From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: <linux-cxl@vger.kernel.org>, <mst@redhat.com>,
<qemu-devel@nongnu.org>, Esifiel <esifiel@gmail.com>,
Fan Ni <fan.ni@samsung.com>, <linuxarm@huawei.com>
Subject: Re: [PATCH qemu 08/10] hw/cxl: Check that writes do not go beyond end of target attributes
Date: Fri, 8 Nov 2024 14:47:54 +0000 [thread overview]
Message-ID: <20241108144754.00003a92@huawei.com> (raw)
In-Reply-To: <CAFEAcA8LB3t0n_BqjBeEejfmVVYMbQ1rT9qwEbsNEoUDbkym9A@mail.gmail.com>
On Thu, 7 Nov 2024 15:39:13 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> On Fri, 1 Nov 2024 at 13:43, Jonathan Cameron via <qemu-devel@nongnu.org> wrote:
> >
> > In cmd_features_set_feature() the an offset + data size schemed
> > is used to allow for large features. Ensure this does not write
> > beyond the end fo the buffers used to accumulate the full feature
> > attribute set.
> >
> > Reported-by: Esifiel <esifiel@gmail.com>
> > Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> > ---
> > hw/cxl/cxl-mailbox-utils.c | 10 ++++++++++
> > 1 file changed, 10 insertions(+)
> >
> > diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
> > index a40d81219c..078782e8b9 100644
> > --- a/hw/cxl/cxl-mailbox-utils.c
> > +++ b/hw/cxl/cxl-mailbox-utils.c
> > @@ -1292,6 +1292,11 @@ static CXLRetCode cmd_features_set_feature(const struct cxl_cmd *cmd,
> >
> > ps_set_feature = (void *)payload_in;
> > ps_write_attrs = &ps_set_feature->feat_data;
> > +
> > + if ((uint32_t)hdr->offset + bytes_to_copy >
> > + sizeof(ct3d->patrol_scrub_wr_attrs)) {
> > + return CXL_MBOX_INVALID_PAYLOAD_LENGTH;
> > + }
>
> Coverity complains about this code (CID 1564900, 1564901).
> Essentially it does not like that this check permits
> the memcpy for the case where hdr->offset is 2 and
> bytes_to_copy is 0, because memcpy(invalid_dest, src, 0)
> is still UB even though you might logically expect it
> to do nothing.
Huh. Something new I learned today ;)
Anyhow, it makes little sense to have a set feature with zero length payload
so I can check for this before we even know what type of payload this is,
thus catching both cases here.
I'll spin a patch shortly.
thanks
Jonathan
>
> > memcpy((uint8_t *)&ct3d->patrol_scrub_wr_attrs + hdr->offset,
> > ps_write_attrs,
> > bytes_to_copy);
>
> > @@ -1314,6 +1319,11 @@ static CXLRetCode cmd_features_set_feature(const struct cxl_cmd *cmd,
> >
> > ecs_set_feature = (void *)payload_in;
> > ecs_write_attrs = ecs_set_feature->feat_data;
> > +
> > + if ((uint32_t)hdr->offset + bytes_to_copy >
> > + sizeof(ct3d->ecs_wr_attrs)) {
> > + return CXL_MBOX_INVALID_PAYLOAD_LENGTH;
> > + }
> > memcpy((uint8_t *)&ct3d->ecs_wr_attrs + hdr->offset,
> > ecs_write_attrs,
> > bytes_to_copy);
>
> Similarly here.
>
> thanks
> -- PMM
WARNING: multiple messages have this Message-ID (diff)
From: Jonathan Cameron via <qemu-devel@nongnu.org>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: <linux-cxl@vger.kernel.org>, <mst@redhat.com>,
<qemu-devel@nongnu.org>, Esifiel <esifiel@gmail.com>,
Fan Ni <fan.ni@samsung.com>, <linuxarm@huawei.com>
Subject: Re: [PATCH qemu 08/10] hw/cxl: Check that writes do not go beyond end of target attributes
Date: Fri, 8 Nov 2024 14:47:54 +0000 [thread overview]
Message-ID: <20241108144754.00003a92@huawei.com> (raw)
In-Reply-To: <CAFEAcA8LB3t0n_BqjBeEejfmVVYMbQ1rT9qwEbsNEoUDbkym9A@mail.gmail.com>
On Thu, 7 Nov 2024 15:39:13 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> On Fri, 1 Nov 2024 at 13:43, Jonathan Cameron via <qemu-devel@nongnu.org> wrote:
> >
> > In cmd_features_set_feature() the an offset + data size schemed
> > is used to allow for large features. Ensure this does not write
> > beyond the end fo the buffers used to accumulate the full feature
> > attribute set.
> >
> > Reported-by: Esifiel <esifiel@gmail.com>
> > Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> > ---
> > hw/cxl/cxl-mailbox-utils.c | 10 ++++++++++
> > 1 file changed, 10 insertions(+)
> >
> > diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
> > index a40d81219c..078782e8b9 100644
> > --- a/hw/cxl/cxl-mailbox-utils.c
> > +++ b/hw/cxl/cxl-mailbox-utils.c
> > @@ -1292,6 +1292,11 @@ static CXLRetCode cmd_features_set_feature(const struct cxl_cmd *cmd,
> >
> > ps_set_feature = (void *)payload_in;
> > ps_write_attrs = &ps_set_feature->feat_data;
> > +
> > + if ((uint32_t)hdr->offset + bytes_to_copy >
> > + sizeof(ct3d->patrol_scrub_wr_attrs)) {
> > + return CXL_MBOX_INVALID_PAYLOAD_LENGTH;
> > + }
>
> Coverity complains about this code (CID 1564900, 1564901).
