114118.2237795-1-ascull@google.com>
Subject: [PATCH 05/11] virtio: pci: Check virtio capability is in bounds
From: Andrew Scull
To: u-boot@lists.denx.de
Cc: sjg@chromium.org, bmeng.cn@gmail.com, adelva@google.com, keirf@google.com, ptosi@google.com, Andrew Scull

Ensure the virtio PCI capabilities are contained within the bounds of the device's configuration space. The expected size of the capability is passed when searching for the capability to enforce this check.

Signed-off-by: Andrew Scull
---
 drivers/virtio/virtio_pci_modern.c | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/drivers/virtio/virtio_pci_modern.c b/drivers/virtio/virtio_pci_modern.c
index 3403ff5cca..4b346be257 100644
--- a/drivers/virtio/virtio_pci_modern.c
+++ b/drivers/virtio/virtio_pci_modern.c
@@ -392,18 +392,30 @@ static int virtio_pci_notify(struct udevice *udev, struct virtqueue *vq) * * @udev: the transport device * @cfg_type: the VIRTIO_PCI_CAP_* value we seek + * @cap_size: expected size of the capability * * Return: offset of the configuration structure */ -static int virtio_pci_find_capability(struct udevice *udev, u8 cfg_type) +static int virtio_pci_find_capability(struct udevice *udev, u8 cfg_type, + size_t cap_size) { int pos; int offset; u8 type, bar; + if (cap_size < sizeof(struct virtio_pci_cap)) + return 0; + + if (cap_size > PCI_CFG_SPACE_SIZE) + return 0; + for (pos = dm_pci_find_capability(udev, PCI_CAP_ID_VNDR); pos > 0; pos = dm_pci_find_next_capability(udev, pos, PCI_CAP_ID_VNDR)) { + /* Ensure the capability is within bounds */ + if (PCI_CFG_SPACE_SIZE - cap_size < pos) + return 0; + offset = pos + offsetof(struct virtio_pci_cap, cfg_type); dm_pci_read_config8(udev, offset, &type); offset = pos + offsetof(struct virtio_pci_cap, bar); @@ -491,7 +503,8 @@ static int virtio_pci_probe(struct udevice *udev) uc_priv->vendor = subvendor; /* Check for a common config: if not, use legacy mode (bar 0) */ - common = virtio_pci_find_capability(udev, VIRTIO_PCI_CAP_COMMON_CFG); + common = virtio_pci_find_capability(udev, VIRTIO_PCI_CAP_COMMON_CFG, + sizeof(struct virtio_pci_cap)); if (!common) { printf("(%s): leaving for legacy driver\n", udev->name); return -ENODEV; @@ -505,7 +518,8 @@ static int virtio_pci_probe(struct udevice *udev) } /* If common is there, notify should be too */ - notify = virtio_pci_find_capability(udev, VIRTIO_PCI_CAP_NOTIFY_CFG); + notify = virtio_pci_find_capability(udev, VIRTIO_PCI_CAP_NOTIFY_CFG, + sizeof(struct virtio_pci_notify_cap)); if (!notify) { printf("(%s): missing capabilities %i/%i\n", udev->name, common, notify); 
@@ -519,7 +533,8 @@ static int virtio_pci_probe(struct udevice *udev) * Device capability is only mandatory for devices that have * device-specific configuration. */ - device = virtio_pci_find_capability(udev, VIRTIO_PCI_CAP_DEVICE_CFG); + device = virtio_pci_find_capability(udev, VIRTIO_PCI_CAP_DEVICE_CFG, + sizeof(struct virtio_pci_cap)); if (device) { offset = device + offsetof(struct virtio_pci_cap, length); dm_pci_read_config32(udev, offset, &priv->device_len); -- 2.35.1.894.gb6a874cedc-goog
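Review bot: in the `@@ -392` hunk the three new `return 0` paths (`cap_size` smaller than `sizeof(struct virtio_pci_cap)`, `cap_size` larger than `PCI_CFG_SPACE_SIZE`, and the in-loop bounds failure) return the same value as "capability not present", so a caller cannot tell a truncated or corrupt capability list from a device that simply lacks the capability; the kerneldoc `Return:` line should state that 0 means not found or out of bounds, and since every caller passes a compile-time `sizeof`, the first two checks guard against a programming error rather than device input and would read better with a comment saying so. Also, `pos` is `int` while `PCI_CFG_SPACE_SIZE - cap_size` is `size_t`, so `if (PCI_CFG_SPACE_SIZE - cap_size < pos)` is a mixed-sign comparison that is only safe because the loop condition keeps `pos > 0` and the earlier `cap_size > PCI_CFG_SPACE_SIZE` check keeps the subtraction from wrapping; a comment next to the check, or writing it as `if ((size_t)pos > PCI_CFG_SPACE_SIZE - cap_size)`, would make that reasoning explicit.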
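Review bot: in the `@@ -491` hunk, the existing "leaving for legacy driver" message after the call now also fires when a common-config capability is present but would extend past `PCI_CFG_SPACE_SIZE`, which misattributes a malformed device to legacy mode; consider distinguishing the out-of-bounds case (for example with a negative return from `virtio_pci_find_capability`) so the log points at the real cause instead of silently handing the device to the legacy path.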
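Review bot: in the `@@ -505` hunk, `sizeof(struct virtio_pci_notify_cap)` is the right size to pass because the notify capability carries the extra `notify_off_multiplier` field that the other two lookups do not have, but as the only call site that differs from `sizeof(struct virtio_pci_cap)` it deserves a one-line comment saying why, otherwise a later reader may "fix" it back to the generic size and lose bounds coverage of that field. The "missing capabilities %i/%i" message has the same ambiguity as the common-config case, since `notify == 0` now also covers an out-of-bounds capability.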
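Review bot: in the `@@ -519` hunk, because the device capability is optional, an out-of-bounds device-config capability now behaves exactly like a device with no device-specific configuration (`device == 0`) and prints nothing, so this is the one lookup where a malformed capability is completely silent; a debug print in the bounds-failure path, or a distinct return code, would help when diagnosing a misbehaving device. On the positive side, passing the full `sizeof(struct virtio_pci_cap)` guarantees that the `dm_pci_read_config32()` of `length` at `device + offsetof(struct virtio_pci_cap, length)` a few lines later stays within configuration space, which is the read this check protects.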