From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <u-boot-bounces@lists.denx.de>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from phobos.denx.de (phobos.denx.de [85.214.62.61])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.lore.kernel.org (Postfix) with ESMTPS id 0F0D8C433F5
	for <u-boot@archiver.kernel.org>; Wed, 13 Apr 2022 14:23:56 +0000 (UTC)
Received: from h2850616.stratoserver.net (localhost [IPv6:::1])
	by phobos.denx.de (Postfix) with ESMTP id B5C2E83E42;
	Wed, 13 Apr 2022 16:22:24 +0200 (CEST)
Authentication-Results: phobos.denx.de; dmarc=pass (p=reject dis=none) header.from=google.com
Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de
Authentication-Results: phobos.denx.de;
	dkim=pass (2048-bit key; unprotected) header.d=google.com header.i=@google.com header.b="Ei4yQOBP";
	dkim-atps=neutral
Received: by phobos.denx.de (Postfix, from userid 109)
 id E82E383E27; Wed, 13 Apr 2022 16:22:10 +0200 (CEST)
Received: from mail-wm1-x34a.google.com (mail-wm1-x34a.google.com
 [IPv6:2a00:1450:4864:20::34a])
 (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))
 (No client certificate requested)
 by phobos.denx.de (Postfix) with ESMTPS id 8D27583E06
 for <u-boot@lists.denx.de>; Wed, 13 Apr 2022 16:22:08 +0200 (CEST)
Authentication-Results: phobos.denx.de;
 dmarc=pass (p=reject dis=none) header.from=google.com
Authentication-Results: phobos.denx.de; spf=pass
 smtp.mailfrom=3kNxWYgYKBr0dvfxoojrrjoh.frpx-errwolvwv.ghq0.gh@flex--ascull.bounces.google.com
Received: by mail-wm1-x34a.google.com with SMTP id
 k16-20020a7bc310000000b0038e6cf00439so867174wmj.0
 for <u-boot@lists.denx.de>; Wed, 13 Apr 2022 07:22:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112;
 h=date:in-reply-to:message-id:mime-version:references:subject:from:to
 :cc; bh=c+vkB86jhGmAudqmVAsaGVJ0Xq3ZBMYUW2XWmujE4RQ=;
 b=Ei4yQOBP/TsOLYzxjrAbemQvG/suLMpm2nQ3oGsWh7NkZ9Yf22h2xBLX6/8gOiRr75
 OwpvtzfAo3Xaf4CQq5CT/Y5PC4+YIiRUa8GO3u5VA6LRH6dNoHsEfokTOQPqjAGOWa8m
 LkQ3tTuCWfd/IgC9EqZobfp5gMU6cBXbzTIdh1j6X8rJV994aSRHgiVviVJ4NQnxtSdI
 X2Xzm8UdhSKQjsGjAgksJpfXv6MqXciaGFG4vaNm9Vl5n3J300fl8NfSEnr3zxKLuF3h
 qIJeKcPEbZbvpfy2eXoh1Xlobiz02Shw6nVrdSZfn8Oi6VshZFpPiHQv2Vyko2UCKgMu
 8Umw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:date:in-reply-to:message-id:mime-version
 :references:subject:from:to:cc;
 bh=c+vkB86jhGmAudqmVAsaGVJ0Xq3ZBMYUW2XWmujE4RQ=;
 b=PV/vdvrRx0aAuz1rwM6m/IztpJfIXRsqsZ2ilciBbD+UPKAe9W4lp6R8NgDROO0ugF
 tlYNZ+fkxwsK1yZH+XQ3nl0dfKrSXD14Mti/H8YIpNyspYZKUmvzRovhAqZBtjPLu4nX
 BOQx3tIdzGmD9OKh9eFeNwWYZnWwgU1AzklEsRp92mHCuwzGEW5PwW455vYIFGZ0CAbE
 OVKM0c325Ai6h55P+WCUA4B8FPM7RqbOrg0uSLOtim1Z2cj2FYGp6oT9VNTfI+raJ0AD
 BzNlXtGB9biZ+8sy90sOygBx0MmxXAmB6I9ugz65PShNq2znCQeR6lUkYpAsJPtEOiWP
 t+4Q==
X-Gm-Message-State: AOAM532wLAFqGYVFpdag7KiJQbb4TPCXVJO7FzkmsMvh3EhyiKmfBWs2
 iLA/PbYAwW1lDcwziH+fU28gtMLdV+uRyZzamyq49upV5b0h9VB5HcJRtOVo2rCKDzOLFWfOzAf
 387TUugydgz1aYTkid9yiX+uGGWq0WrVxQZn0AUDIGcA3I1824L5COh+xduM=
X-Google-Smtp-Source: ABdhPJzJW6ru2zTQ3wUbW8rvBgaLBt908i5dZ4mNgAzec7DFhK0XxTQsFEPleNxI8NYSJXBopIe45RzCeaE=
X-Received: from ascull.c.googlers.com ([fda3:e722:ac3:cc00:28:9cb1:c0a8:1510])
 (user=ascull job=sendgmr) by 2002:adf:fb82:0:b0:207:8b12:8d15 with SMTP id
 a2-20020adffb82000000b002078b128d15mr23941914wrr.1.1649859728044; Wed, 13 Apr
 2022 07:22:08 -0700 (PDT)
Date: Wed, 13 Apr 2022 14:21:36 +0000
In-Reply-To: <20220413142137.560987-1-ascull@google.com>
Message-Id: <20220413142137.560987-12-ascull@google.com>
Mime-Version: 1.0
References: <20220413142137.560987-1-ascull@google.com>
X-Mailer: git-send-email 2.35.1.1178.g4f1659d476-goog
Subject: [PATCH v2 11/12] virtio: rng: Check length before copying
From: Andrew Scull <ascull@google.com>
To: u-boot@lists.denx.de
Cc: sjg@chromium.org, trini@konsulko.com, Andrew Scull <ascull@google.com>, 
 Sughosh Ganu <sughosh.ganu@linaro.org>
Content-Type: text/plain; charset="UTF-8"
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <https://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=subscribe>
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
X-Virus-Scanned: clamav-milter 0.103.5 at phobos.denx.de
X-Virus-Status: Clean

Check the length of data written by the device is consistent with the
size of the buffers to avoid out-of-bounds memory accesses in case
values aren't consistent.

Signed-off-by: Andrew Scull <ascull@google.com>
Cc: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
---
 drivers/virtio/virtio_rng.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/virtio/virtio_rng.c b/drivers/virtio/virtio_rng.c
index 9314c0a03e..b85545c2ee 100644
--- a/drivers/virtio/virtio_rng.c
+++ b/drivers/virtio/virtio_rng.c
@@ -41,6 +41,9 @@ static int virtio_rng_read(struct udevice *dev, void *data, size_t len)
 		while (!virtqueue_get_buf(priv->rng_vq, &rsize))
 			;
 
+		if (rsize > sg.length)
+			return -EIO;
+
 		memcpy(ptr, buf, rsize);
 		len -= rsize;
 		ptr += rsize;
-- 
2.35.1.1178.g4f1659d476-goog