From: Titus Rwantare <titusr@google.com>
To: Corey Minyard <minyard@acm.org>
Cc: qemu-arm@nongnu.org, qemu-devel@nongnu.org, f4bug@amsat.org,
wuhaotsh@google.com, venture@google.com,
peter.maydell@linaro.org, Titus Rwantare <titusr@google.com>
Subject: [PATCH v3 2/9] hw/i2c: pmbus: guard against out of range accesses
Date: Tue, 1 Mar 2022 17:50:46 -0800
Message-ID: <20220302015053.1984165-3-titusr@google.com>
In-Reply-To: <20220302015053.1984165-1-titusr@google.com>
Signed-off-by: Titus Rwantare <titusr@google.com>
---
hw/i2c/pmbus_device.c | 41 ++++++++++++++++++++++++++++++++++++++++-
1 file changed, 40 insertions(+), 1 deletion(-)
diff --git a/hw/i2c/pmbus_device.c b/hw/i2c/pmbus_device.c
index 07a45c99f9..93c746bab3 100644
--- a/hw/i2c/pmbus_device.c
+++ b/hw/i2c/pmbus_device.c
@@ -243,18 +243,47 @@ void pmbus_check_limits(PMBusDevice *pmdev)
}
}
+/* assert the status_cml error upon receipt of malformed command */
+static void pmbus_cml_error(PMBusDevice *pmdev)
+{
+ for (int i = 0; i < pmdev->num_pages; i++) {
+ pmdev->pages[i].status_word |= PMBUS_STATUS_CML;
+ pmdev->pages[i].status_cml |= PB_CML_FAULT_INVALID_CMD;
+ }
+}
+
static uint8_t pmbus_receive_byte(SMBusDevice *smd)
{
PMBusDevice *pmdev = PMBUS_DEVICE(smd);
PMBusDeviceClass *pmdc = PMBUS_DEVICE_GET_CLASS(pmdev);
uint8_t ret = 0xFF;
- uint8_t index = pmdev->page;
+ uint8_t index;
if (pmdev->out_buf_len != 0) {
ret = pmbus_out_buf_pop(pmdev);
return ret;
}
+ /*
+ * Reading from all pages will return the value from page 0,
+ * this is unspecified behaviour in general.
+ */
+ if (pmdev->page == PB_ALL_PAGES) {
+ index = 0;
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "%s: tried to read from all pages\n",
+ __func__);
+ pmbus_cml_error(pmdev);
+ } else if (pmdev->page > pmdev->num_pages - 1) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "%s: page %d is out of range\n",
+ __func__, pmdev->page);
+ pmbus_cml_error(pmdev);
+ return -1;
+ } else {
+ index = pmdev->page;
+ }
+
switch (pmdev->code) {
case PMBUS_PAGE:
pmbus_send8(pmdev, pmdev->page);
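Review bot: in the out-of-range branch of pmbus_receive_byte, `return -1;` leaves a function declared `uint8_t`, so it is silently converted to 0xFF, the value `ret` already holds; `return ret;` or an explicit `return 0xFF;` states what the guest actually reads back. The bound `pmdev->page > pmdev->num_pages - 1` is easier to read as `pmdev->page >= pmdev->num_pages`, and the log format uses `%d` for pmdev->page here while the write path uses `%u`; `%u` in both places would be consistent. The PB_ALL_PAGES branch raises the CML fault and then still returns data from page 0, which deserves a line in the commit message since the message body is currently empty.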
@@ -1038,6 +1067,7 @@ static int pmbus_write_data(SMBusDevice *smd, uint8_t *buf, uint8_t len)
pmdev->page = pmbus_receive8(pmdev);
return 0;
}
+
/* loop through all the pages when 0xFF is received */
if (pmdev->page == PB_ALL_PAGES) {
for (int i = 0; i < pmdev->num_pages; i++) {
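Review bot: the blank line added before the "loop through all the pages" comment is a whitespace-only change unrelated to the range guard; drop it from this patch or move it to a separate cleanup so the diff carries only the behavioural change.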
@@ -1048,6 +1078,15 @@ static int pmbus_write_data(SMBusDevice *smd, uint8_t *buf, uint8_t len)
return 0;
}
+ if (pmdev->page > pmdev->num_pages - 1) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "%s: page %u is out of range\n",
+ __func__, pmdev->page);
+ pmdev->page = 0; /* undefined behaviour - reset to page 0 */
+ pmbus_cml_error(pmdev);
+ return -1;
+ }
+
index = pmdev->page;
switch (pmdev->code) {
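Review bot: this range check in pmbus_write_data runs only after the earlier `pmdev->page = pmbus_receive8(pmdev); return 0;` has stored the value unchecked, so an out-of-range page is accepted when it is written and rejected only on the next command; validating at the point of assignment would raise the CML fault on the offending PAGE write itself. The write path resets pmdev->page to 0 while the out-of-range branch in pmbus_receive_byte leaves it unchanged, so a guest that only reads keeps hitting the error path; the two should behave the same way. As in the read path, `pmdev->page >= pmdev->num_pages` expresses the bound without the subtraction.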
--
2.35.1.616.g0bdcbb4464-goog