References: <20220320114118.2237795-1-ascull@google.com> <20220320114118.2237795-4-ascull@google.com>
In-Reply-To: <20220320114118.2237795-4-ascull@google.com>
From: Bin Meng Date: Thu, 24 Mar 2022 22:18:58 +0800 Message-ID: Subject: Re: [PATCH 03/11] virtio: pci: Bounds check notification writes To: Andrew Scull Cc: U-Boot Mailing List , Simon Glass , Alistair Delva , keirf@google.com, ptosi@google.com Content-Type: text/plain; charset="UTF-8" X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.5 at phobos.denx.de X-Virus-Status: Clean On Sun, Mar 20, 2022 at 7:41 PM Andrew Scull wrote: > > Make sure virtio notifications are written within their allocated > buffer. > > Signed-off-by: Andrew Scull > --- > drivers/virtio/virtio_pci_modern.c | 12 ++++++++++-- > 1 file changed, 10 insertions(+), 2 deletions(-) > > diff --git a/drivers/virtio/virtio_pci_modern.c b/drivers/virtio/virtio_pci_modern.c > index bcf9f18997..60bdc53a6d 100644 > --- a/drivers/virtio/virtio_pci_modern.c > +++ b/drivers/virtio/virtio_pci_modern.c > @@ -101,6 +101,7 @@ > struct virtio_pci_priv { > struct virtio_pci_common_cfg __iomem *common; > void __iomem *notify_base; > + u32 notify_len; > void __iomem *device; > u32 device_len; > u32 notify_offset_multiplier; 
> @@ -372,12 +373,16 @@ static int virtio_pci_notify(struct udevice *udev, struct virtqueue *vq) > /* get offset of notification word for this vq */ > off = ioread16(&priv->common->queue_notify_off); > > + /* Check the effective offset is in bounds */ > + off *= priv->notify_offset_multiplier; > + if (off > priv->notify_len - sizeof(u16)) This check may not work for devices offering VIRTIO_F_NOTIFICATION_DATA. > + return -EIO; > + > /* > * We write the queue's selector into the notification register > * to signal the other end > */ > - iowrite16(vq->index, > - priv->notify_base + off * priv->notify_offset_multiplier); > + iowrite16(vq->index, priv->notify_base + off); > > return 0; > } > @@ -499,6 +504,9 @@ static int virtio_pci_probe(struct udevice *udev) > return -EINVAL; > } > > + offset = notify + offsetof(struct virtio_pci_cap, length); > + dm_pci_read_config32(udev, offset, &priv->notify_len); > + > /* > * Device capability is only mandatory for devices that have > * device-specific configuration. Regards, Bin
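Review bot: the new `notify_len` member added to struct virtio_pci_priv in the first hunk carries no comment saying what it holds or in what unit; since it sits beside `notify_base` and is the counterpart of `device_len`, a one-line comment such as `/* byte length of the notify capability, from virtio_pci_cap.length */` would make the pairing explicit and tell readers of virtio_pci_notify what the bound means.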
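Review bot: the bounds check in virtio_pci_notify can wrap in two places. `priv->notify_len - sizeof(u16)` is an unsigned subtraction, so a device-supplied notify_len of 0 or 1 turns the bound into a huge value and every offset passes; and `off *= priv->notify_offset_multiplier` happens before the comparison, so with a 16-bit queue_notify_off and a 32-bit multiplier the product can overflow (the hunk does not show the declared type of `off`). Suggest computing the effective offset in a wider type and writing the test so neither side can wrap, e.g. `if (off >= priv->notify_len || priv->notify_len - off < sizeof(u16)) return -EIO;`. As raised inline, devices offering VIRTIO_F_NOTIFICATION_DATA also need the access width in the check to follow the negotiated notification size rather than a fixed sizeof(u16).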
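Review bot: in the virtio_pci_probe hunk the length read from virtio_pci_cap.length is stored into `priv->notify_len` without any validation and the return value of dm_pci_read_config32 is not checked, so a failed read or a device-supplied length smaller than the notification word flows straight into the subtraction in the notify path. Suggest checking the return value, rejecting a length below sizeof(u16) with the same -EINVAL used just above, and making sure the region mapped at `notify_base` is sized from this same length so the new check actually bounds the mapped region, mirroring how `device_len` is handled for the device capability.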