All of lore.kernel.org
 help / color / mirror / Atom feed
* [Qemu-devel] [PATCH v1] arm: check bit index before usage
@ 2018-10-22 18:10 P J P
  2018-10-22 23:23 ` Philippe Mathieu-Daudé
  2018-10-25 14:32 ` Peter Maydell
  0 siblings, 2 replies; 7+ messages in thread
From: P J P @ 2018-10-22 18:10 UTC (permalink / raw)
  To: Qemu Developers; +Cc: Peter Maydell, liqsub1, Moguofang, Prasad J Pandit

From: Prasad J Pandit <pjp@fedoraproject.org>

While performing gpio write via strongarm_gpio_handler_update
routine, the 'bit' index could access beyond s->handler[28] array.
Add check to avoid OOB access.

Reported-by: Moguofang <moguofang@huawei.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
 hw/arm/strongarm.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Update v1: use ARRAY_SIZE macro
  -> https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg04826.html

diff --git a/hw/arm/strongarm.c b/hw/arm/strongarm.c
index ec2627374d..9225b1ba6e 100644
--- a/hw/arm/strongarm.c
+++ b/hw/arm/strongarm.c
@@ -532,7 +532,9 @@ static void strongarm_gpio_handler_update(StrongARMGPIOInfo *s)
 
     for (diff = s->prev_level ^ level; diff; diff ^= 1 << bit) {
         bit = ctz32(diff);
-        qemu_set_irq(s->handler[bit], (level >> bit) & 1);
+        if (bit < ARRAY_SIZE(s->handler)) {
+            qemu_set_irq(s->handler[bit], (level >> bit) & 1);
+        }
     }
 
     s->prev_level = level;
-- 
2.17.2

^ permalink raw reply related	[flat|nested] 7+ messages in thread
* Re: [Qemu-devel] [PATCH v1] arm: check bit index before usage
  2018-10-22 18:10 [Qemu-devel] [PATCH v1] arm: check bit index before usage P J P
@ 2018-10-22 23:23 ` Philippe Mathieu-Daudé
  2018-10-23  4:51   ` P J P
  2018-10-25 14:32 ` Peter Maydell
  1 sibling, 1 reply; 7+ messages in thread
From: Philippe Mathieu-Daudé @ 2018-10-22 23:23 UTC (permalink / raw)
  To: P J P, Qemu Developers; +Cc: Peter Maydell, liqsub1, Moguofang, Prasad J Pandit

Hi Prasad,

On 22/10/18 20:10, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
> 
> While performing gpio write via strongarm_gpio_handler_update
> routine, the 'bit' index could access beyond s->handler[28] array.
> Add check to avoid OOB access.
> 
> Reported-by: Moguofang <moguofang@huawei.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
>   hw/arm/strongarm.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
> 
> Update v1: use ARRAY_SIZE macro
>    -> https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg04826.html
> 
> diff --git a/hw/arm/strongarm.c b/hw/arm/strongarm.c
> index ec2627374d..9225b1ba6e 100644
> --- a/hw/arm/strongarm.c
> +++ b/hw/arm/strongarm.c
> @@ -532,7 +532,9 @@ static void strongarm_gpio_handler_update(StrongARMGPIOInfo *s)
>   
>       for (diff = s->prev_level ^ level; diff; diff ^= 1 << bit) {
>           bit = ctz32(diff);
> -        qemu_set_irq(s->handler[bit], (level >> bit) & 1);
> +        if (bit < ARRAY_SIZE(s->handler)) {
> +            qemu_set_irq(s->handler[bit], (level >> bit) & 1);

            } else {
                	qemu_log_mask(LOG_GUEST_ERROR, ...

