[PATCH 5.4 11/22] PCI: pci-bridge-emul: Fix array overruns, improve safety

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Marek Behún" <kabel@kernel.org>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Sasha Levin <sashal@kernel.org>
Cc: pali@kernel.org, stable@vger.kernel.org,
	"Russell King" <rmk+kernel@armlinux.org.uk>,
	"Bjorn Helgaas" <bhelgaas@google.com>,
	"Marek Behún" <kabel@kernel.org>
Subject: [PATCH 5.4 11/22] PCI: pci-bridge-emul: Fix array overruns, improve safety
Date: Thu, 25 Nov 2021 01:26:05 +0100	[thread overview]
Message-ID: <20211125002616.31363-12-kabel@kernel.org> (raw)
In-Reply-To: <20211125002616.31363-1-kabel@kernel.org>

From: Russell King <rmk+kernel@armlinux.org.uk>

commit f8ee579d53aca887d93f5f411462f25c085a5106 upstream.

We allow up to PCI_EXP_SLTSTA2 registers to be accessed, but the
pcie_cap_regs_behavior[] array only covers up to PCI_EXP_RTSTA.  Expand
this array to avoid walking off the end of it.

Do the same for pci_regs_behavior for consistency[], and add a
BUILD_BUG_ON() to also check the bridge->conf structure size.

Fixes: 23a5fba4d941 ("PCI: Introduce PCI bridge emulated config space common logic")
Link: https://lore.kernel.org/r/E1l6z9W-0006Re-MQ@rmk-PC.armlinux.org.uk
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Marek Behún <kabel@kernel.org>
---
 drivers/pci/pci-bridge-emul.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/pci/pci-bridge-emul.c b/drivers/pci/pci-bridge-emul.c
index b3d63e319bb3..3026346ccb18 100644
--- a/drivers/pci/pci-bridge-emul.c
+++ b/drivers/pci/pci-bridge-emul.c
@@ -21,8 +21,9 @@
 #include "pci-bridge-emul.h"
 
 #define PCI_BRIDGE_CONF_END	PCI_STD_HEADER_SIZEOF
+#define PCI_CAP_PCIE_SIZEOF	(PCI_EXP_SLTSTA2 + 2)
 #define PCI_CAP_PCIE_START	PCI_BRIDGE_CONF_END
-#define PCI_CAP_PCIE_END	(PCI_CAP_PCIE_START + PCI_EXP_SLTSTA2 + 2)
+#define PCI_CAP_PCIE_END	(PCI_CAP_PCIE_START + PCI_CAP_PCIE_SIZEOF)
 
 struct pci_bridge_reg_behavior {
 	/* Read-only bits */
@@ -38,7 +39,8 @@ struct pci_bridge_reg_behavior {
 	u32 rsvd;
 };
 
-static const struct pci_bridge_reg_behavior pci_regs_behavior[] = {
+static const
+struct pci_bridge_reg_behavior pci_regs_behavior[PCI_STD_HEADER_SIZEOF / 4] = {
 	[PCI_VENDOR_ID / 4] = { .ro = ~0 },
 	[PCI_COMMAND / 4] = {
 		.rw = (PCI_COMMAND_IO | PCI_COMMAND_MEMORY |
@@ -173,7 +175,8 @@ static const struct pci_bridge_reg_behavior pci_regs_behavior[] = {
 	},
 };
 
-static const struct pci_bridge_reg_behavior pcie_cap_regs_behavior[] = {
+static const
+struct pci_bridge_reg_behavior pcie_cap_regs_behavior[PCI_CAP_PCIE_SIZEOF / 4] = {
 	[PCI_CAP_LIST_ID / 4] = {
 		/*
 		 * Capability ID, Next Capability Pointer and
@@ -270,6 +273,8 @@ static const struct pci_bridge_reg_behavior pcie_cap_regs_behavior[] = {
 int pci_bridge_emul_init(struct pci_bridge_emul *bridge,
 			 unsigned int flags)
 {
+	BUILD_BUG_ON(sizeof(bridge->conf) != PCI_BRIDGE_CONF_END);
+
 	bridge->conf.class_revision |= cpu_to_le32(PCI_CLASS_BRIDGE_PCI << 16);
 	bridge->conf.header_type = PCI_HEADER_TYPE_BRIDGE;
 	bridge->conf.cache_line_size = 0x10;
-- 
2.32.0

