From mboxrd@z Thu Jan  1 00:00:00 1970
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Subject: Re: [PATCH v1 03/10] xen/pt: Check if reg->init
 function sets the 'data' past the reg->size
Date: Fri, 17 Jul 2015 12:47:12 -0400
Message-ID: <20150717164712.GB19827__28393.1114864119$1437151718$gmane$org@l.oracle.com>
References: <1435866681-18468-1-git-send-email-konrad.wilk@oracle.com>
	<1435866681-18468-4-git-send-email-konrad.wilk@oracle.com>
	<alpine.DEB.2.02.1507171700570.17378@kaball.uk.xensource.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xen.org>
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <konrad.wilk@oracle.com>) id 1ZG8nC-0006xk-6h
	for xen-devel@lists.xenproject.org; Fri, 17 Jul 2015 16:47:22 +0000
Content-Disposition: inline
In-Reply-To: <alpine.DEB.2.02.1507171700570.17378@kaball.uk.xensource.com>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: xen-devel@lists.xenproject.org, qemu-devel@nongnu.org, JBeulich@suse.com
List-Id: xen-devel@lists.xenproject.org

On Fri, Jul 17, 2015 at 05:03:44PM +0100, Stefano Stabellini wrote:
> On Thu, 2 Jul 2015, Konrad Rzeszutek Wilk wrote:
> > It should never happen, but in case it does (an developer adds
> > a new register and the 'init_val' expands past the register
> > size) we want to report. The code will only write up to
> > reg->size so there is no runtime danger of the register spilling
> > across other ones - however to catch this sort of thing
> > we still return an error.
> > 
> > Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
> > ---
> >  hw/xen/xen_pt_config_init.c | 10 ++++++++--
> >  1 file changed, 8 insertions(+), 2 deletions(-)
> > 
> > diff --git a/hw/xen/xen_pt_config_init.c b/hw/xen/xen_pt_config_init.c
> > index 3938afd..09309ba 100644
> > --- a/hw/xen/xen_pt_config_init.c
> > +++ b/hw/xen/xen_pt_config_init.c
> > @@ -1904,9 +1904,15 @@ static int xen_pt_config_reg_init(XenPCIPassthroughState *s,
> >          } else
> >              val = data;
> >  
> > +        if (val & ~size_mask) {
> > +            XEN_PT_ERR(&s->dev,"Offset 0x%04x:0x%04x expands past register size(%d)!\n",
> > +                       offset, val, reg->size);
> > +            g_free(reg_entry);
> > +            return -ENXIO;
> > +        }
> 
> If we worry about changes to init_val, wouldn't it be better to add
> QEMU_BUILD_BUG_ON(data & ~size_mask)?

Duh. Yes :-)
> 
> 
> >          /* This could be just pci_set_long as we don't modify the bits
> > -         * past reg->size, but in case this routine is run in parallel
> > -         * we do not want to over-write other registers. */
> > +         * past reg->size, but in case this routine is run in parallel or the
> > +         * init value is larger, we do not want to over-write registers. */
> >          switch (reg->size) {
> >          case 1: pci_set_byte(s->dev.config + offset, (uint8_t)val); break;
> >          case 2: pci_set_word(s->dev.config + offset, (uint16_t)val); break;
> > -- 
> > 2.1.0
> >