Date: Thu, 21 Apr 2022 16:11:02 +0000
In-Reply-To: <20220421161116.1202023-1-ascull@google.com>
Message-Id: <20220421161116.1202023-5-ascull@google.com>
References: <20220421161116.1202023-1-ascull@google.com>
Subject: [PATCH v3 04/18] virtio: pci: Bounds check notification writes
From: Andrew Scull To: u-boot@lists.denx.de Cc: sjg@chromium.org, bmeng.cn@gmail.com, trini@konsulko.com, Andrew Scull Content-Type: text/plain; charset="UTF-8" X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.5 at phobos.denx.de X-Virus-Status: Clean Make sure virtio notifications are written within their allocated buffer. Signed-off-by: Andrew Scull Reviewed-by: Bin Meng --- drivers/virtio/virtio_pci_modern.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/drivers/virtio/virtio_pci_modern.c b/drivers/virtio/virtio_pci_modern.c index bcf9f18997..7dd58aa0f4 100644 --- a/drivers/virtio/virtio_pci_modern.c +++ b/drivers/virtio/virtio_pci_modern.c @@ -94,6 +94,7 @@ * * @common: pci transport device common register block base * @notify_base: pci transport device notify register block base + * @notify_len: pci transport device notify register block length * @device: pci transport device device-specific register block base * @device_len: pci transport device device-specific register block length * @notify_offset_multiplier: multiply queue_notify_off by this value @@ -101,6 +102,7 @@ struct virtio_pci_priv { struct virtio_pci_common_cfg __iomem *common; void __iomem *notify_base; + u32 notify_len; void __iomem *device; u32 device_len; u32 notify_offset_multiplier; 
@@ -372,12 +374,20 @@ static int virtio_pci_notify(struct udevice *udev, struct virtqueue *vq) /* get offset of notification word for this vq */ off = ioread16(&priv->common->queue_notify_off); + /* + * Check the effective offset is in bounds and leaves space for the + * notification, which is just a single 16-bit value since + * VIRTIO_F_NOTIFICATION_DATA isn't negotiated by the drivers. + */ + off *= priv->notify_offset_multiplier; + if (off > priv->notify_len - sizeof(u16)) + return -EIO; + /* * We write the queue's selector into the notification register * to signal the other end */ - iowrite16(vq->index, - priv->notify_base + off * priv->notify_offset_multiplier); + iowrite16(vq->index, priv->notify_base + off); return 0; } @@ -499,6 +509,9 @@ static int virtio_pci_probe(struct udevice *udev) return -EINVAL; } + offset = notify + offsetof(struct virtio_pci_cap, length); + dm_pci_read_config32(udev, offset, &priv->notify_len); + /* * Device capability is only mandatory for devices that have * device-specific configuration. -- 2.36.0.rc2.479.g8af0fa9b8e-goog
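Review bot: In the virtio_pci_notify hunk, `priv->notify_len - sizeof(u16)` underflows when the device reports a notify capability shorter than two bytes: `notify_len` is a `u32` promoted to `size_t`, so a length of 0 or 1 wraps to a huge value and the `off > ...` test never fires, letting the `iowrite16` land past the region it was meant to stay inside. Since `notify_len` is read straight from device config space in the probe hunk, it is device-controlled and cannot be assumed to be at least two. Suggest guarding the subtraction, e.g. `if (priv->notify_len < sizeof(u16) || off > priv->notify_len - sizeof(u16)) return -EIO;`. Smaller point: the declared type of `off` is outside the visible context; `off *= priv->notify_offset_multiplier` needs a type at least as wide as `u32`, otherwise the product is truncated before the check, and even at 32 bits a large device-supplied multiplier wraps the product to an in-bounds but wrong notification address, which the new comment could mention.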
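Review bot: In the virtio_pci_probe hunk, `priv->notify_len` is stored verbatim from the capability's `length` field with no check that `notify_base + notify_len` stays inside the BAR that `notify_base` was mapped from, so the new bounds check in virtio_pci_notify is only as strong as that mapping. If the existing mapping code already validates or clamps the capability length against the BAR size, a short comment next to `dm_pci_read_config32(udev, offset, &priv->notify_len);` saying so would make the dependency explicit; if it does not, the length should be validated here before it is stored, mirroring whatever is done for `device_len`.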