With that:
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>

> +        }
>       }
>   
>       s->prev_level = level;
> 

^ permalink raw reply	[flat|nested] 7+ messages in thread
* Re: [Qemu-devel] [PATCH v1] arm: check bit index before usage
  2018-10-22 23:23 ` Philippe Mathieu-Daudé
@ 2018-10-23  4:51   ` P J P
  0 siblings, 0 replies; 7+ messages in thread
From: P J P @ 2018-10-23  4:51 UTC (permalink / raw)
  To: Philippe Mathieu-Daudé
  Cc: Qemu Developers, Peter Maydell, liqsub1, Moguofang

+-- On Tue, 23 Oct 2018, Philippe Mathieu-Daudé wrote --+
| > From: Prasad J Pandit <pjp@fedoraproject.org>
| > 
| > Update v1: use ARRAY_SIZE macro
| >    -> https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg04826.html
| > 
| > -        qemu_set_irq(s->handler[bit], (level >> bit) & 1);
| > +        if (bit < ARRAY_SIZE(s->handler)) {
| > +            qemu_set_irq(s->handler[bit], (level >> bit) & 1);
| 
|            } else {
|                	qemu_log_mask(LOG_GUEST_ERROR, ...
| 
| With that:
| Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>

Thank you Philippe and Li.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

^ permalink raw reply	[flat|nested] 7+ messages in thread
* Re: [Qemu-devel] [PATCH v1] arm: check bit index before usage
  2018-10-22 18:10 [Qemu-devel] [PATCH v1] arm: check bit index before usage P J P
  2018-10-22 23:23 ` Philippe Mathieu-Daudé
@ 2018-10-25 14:32 ` Peter Maydell
  2018-10-25 20:31   ` P J P
  1 sibling, 1 reply; 7+ messages in thread
From: Peter Maydell @ 2018-10-25 14:32 UTC (permalink / raw)
  To: P J P; +Cc: Qemu Developers, liqsub1, Moguofang, Prasad J Pandit

On 22 October 2018 at 19:10, P J P <ppandit@redhat.com> wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> While performing gpio write via strongarm_gpio_handler_update
> routine, the 'bit' index could access beyond s->handler[28] array.
> Add check to avoid OOB access.
>
> Reported-by: Moguofang <moguofang@huawei.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
>  hw/arm/strongarm.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> Update v1: use ARRAY_SIZE macro
>   -> https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg04826.html
>

Hi; thanks for this patch. Looking at the SA1110 manual,
it says that writes to the reserved bits [31:28] are
ignored. So I think that rather than doing this check
here, we should do what the strongarm_ppc_* code in the
same file does -- mask off the high bits for writes to
the direction and state registers. Then it will not
be possible for high bits to be set here that cause an
out-of-range array access.

Side note: this device is used only in the "collie"
machine model, which only works via TCG, so this is
not a security issue, just a bug (which will only be
visible if the guest is buggy.)

thanks
-- PMM

^ permalink raw reply	[flat|nested] 7+ messages in thread
* Re: [Qemu-devel] [PATCH v1] arm: check bit index before usage
  2018-10-25 14:32 ` Peter Maydell
@ 2018-10-25 20:31   ` P J P
  2018-10-26  7:04     ` Peter Maydell
  0 siblings, 1 reply; 7+ messages in thread
From: P J P @ 2018-10-25 20:31 UTC (permalink / raw)
  To: Peter Maydell; +Cc: Qemu Developers, liqsub1, Moguofang

+-- On Thu, 25 Oct 2018, Peter Maydell wrote --+
| Hi; thanks for this patch. Looking at the SA1110 manual,
| it says that writes to the reserved bits [31:28] are
| ignored. So I think that rather than doing this check
| here, we should do what the strongarm_ppc_* code in the
| same file does -- mask off the high bits for writes to
| the direction and state registers. Then it will not
| be possible for high bits to be set here that cause an
| out-of-range array access.

===
diff --git a/hw/arm/strongarm.c b/hw/arm/strongarm.c
index ec2627374d..dd8c4b1f2e 100644
--- a/hw/arm/strongarm.c
+++ b/hw/arm/strongarm.c
@@ -587,12 +587,12 @@ static void strongarm_gpio_write(void *opaque, hwaddr 
offset,
 
     switch (offset) {
     case GPDR:        /* GPIO Pin-Direction registers */
-        s->dir = value;
+        s->dir = value & 0x3fffff;
         strongarm_gpio_handler_update(s);
         break;
 
     case GPSR:        /* GPIO Pin-Output Set registers */
-        s->olevel |= value;
+        s->olevel |= value & 0x3fffff;
         strongarm_gpio_handler_update(s);
         break;
===

does this seem okay?
 
| Side note: this device is used only in the "collie"
| machine model, which only works via TCG, so this is
| not a security issue, just a bug (which will only be
| visible if the guest is buggy.)

