On 5/19/20 3:19 PM, Cornelia Huck wrote: > On Mon, 18 May 2020 11:15:07 -0400 > Collin Walling wrote: > >> On 5/18/20 4:50 AM, Janosch Frank wrote: >>> On 5/16/20 12:20 AM, Collin Walling wrote: >>>> Rework the SCLP boundary check to account for different SCLP commands >>>> (eventually) allowing different boundary sizes. >>>> >>>> Move the length check code into a separate function, and introduce a >>>> new function to determine the length of the read SCP data (i.e. the size >>>> from the start of the struct to where the CPU entries should begin). >>>> >>>> Signed-off-by: Collin Walling >>>> --- >>>> hw/s390x/sclp.c | 57 ++++++++++++++++++++++++++++++++++++++++++------- >>>> 1 file changed, 49 insertions(+), 8 deletions(-) >>>> >>>> diff --git a/hw/s390x/sclp.c b/hw/s390x/sclp.c >>>> index 2bd618515e..987699e3c4 100644 >>>> --- a/hw/s390x/sclp.c >>>> +++ b/hw/s390x/sclp.c >>>> @@ -49,6 +49,34 @@ static inline bool sclp_command_code_valid(uint32_t code) >>>> return false; >>>> } >>>> >>>> +static bool sccb_has_valid_boundary(uint64_t sccb_addr, uint32_t code, >>>> + SCCBHeader *header) >>>> +{ >>>> + uint64_t current_len = sccb_addr + be16_to_cpu(header->length); >>>> + uint64_t allowed_len = (sccb_addr & PAGE_MASK) + PAGE_SIZE; >>> >>> Those are addresses not length indications and the names should reflect >>> that. >> >> True >> >>> Also don't we need to use PAGE_SIZE - 1? >>> >> >> Technically we need to -1 on both sides since length denotes the size of >> the sccb in bytes, not the max address. >> >> How about this: >> >> s/current_len/sccb_max_addr >> s/allowed_len/sccb_boundary > > +1, like the names. > >> >> -1 to sccb_max_addr >> >> Change the check to: sccb_max_addr < sccb_boundary >> >> ? >> >>> I'm still trying to wake up, so take this with a grain of salt. >>> >> >> No worries. I appreciate the review nonetheless :) >> >>>> + >>>> + switch (code & SCLP_CMD_CODE_MASK) { >>>> + default: >>>> + if (current_len <= allowed_len) { >>>> + return true; >>>> + } >>>> + } >>>> + header->response_code = cpu_to_be16(SCLP_RC_SCCB_BOUNDARY_VIOLATION); >>>> + return false; >>>> +} >>>> + >>>> +/* Calculates sufficient SCCB length to store a full Read SCP/CPU response */ >>>> +static bool sccb_has_sufficient_len(SCCB *sccb, int num_cpus, int data_len) >>>> +{ >>>> + int required_len = data_len + num_cpus * sizeof(CPUEntry); >>>> + >>>> + if (be16_to_cpu(sccb->h.length) < required_len) { >>>> + sccb->h.response_code = cpu_to_be16(SCLP_RC_INSUFFICIENT_SCCB_LENGTH); >>>> + return false; >>>> + } >>>> + return true; >>>> +} >>> >>> Hm, from the function name alone I'd not have expected it to also set >>> the response code. >>> >> >> It also sets the required length in the header for an extended-length >> sccb. Perhaps this function name doesn't hold up well. >> >> Does sccb_check_sufficient_len make more sense? > > To me it does. > >> >> I think the same could be said of the boundary check function, which >> also sets the response code. >> >> What about setting the response code outside the function, similar to >> what sclp_comand_code_valid does? > > Whatever results in the least code churn to make it consistent ;) > >> >>>> + >>>> static void prepare_cpu_entries(MachineState *ms, CPUEntry *entry, int *count) >>>> { >>>> uint8_t features[SCCB_CPU_FEATURE_LEN] = { 0 }; >>>> @@ -66,6 +94,16 @@ static void prepare_cpu_entries(MachineState *ms, CPUEntry *entry, int *count) >>>> } >>>> } >>>> >>>> +/* >>>> + * The data length denotes the start of the struct to where the first >>>> + * CPU entry is to be allocated. This value also denotes the offset_cpu >>>> + * field. >>>> + */ >>>> +static int get_read_scp_info_data_len(void) >>>> +{ >>>> + return offsetof(ReadInfo, entries); >>>> +} >>> >>> Not sure what the policy for this is, but maybe this can go into a >>> header file? >>> David and Conny will surely make that clear to me :) >>> >> >> Not sure either. If anything it might be a good candidate for an inline >> function. > > If we don't process read info outside of this file, no need to move it > to a header. The compiler is probably also smart enough to inline it on > its own, I guess. > > I'm also ok with the names and the rest