Re: [PATCH v2 3/8] s390/sclp: rework sclp boundary and length checks

From: Janosch Frank <frankja@linux.ibm.com>
To: Cornelia Huck <cohuck@redhat.com>,
	Collin Walling <walling@linux.ibm.com>
Cc: thuth@redhat.com, mst@redhat.com, david@redhat.com,
	qemu-devel@nongnu.org, pasic@linux.ibm.com,
	borntraeger@de.ibm.com, qemu-s390x@nongnu.org,
	svens@linux.ibm.com, pbonzini@redhat.com, mihajlov@linux.ibm.com,
	rth@twiddle.net
Subject: Re: [PATCH v2 3/8] s390/sclp: rework sclp boundary and length checks
Date: Mon, 25 May 2020 12:53:57 +0200	[thread overview]
Message-ID: <aab9d660-7368-709b-7ef6-9634aeba86a5@linux.ibm.com> (raw)
In-Reply-To: <20200519151936.1071fa14.cohuck@redhat.com>


[-- Attachment #1.1: Type: text/plain, Size: 4557 bytes --]

On 5/19/20 3:19 PM, Cornelia Huck wrote:
> On Mon, 18 May 2020 11:15:07 -0400
> Collin Walling <walling@linux.ibm.com> wrote:
> 
>> On 5/18/20 4:50 AM, Janosch Frank wrote:
>>> On 5/16/20 12:20 AM, Collin Walling wrote:  
>>>> Rework the SCLP boundary check to account for different SCLP commands
>>>> (eventually) allowing different boundary sizes.
>>>>
>>>> Move the length check code into a separate function, and introduce a
>>>> new function to determine the length of the read SCP data (i.e. the size
>>>> from the start of the struct to where the CPU entries should begin).
>>>>
>>>> Signed-off-by: Collin Walling <walling@linux.ibm.com>
>>>> ---
>>>>  hw/s390x/sclp.c | 57 ++++++++++++++++++++++++++++++++++++++++++-------
>>>>  1 file changed, 49 insertions(+), 8 deletions(-)
>>>>
>>>> diff --git a/hw/s390x/sclp.c b/hw/s390x/sclp.c
>>>> index 2bd618515e..987699e3c4 100644
>>>> --- a/hw/s390x/sclp.c
>>>> +++ b/hw/s390x/sclp.c
>>>> @@ -49,6 +49,34 @@ static inline bool sclp_command_code_valid(uint32_t code)
>>>>      return false;
>>>>  }
>>>>  
>>>> +static bool sccb_has_valid_boundary(uint64_t sccb_addr, uint32_t code,
>>>> +                                    SCCBHeader *header)
>>>> +{
>>>> +    uint64_t current_len = sccb_addr + be16_to_cpu(header->length);
>>>> +    uint64_t allowed_len = (sccb_addr & PAGE_MASK) + PAGE_SIZE;  
>>>
>>> Those are addresses not length indications and the names should reflect
>>> that.  
>>
>> True
>>
>>> Also don't we need to use PAGE_SIZE - 1?
>>>   
>>
>> Technically we need to -1 on both sides since length denotes the size of
>> the sccb in bytes, not the max address.
>>
>> How about this:
>>
>> s/current_len/sccb_max_addr
>> s/allowed_len/sccb_boundary
> 
> +1, like the names.
> 
>>
>> -1 to sccb_max_addr
>>
>> Change the check to: sccb_max_addr < sccb_boundary
>>
>> ?
>>
>>> I'm still trying to wake up, so take this with a grain of salt.
>>>   
>>
>> No worries. I appreciate the review nonetheless :)
>>
>>>> +
>>>> +    switch (code & SCLP_CMD_CODE_MASK) {
>>>> +    default:
>>>> +        if (current_len <= allowed_len) {
>>>> +            return true;
>>>> +        }
>>>> +    }
>>>> +    header->response_code = cpu_to_be16(SCLP_RC_SCCB_BOUNDARY_VIOLATION);
>>>> +    return false;
>>>> +}
>>>> +
>>>> +/* Calculates sufficient SCCB length to store a full Read SCP/CPU response */
>>>> +static bool sccb_has_sufficient_len(SCCB *sccb, int num_cpus, int data_len)
>>>> +{
>>>> +    int required_len = data_len + num_cpus * sizeof(CPUEntry);
>>>> +
>>>> +    if (be16_to_cpu(sccb->h.length) < required_len) {
>>>> +        sccb->h.response_code = cpu_to_be16(SCLP_RC_INSUFFICIENT_SCCB_LENGTH);
>>>> +        return false;
>>>> +    }
>>>> +    return true;
>>>> +}  
>>>
>>> Hm, from the function name alone I'd not have expected it to also set
>>> the response code.
>>>   
>>
>> It also sets the required length in the header for an extended-length
>> sccb. Perhaps this function name doesn't hold up well.
>>
>> Does sccb_check_sufficient_len make more sense?
> 
> To me it does.
> 
>>
>> I think the same could be said of the boundary check function, which
>> also sets the response code.
>>
>> What about setting the response code outside the function, similar to
>> what sclp_comand_code_valid does?
> 
> Whatever results in the least code churn to make it consistent ;)
> 
>>
>>>> +
>>>>  static void prepare_cpu_entries(MachineState *ms, CPUEntry *entry, int *count)
>>>>  {
>>>>      uint8_t features[SCCB_CPU_FEATURE_LEN] = { 0 };
>>>> @@ -66,6 +94,16 @@ static void prepare_cpu_entries(MachineState *ms, CPUEntry *entry, int *count)
>>>>      }
>>>>  }
>>>>  
>>>> +/*
>>>> + * The data length denotes the start of the struct to where the first
>>>> + * CPU entry is to be allocated. This value also denotes the offset_cpu
>>>> + * field.
>>>> + */
>>>> +static int get_read_scp_info_data_len(void)
>>>> +{
>>>> +    return offsetof(ReadInfo, entries);
>>>> +}  
>>>
>>> Not sure what the policy for this is, but maybe this can go into a
>>> header file?
>>> David and Conny will surely make that clear to me :)
>>>   
>>
>> Not sure either. If anything it might be a good candidate for an inline
>> function.
> 
> If we don't process read info outside of this file, no need to move it
> to a header. The compiler is probably also smart enough to inline it on
> its own, I guess.
> 
> 

I'm also ok with the names and the rest


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]