Cool, thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

^ permalink raw reply related	[flat|nested] 7+ messages in thread
* Re: [Qemu-devel] [PATCH v1] arm: check bit index before usage
  2018-10-25 20:31   ` P J P
@ 2018-10-26  7:04     ` Peter Maydell
  2018-10-26  9:37       ` P J P
  0 siblings, 1 reply; 7+ messages in thread
From: Peter Maydell @ 2018-10-26  7:04 UTC (permalink / raw)
  To: P J P; +Cc: Qemu Developers, liqsub1, Moguofang

On 25 October 2018 at 21:31, P J P <ppandit@redhat.com> wrote:
> +-- On Thu, 25 Oct 2018, Peter Maydell wrote --+
> | Hi; thanks for this patch. Looking at the SA1110 manual,
> | it says that writes to the reserved bits [31:28] are
> | ignored. So I think that rather than doing this check
> | here, we should do what the strongarm_ppc_* code in the
> | same file does -- mask off the high bits for writes to
> | the direction and state registers. Then it will not
> | be possible for high bits to be set here that cause an
> | out-of-range array access.
>
> ===
> diff --git a/hw/arm/strongarm.c b/hw/arm/strongarm.c
> index ec2627374d..dd8c4b1f2e 100644
> --- a/hw/arm/strongarm.c
> +++ b/hw/arm/strongarm.c
> @@ -587,12 +587,12 @@ static void strongarm_gpio_write(void *opaque, hwaddr
> offset,
>
>      switch (offset) {
>      case GPDR:        /* GPIO Pin-Direction registers */
> -        s->dir = value;
> +        s->dir = value & 0x3fffff;
>          strongarm_gpio_handler_update(s);
>          break;
>
>      case GPSR:        /* GPIO Pin-Output Set registers */
> -        s->olevel |= value;
> +        s->olevel |= value & 0x3fffff;
>          strongarm_gpio_handler_update(s);
>          break;
> ===
>
> does this seem okay?

Yes, that's what I had in mind.

thanks
-- PMM

^ permalink raw reply	[flat|nested] 7+ messages in thread
* Re: [Qemu-devel] [PATCH v1] arm: check bit index before usage
  2018-10-26  7:04     ` Peter Maydell
@ 2018-10-26  9:37       ` P J P
  0 siblings, 0 replies; 7+ messages in thread
From: P J P @ 2018-10-26  9:37 UTC (permalink / raw)
  To: Peter Maydell; +Cc: Qemu Developers, liqsub1, Moguofang

+-- On Fri, 26 Oct 2018, Peter Maydell wrote --+
| > ===
| > diff --git a/hw/arm/strongarm.c b/hw/arm/strongarm.c
| > index ec2627374d..dd8c4b1f2e 100644
| > --- a/hw/arm/strongarm.c
| > +++ b/hw/arm/strongarm.c
| > @@ -587,12 +587,12 @@ static void strongarm_gpio_write(void *opaque, hwaddr
| > offset,
| >
| >      switch (offset) {
| >      case GPDR:        /* GPIO Pin-Direction registers */
| > -        s->dir = value;
| > +        s->dir = value & 0x3fffff;
| >          strongarm_gpio_handler_update(s);
| >          break;
| >
| >      case GPSR:        /* GPIO Pin-Output Set registers */
| > -        s->olevel |= value;
| > +        s->olevel |= value & 0x3fffff;
| >          strongarm_gpio_handler_update(s);
| >          break;
| > ===
| >
| > does this seem okay?
| 
| Yes, that's what I had in mind.

Cool, patch sent.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

^ permalink raw reply	[flat|nested] 7+ messages in thread
end of thread, other threads:[~2018-10-26  9:37 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-10-22 18:10 [Qemu-devel] [PATCH v1] arm: check bit index before usage P J P
2018-10-22 23:23 ` Philippe Mathieu-Daudé
2018-10-23  4:51   ` P J P
2018-10-25 14:32 ` Peter Maydell
2018-10-25 20:31   ` P J P
2018-10-26  7:04     ` Peter Maydell
2018-10-26  9:37       ` P J P

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.