> Essentially it does not like that this check permits
> the memcpy for the case where hdr->offset is 2 and
> bytes_to_copy is 0, because memcpy(invalid_dest, src, 0)
> is still UB even though you might logically expect it
> to do nothing.
Huh. Something new I learned today ;)
Anyhow, it makes little sense to have a set feature with zero length payload
so I can check for this before we even know what type of payload this is,
thus catching both cases here.
I'll spin a patch shortly.
thanks
Jonathan
>
> > memcpy((uint8_t *)&ct3d->patrol_scrub_wr_attrs + hdr->offset,
> > ps_write_attrs,
> > bytes_to_copy);
>
> > @@ -1314,6 +1319,11 @@ static CXLRetCode cmd_features_set_feature(const struct cxl_cmd *cmd,
> >
> > ecs_set_feature = (void *)payload_in;
> > ecs_write_attrs = ecs_set_feature->feat_data;
> > +
> > + if ((uint32_t)hdr->offset + bytes_to_copy >
> > + sizeof(ct3d->ecs_wr_attrs)) {
> > + return CXL_MBOX_INVALID_PAYLOAD_LENGTH;
> > + }
> > memcpy((uint8_t *)&ct3d->ecs_wr_attrs + hdr->offset,
> > ecs_write_attrs,
> > bytes_to_copy);
>
> Similarly here.
>
> thanks
> -- PMM
next prev parent reply other threads:[~2024-11-08 14:48 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-01 13:39 [PATCH qemu 00/10] hw/cxl: Mailbox input parser hardening against invalid input Jonathan Cameron
2024-11-01 13:39 ` Jonathan Cameron via
2024-11-01 13:39 ` [PATCH qemu 01/10] hw/cxl: Check size of input data to dynamic capacity mailbox commands Jonathan Cameron
2024-11-01 13:39 ` Jonathan Cameron via
2024-11-05 18:01 ` Fan Ni
2024-11-01 13:39 ` [PATCH qemu 02/10] hw/cxl: Check input includes at least the header in cmd_features_set_feature() Jonathan Cameron
2024-11-01 13:39 ` Jonathan Cameron via
2024-11-05 20:59 ` Fan Ni
2024-11-01 13:39 ` [PATCH qemu 03/10] hw/cxl: Check input length is large enough in cmd_events_clear_records() Jonathan Cameron
2024-11-01 13:39 ` Jonathan Cameron via
2024-11-05 21:01 ` Fan Ni
2024-11-01 13:39 ` [PATCH qemu 04/10] hw/cxl: Check enough data in cmd_firmware_update_transfer() Jonathan Cameron
2024-11-01 13:39 ` Jonathan Cameron via
2024-11-05 21:04 ` Fan Ni
2024-11-01 13:39 ` [PATCH qemu 05/10] hw/cxl: Check the length of data requested fits in get_log() Jonathan Cameron
2024-11-01 13:39 ` Jonathan Cameron via
2024-11-05 21:12 ` Fan Ni
2024-11-01 13:39 ` [PATCH qemu 06/10] hw/cxl: Avoid accesses beyond the end of cel_log Jonathan Cameron
2024-11-01 13:39 ` Jonathan Cameron via
2024-11-05 21:18 ` Fan Ni
2024-11-01 13:39 ` [PATCH qemu 07/10] hw/cxl: Ensuring enough data to read parameters in cmd_tunnel_management_cmd() Jonathan Cameron
2024-11-01 13:39 ` Jonathan Cameron via
2024-11-05 21:20 ` Fan Ni
2024-11-01 13:39 ` [PATCH qemu 08/10] hw/cxl: Check that writes do not go beyond end of target attributes Jonathan Cameron
2024-11-01 13:39 ` Jonathan Cameron via
2024-11-05 21:32 ` Fan Ni
2024-11-07 15:39 ` Peter Maydell
2024-11-08 14:47 ` Jonathan Cameron [this message]
2024-11-08 14:47 ` Jonathan Cameron via
2024-11-01 13:39 ` [PATCH qemu 09/10] hw/cxl: Ensure there is enough data for the header in cmd_ccls_set_lsa() Jonathan Cameron
2024-11-01 13:39 ` Jonathan Cameron via
2024-11-05 21:36 ` Fan Ni
2024-11-01 13:39 ` [PATCH qemu 10/10] hw/cxl: Ensure there is enough data to read the input header in cmd_get_physical_port_state() Jonathan Cameron
2024-11-01 13:39 ` Jonathan Cameron via
2024-11-05 21:37 ` Fan Ni
2024-11-01 13:45 ` [PATCH qemu 00/10] hw/cxl: Mailbox input parser hardening against invalid input Jonathan Cameron
2024-11-01 13:45 ` Jonathan Cameron via
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241108144754.00003a92@huawei.com \
--to=jonathan.cameron@huawei.com \
--cc=esifiel@gmail.com \
--cc=fan.ni@samsung.com \
--cc=linux-cxl@vger.kernel.org \
--cc=linuxarm@huawei.com \
--cc=mst@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.