From: Bin Meng
Date: Thu, 24 Mar 2022 23:24:08 +0800
Subject: Re: [PATCH 05/11] virtio: pci: Check virtio capability is in bounds
To: Andrew Scull
Cc: U-Boot Mailing List, Simon Glass, Alistair Delva, keirf@google.com, ptosi@google.com

On Sun, Mar 20, 2022 at 7:41 PM Andrew Scull wrote:
>
> Ensure the virtio PCI capabilities are contained within the bounds of
> the device's configuration space. The expected size of the capability is
> passed when searching for the capability to enforce this check.
>
> Signed-off-by: Andrew Scull
> --- > drivers/virtio/virtio_pci_modern.c | 23 +++++++++++++++++++---- > 1 file changed, 19 insertions(+), 4 deletions(-) > > diff --git a/drivers/virtio/virtio_pci_modern.c b/drivers/virtio/virtio_pci_modern.c > index 3403ff5cca..4b346be257 100644 > --- a/drivers/virtio/virtio_pci_modern.c > +++ b/drivers/virtio/virtio_pci_modern.c
> @@ -392,18 +392,30 @@ static int virtio_pci_notify(struct udevice *udev, struct virtqueue *vq) > * > * @udev: the transport device > * @cfg_type: the VIRTIO_PCI_CAP_* value we seek > + * @cap_size: expected size of the capability > * > * Return: offset of the configuration structure > */ > -static int virtio_pci_find_capability(struct udevice *udev, u8 cfg_type) > +static int virtio_pci_find_capability(struct udevice *udev, u8 cfg_type, > + size_t cap_size) > { > int pos; > int offset; > u8 type, bar; > > + if (cap_size < sizeof(struct virtio_pci_cap)) > + return 0; > + > + if (cap_size > PCI_CFG_SPACE_SIZE) > + return 0; > + The above 2 checks are not necessary as this helper is local to this driver, and we know the callers do things correctly. > for (pos = dm_pci_find_capability(udev, PCI_CAP_ID_VNDR); > pos > 0; > pos = dm_pci_find_next_capability(udev, pos, PCI_CAP_ID_VNDR)) { > + /* Ensure the capability is within bounds */ > + if (PCI_CFG_SPACE_SIZE - cap_size < pos) > + return 0; > + > offset = pos + offsetof(struct virtio_pci_cap, cfg_type); > dm_pci_read_config8(udev, offset, &type); > offset = pos + offsetof(struct virtio_pci_cap, bar); > @@ -491,7 +503,8 @@ static int virtio_pci_probe(struct udevice *udev) > uc_priv->vendor = subvendor; > > /* Check for a common config: if not, use legacy mode (bar 0) */ > - common = virtio_pci_find_capability(udev, VIRTIO_PCI_CAP_COMMON_CFG); > + common = virtio_pci_find_capability(udev, VIRTIO_PCI_CAP_COMMON_CFG, > + sizeof(struct virtio_pci_cap)); > if (!common) { > printf("(%s): leaving for legacy driver\n", udev->name); > return -ENODEV; 
> @@ -505,7 +518,8 @@ static int virtio_pci_probe(struct udevice *udev) > } > > /* If common is there, notify should be too */ > - notify = virtio_pci_find_capability(udev, VIRTIO_PCI_CAP_NOTIFY_CFG); > + notify = virtio_pci_find_capability(udev, VIRTIO_PCI_CAP_NOTIFY_CFG, > + sizeof(struct virtio_pci_notify_cap)); > if (!notify) { > printf("(%s): missing capabilities %i/%i\n", udev->name, > common, notify); > @@ -519,7 +533,8 @@ static int virtio_pci_probe(struct udevice *udev) > * Device capability is only mandatory for devices that have > * device-specific configuration. > */ > - device = virtio_pci_find_capability(udev, VIRTIO_PCI_CAP_DEVICE_CFG); > + device = virtio_pci_find_capability(udev, VIRTIO_PCI_CAP_DEVICE_CFG, > + sizeof(struct virtio_pci_cap)); > if (device) { > offset = device + offsetof(struct virtio_pci_cap, length); > dm_pci_read_config32(udev, offset, &priv->device_len); > -- Regards, Bin
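
Review bot: In the loop of virtio_pci_find_capability() (hunk at -392), the new `PCI_CFG_SPACE_SIZE - cap_size < pos` test runs before `cfg_type` is read, so it is applied to every vendor capability visited, and `return 0` ends the search at the first one that cannot hold `cap_size` bytes, even when that capability is of a different type than the one sought. Consider bounding the header reads with sizeof(struct virtio_pci_cap) first and applying `cap_size` only once the type matches, or using `continue` instead of `return 0`. If the two guards at the top of the function are dropped as the reply suggests, note that `cap_size` is a size_t, so the subtraction is unsigned and depends on `cap_size <= PCI_CFG_SPACE_SIZE` to avoid wrapping; that precondition should then be stated in the function comment. The `Return:` line of the comment also still does not say that 0 means "not found or out of bounds".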
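
Review bot: At the three call sites in virtio_pci_probe() (hunks at -491, -505 and -519), a capability that exists but fails the new bounds check cannot be told apart from one that is absent: `common == 0` prints "leaving for legacy driver" and returns -ENODEV, and `device == 0` silently skips the device-specific configuration. A distinct return value or a debug message for the out-of-bounds case in virtio_pci_find_capability() would make a malformed device visible instead of having it treated as a legacy device or one without device config.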