From: Pavel Pisa <pisa@cmp.felk.cvut.cz>
To: qemu-devel@nongnu.org, Peter Maydell <peter.maydell@linaro.org>
Cc: "Pavel Pisa" <pisa@cmp.felk.cvut.cz>,
"Jason Wang" <jasowang@redhat.com>,
"Vikram Garhwal" <fnu.vikram@xilinx.com>,
"Ondrej Ille" <ondrej.ille@gmail.com>,
"Jan Charvát" <charvj10@fel.cvut.cz>
Subject: [PATCH for-5.2 v3 1/4] hw/net/can/ctucan: Don't allow guest to write off end of tx_buffer
Date: Tue, 10 Nov 2020 22:52:47 +0100 [thread overview]
Message-ID: <94d4236dee6973978398e6e2a3a321b65a7d35be.1605044619.git.pisa@cmp.felk.cvut.cz> (raw)
In-Reply-To: <cover.1605044619.git.pisa@cmp.felk.cvut.cz>
From: Peter Maydell <peter.maydell@linaro.org>
The ctucan device has 4 CAN bus cores, each of which has a set of 20
32-bit registers for writing the transmitted data. The registers are
however not contiguous; each core's buffers is 0x100 bytes after
the last.
We got the checks on the address wrong in the ctucan_mem_write()
function:
* the first "is addr in range at all" check allowed
addr == CTUCAN_CORE_MEM_SIZE, which is actually the first
byte off the end of the range
* the decode of addresses into core-number plus offset in the
tx buffer for that core failed to check that the offset was
in range, so the guest could write off the end of the
tx_buffer[] array
NB: currently the values of CTUCAN_CORE_MEM_SIZE, CTUCAN_CORE_TXBUF_NUM,
etc, make "buff_num >= CTUCAN_CORE_TXBUF_NUM" impossible, but we
retain this as a runtime check rather than an assertion to permit
those values to be changed in future (in hardware they are
configurable synthesis parameters).
Fix the top level check, and check the offset is within the buffer.
Fixes: Coverity CID 1432874
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Pavel Pisa <pisa@cmp.felk.cvut.cz>
Tested-by: Pavel Pisa <pisa@cmp.felk.cvut.cz>
---
hw/net/can/ctucan_core.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/hw/net/can/ctucan_core.c b/hw/net/can/ctucan_core.c
index d20835cd7e..8486f429d7 100644
--- a/hw/net/can/ctucan_core.c
+++ b/hw/net/can/ctucan_core.c
@@ -303,7 +303,7 @@ void ctucan_mem_write(CtuCanCoreState *s, hwaddr addr, uint64_t val,
DPRINTF("write 0x%02llx addr 0x%02x\n",
(unsigned long long)val, (unsigned int)addr);
- if (addr > CTUCAN_CORE_MEM_SIZE) {
+ if (addr >= CTUCAN_CORE_MEM_SIZE) {
return;
}
@@ -312,7 +312,9 @@ void ctucan_mem_write(CtuCanCoreState *s, hwaddr addr, uint64_t val,
addr -= CTU_CAN_FD_TXTB1_DATA_1;
buff_num = addr / CTUCAN_CORE_TXBUFF_SPAN;
addr %= CTUCAN_CORE_TXBUFF_SPAN;
- if (buff_num < CTUCAN_CORE_TXBUF_NUM) {
+ addr &= ~3;
+ if ((buff_num < CTUCAN_CORE_TXBUF_NUM) &&
+ (addr < sizeof(s->tx_buffer[buff_num].data))) {
uint32_t *bufp = (uint32_t *)(s->tx_buffer[buff_num].data + addr);
*bufp = cpu_to_le32(val);
}
--
2.20.1
next prev parent reply other threads:[~2020-11-10 21:59 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-10 21:52 [PATCH for-5.2 v3 0/4] hw/net/can/ctucan: fix Coverity and other issues Pavel Pisa
2020-11-10 21:52 ` Pavel Pisa [this message]
2020-11-10 21:52 ` [PATCH for-5.2 v3 2/4] hw/net/can/ctucan: Avoid unused value in ctucan_send_ready_buffers() Pavel Pisa
2020-11-10 21:52 ` [PATCH for-5.2 v3 3/4] hw/net/can/ctucan_core: Handle big-endian hosts Pavel Pisa
2020-11-10 21:52 ` [PATCH for-5.2 v3 4/4] hw/net/can/ctucan_core: Use stl_le_p to write to tx_buffers Pavel Pisa
2020-11-11 12:50 ` [PATCH for-5.2 v3 0/4] hw/net/can/ctucan: fix Coverity and other issues Jason Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=94d4236dee6973978398e6e2a3a321b65a7d35be.1605044619.git.pisa@cmp.felk.cvut.cz \
--to=pisa@cmp.felk.cvut.cz \
--cc=charvj10@fel.cvut.cz \
--cc=fnu.vikram@xilinx.com \
--cc=jasowang@redhat.com \
--cc=ondrej.ille@gmail.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.