next prev parent reply	other threads:[~2021-11-25  0:32 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-11-25  0:25 [PATCH 5.4 00/22] Armada 3720 PCIe fixes for 5.4 Marek Behún
2021-11-25  0:25 ` [PATCH 5.4 01/22] PCI: aardvark: Wait for endpoint to be ready before training link Marek Behún
2021-11-25  0:25 ` [PATCH 5.4 02/22] PCI: aardvark: Fix big endian support Marek Behún
2021-11-25  0:25 ` [PATCH 5.4 03/22] PCI: aardvark: Train link immediately after enabling training Marek Behún
2021-11-25  0:25 ` [PATCH 5.4 04/22] PCI: aardvark: Improve link training Marek Behún
2021-11-25  0:25 ` [PATCH 5.4 05/22] PCI: aardvark: Issue PERST via GPIO Marek Behún
2021-11-25  0:26 ` [PATCH 5.4 06/22] PCI: aardvark: Replace custom macros by standard linux/pci_regs.h macros Marek Behún
2021-11-25  0:26 ` [PATCH 5.4 07/22] PCI: aardvark: Don't touch PCIe registers if no card connected Marek Behún
2021-11-25  0:26 ` [PATCH 5.4 08/22] PCI: aardvark: Fix compilation on s390 Marek Behún
2021-11-25  0:26 ` [PATCH 5.4 09/22] PCI: aardvark: Move PCIe reset card code to advk_pcie_train_link() Marek Behún
2021-11-25  0:26 ` [PATCH 5.4 10/22] PCI: aardvark: Update comment about disabling link training Marek Behún
2021-11-25  0:26 ` Marek Behún [this message]
2021-11-25  0:26 ` [PATCH 5.4 12/22] PCI: aardvark: Configure PCIe resources from 'ranges' DT property Marek Behún
2021-11-25  0:26 ` [PATCH 5.4 13/22] PCI: aardvark: Fix PCIe Max Payload Size setting Marek Behún
2021-11-25  0:26 ` [PATCH 5.4 14/22] PCI: aardvark: Deduplicate code in advk_pcie_rd_conf() Marek Behún
2021-11-25  0:26 ` [PATCH 5.4 15/22] PCI: aardvark: Implement re-issuing config requests on CRS response Marek Behún
2021-11-25  0:26 ` [PATCH 5.4 16/22] PCI: aardvark: Simplify initialization of rootcap on virtual bridge Marek Behún
2021-11-25  0:26 ` [PATCH 5.4 17/22] PCI: aardvark: Fix link training Marek Behún
2021-11-25  0:26 ` [PATCH 5.4 18/22] PCI: aardvark: Fix support for bus mastering and PCI_COMMAND on emulated bridge Marek Behún
2021-11-25  0:26 ` [PATCH 5.4 19/22] PCI: aardvark: Set PCI Bridge Class Code to PCI Bridge Marek Behún
2021-11-25  0:26 ` [PATCH 5.4 20/22] PCI: aardvark: Fix support for PCI_BRIDGE_CTL_BUS_RESET on emulated bridge Marek Behún
2021-11-25  0:26 ` [PATCH 5.4 21/22] pinctrl: armada-37xx: Correct PWM pins definitions Marek Behún
2021-11-25  0:26 ` [PATCH 5.4 22/22] arm64: dts: marvell: armada-37xx: Set pcie_reset_pin to gpio function Marek Behún
2021-11-28 13:00 ` [PATCH 5.4 00/22] Armada 3720 PCIe fixes for 5.4 Greg Kroah-Hartman

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:b3d63e319bb dfblob:3026346ccb1 )
 OR (
bs:"[PATCH 5.4 11/22] PCI: pci-bridge-emul: Fix array overruns, improve safety" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20211125002616.31363-12-kabel@kernel.org \
    --to=kabel@kernel.org \
    --cc=bhelgaas@google.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=pali@kernel.org \
    --cc=rmk+kernel@armlinux.org.uk \
    --cc=sashal@kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.