From: Marcel Apfelbaum <marcel@redhat.com>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: QEMU Developers <qemu-devel@nongnu.org>,
	Yuval Shaia <yuval.shaia@oracle.com>
Subject: Re: [Qemu-devel] [PATCH PULL v2 08/10] hw/rdma: PVRDMA commands and data-path ops
Date: Fri, 27 Apr 2018 21:22:20 +0300
Message-ID: <e5d03d22-9ebe-a787-450c-64ac485fac7d@redhat.com>
In-Reply-To: <CAFEAcA_YeDoYVEJqNq532varAAavXbkJxs8r+_YSq_NB8LZWuw@mail.gmail.com>

On 27/04/2018 17:43, Peter Maydell wrote:
> On 19 February 2018 at 11:43, Marcel Apfelbaum <marcel@redhat.com> wrote:
>> From: Yuval Shaia <yuval.shaia@oracle.com>
>>
>> First PVRDMA sub-module - implementation of the PVRDMA device.
>> - PVRDMA commands such as create CQ and create MR.
>> - Data path QP operations - post_send and post_recv.
>> - Completion handler.
> 
> Coverity (CID1390589, CID1390608) points out more array
> bounds overruns here:
> 
>> +
>> +typedef struct PVRDMADev {
>> +    PCIDevice parent_obj;
>> +    MemoryRegion msix;
>> +    MemoryRegion regs;
>> +    uint32_t regs_data[RDMA_BAR1_REGS_SIZE];
> 
> regs_data is an array of size RDMA_BAR1_REGS_SIZE...
> 
>> +    MemoryRegion uar;
>> +    uint32_t uar_data[RDMA_BAR2_UAR_SIZE];
>> +    DSRInfo dsr_info;
>> +    int interrupt_mask;
>> +    struct ibv_device_attr dev_attr;
>> +    uint64_t node_guid;
>> +    char *backend_device_name;
>> +    uint8_t backend_gid_idx;
>> +    uint8_t backend_port_num;
>> +    RdmaBackendDev backend_dev;
>> +    RdmaDeviceResources rdma_dev_res;
>> +} PVRDMADev;
>> +#define PVRDMA_DEV(dev) OBJECT_CHECK(PVRDMADev, (dev), PVRDMA_HW_NAME)
>> +
>> +static inline int get_reg_val(PVRDMADev *dev, hwaddr addr, uint32_t *val)
>> +{
>> +    int idx = addr >> 2;
>> +
>> +    if (idx > RDMA_BAR1_REGS_SIZE) {
>> +        return -EINVAL;
>> +    }
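Review bot: the bounds check `if (idx > RDMA_BAR1_REGS_SIZE)` admits `idx == RDMA_BAR1_REGS_SIZE`, one past the end of `regs_data[RDMA_BAR1_REGS_SIZE]`; it should be `>=`. Separately, `int idx = addr >> 2;` stores the shift of a 64-bit `hwaddr` in a signed `int`, so a large `addr` would truncate to a negative `idx` that a signed `>` comparison does not reject either; keeping `idx` as `hwaddr` (or `size_t`) and testing `idx >= RDMA_BAR1_REGS_SIZE` closes both gaps.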
> 
> ...but the bounds check here is ">" rather than ">="
> and allows idx == RDMA_BAR1_REGS_SIZE through...
> 
>> +
>> +    *val = dev->regs_data[idx];
> 
> ...and this will overrun the array.
> 
>> +
>> +    return 0;
>> +}
>> +
>> +static inline int set_reg_val(PVRDMADev *dev, hwaddr addr, uint32_t val)
>> +{
>> +    int idx = addr >> 2;
>> +
>> +    if (idx > RDMA_BAR1_REGS_SIZE) {
>> +        return -EINVAL;
>> +    }
>> +
>> +    dev->regs_data[idx] = val;
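Review bot: same off-by-one as in `get_reg_val()`: `idx > RDMA_BAR1_REGS_SIZE` lets `idx == RDMA_BAR1_REGS_SIZE` through to `dev->regs_data[idx] = val`, writing one element past the array. Since both accessors repeat the identical index computation and check, factor them into one helper (for example a `reg_idx()` that returns -1 for an out-of-range address) so a future fix cannot land in one copy and not the other.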
> 
> Similarly here, where this is a write access.
> 
> Luckily this isn't an exploitable guest escape, because the only
> call to set_reg_val() with a guest-controlled addr value is from
> the read function of an MMIO MemoryRegion which is created with
> a size of RDMA_BAR1_REGS_SIZE, so the guest can't get out of
> range values into here.
> 
> Three times is a pattern -- you might like to check your
> other bounds checks for off-by-one errors. Coverity doesn't
> necessarily catch all of them.
> 

Agreed, I'll go over the code again.

Thanks,
Marcel


> thanks
> -- PMM
> 
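The two checks discussed above, as an added example that is not part of this thread or of QEMU's code: the posted `>` comparison on a signed `int` index beside a hardened check on an unsigned index, with accessors that touch the register array only after the hardened check passes. `REGS_SIZE`, `MockDev`, `hwaddr` as a bare `uint64_t` and `roundtrip` are stand-ins constructed for this example, not QEMU's definitions; the example also covers the negative-index case that a truncating `int` conversion lets through, which goes beyond the off-by-one Coverity reported.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

#define REGS_SIZE 64        /* constructed stand-in for RDMA_BAR1_REGS_SIZE (assumed a plain int macro) */
typedef uint64_t hwaddr;    /* QEMU's hwaddr is a 64-bit unsigned type */
typedef struct { uint32_t regs_data[REGS_SIZE]; } MockDev; /* constructed stand-in for PVRDMADev */

/* The check as posted: a signed index and '>' where '>=' was meant.
 * Returns true when the check would let the access through. */
bool original_check_accepts(hwaddr addr)
{
    int idx = addr >> 2;            /* 64-bit address truncated to a 32-bit int */
    return !(idx > REGS_SIZE);      /* idx == REGS_SIZE passes; so does a wrapped negative idx */
}

/* Hardened check: keep the index in the address type and accept only 0..REGS_SIZE-1. */
bool fixed_check_accepts(hwaddr addr)
{
    hwaddr idx = addr >> 2;
    return idx < (hwaddr)REGS_SIZE;
}

/* Accessors built on the hardened check; the array is touched only after it passes. */
int get_reg_val(MockDev *dev, hwaddr addr, uint32_t *val)
{
    if (!fixed_check_accepts(addr)) return -EINVAL;
    *val = dev->regs_data[addr >> 2];
    return 0;
}

int set_reg_val(MockDev *dev, hwaddr addr, uint32_t val)
{
    if (!fixed_check_accepts(addr)) return -EINVAL;
    dev->regs_data[addr >> 2] = val;
    return 0;
}

/* Writes val to the register at addr and reads it back; returns the value read, or -1 if rejected. */
int64_t roundtrip(hwaddr addr, uint32_t val)
{
    MockDev dev = {{0}};
    uint32_t out = 0;
    if (set_reg_val(&dev, addr, val) != 0 || get_reg_val(&dev, addr, &out) != 0) {
        return -1;
    }
    return (int64_t)out;
}
```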
