From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: <linux-cxl@vger.kernel.org>, <mst@redhat.com>,
<qemu-devel@nongnu.org>, Esifiel <esifiel@gmail.com>,
Fan Ni <fan.ni@samsung.com>, <linuxarm@huawei.com>
Subject: Re: [PATCH qemu 08/10] hw/cxl: Check that writes do not go beyond end of target attributes
Date: Fri, 8 Nov 2024 14:47:54 +0000 [thread overview]
Message-ID: <20241108144754.00003a92@huawei.com> (raw)
In-Reply-To: <CAFEAcA8LB3t0n_BqjBeEejfmVVYMbQ1rT9qwEbsNEoUDbkym9A@mail.gmail.com>
On Thu, 7 Nov 2024 15:39:13 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> On Fri, 1 Nov 2024 at 13:43, Jonathan Cameron via <qemu-devel@nongnu.org> wrote:
> >
> > In cmd_features_set_feature() the an offset + data size schemed
> > is used to allow for large features. Ensure this does not write
> > beyond the end fo the buffers used to accumulate the full feature
> > attribute set.
> >
> > Reported-by: Esifiel <esifiel@gmail.com>
> > Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> > ---
> > hw/cxl/cxl-mailbox-utils.c | 10 ++++++++++
> > 1 file changed, 10 insertions(+)
> >
> > diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
> > index a40d81219c..078782e8b9 100644
> > --- a/hw/cxl/cxl-mailbox-utils.c
> > +++ b/hw/cxl/cxl-mailbox-utils.c
> > @@ -1292,6 +1292,11 @@ static CXLRetCode cmd_features_set_feature(const struct cxl_cmd *cmd,
> >
> > ps_set_feature = (void *)payload_in;
> > ps_write_attrs = &ps_set_feature->feat_data;
> > +
> > + if ((uint32_t)hdr->offset + bytes_to_copy >
> > + sizeof(ct3d->patrol_scrub_wr_attrs)) {
> > + return CXL_MBOX_INVALID_PAYLOAD_LENGTH;
> > + }
>
> Coverity complains about this code (CID 1564900, 1564901).
> Essentially it does not like that this check permits
> the memcpy for the case where hdr->offset is 2 and
> bytes_to_copy is 0, because memcpy(invalid_dest, src, 0)
> is still UB even though you might logically expect it
> to do nothing.
Huh. Something new I learned today ;)
Anyhow, it makes little sense to have a set feature with zero length payload
so I can check for this before we even know what type of payload this is,
thus catching both cases here.
I'll spin a patch shortly.
thanks
Jonathan
>
> > memcpy((uint8_t *)&ct3d->patrol_scrub_wr_attrs + hdr->offset,
> > ps_write_attrs,
> > bytes_to_copy);
>
> > @@ -1314,6 +1319,11 @@ static CXLRetCode cmd_features_set_feature(const struct cxl_cmd *cmd,
> >
> > ecs_set_feature = (void *)payload_in;
> > ecs_write_attrs = ecs_set_feature->feat_data;
> > +
> > + if ((uint32_t)hdr->offset + bytes_to_copy >
> > + sizeof(ct3d->ecs_wr_attrs)) {
> > + return CXL_MBOX_INVALID_PAYLOAD_LENGTH;
> > + }
> > memcpy((uint8_t *)&ct3d->ecs_wr_attrs + hdr->offset,
> > ecs_write_attrs,
> > bytes_to_copy);
>
> Similarly here.
>
> thanks
> -- PMM
next prev parent reply other threads:[~2024-11-08 14:48 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-01 13:39 [PATCH qemu 00/10] hw/cxl: Mailbox input parser hardening against invalid input Jonathan Cameron
2024-11-01 13:39 ` [PATCH qemu 01/10] hw/cxl: Check size of input data to dynamic capacity mailbox commands Jonathan Cameron
2024-11-05 18:01 ` Fan Ni
2024-11-01 13:39 ` [PATCH qemu 02/10] hw/cxl: Check input includes at least the header in cmd_features_set_feature() Jonathan Cameron
2024-11-05 20:59 ` Fan Ni
2024-11-01 13:39 ` [PATCH qemu 03/10] hw/cxl: Check input length is large enough in cmd_events_clear_records() Jonathan Cameron
2024-11-05 21:01 ` Fan Ni
2024-11-01 13:39 ` [PATCH qemu 04/10] hw/cxl: Check enough data in cmd_firmware_update_transfer() Jonathan Cameron
2024-11-05 21:04 ` Fan Ni
2024-11-01 13:39 ` [PATCH qemu 05/10] hw/cxl: Check the length of data requested fits in get_log() Jonathan Cameron
2024-11-05 21:12 ` Fan Ni
2024-11-01 13:39 ` [PATCH qemu 06/10] hw/cxl: Avoid accesses beyond the end of cel_log Jonathan Cameron
2024-11-05 21:18 ` Fan Ni
2024-11-01 13:39 ` [PATCH qemu 07/10] hw/cxl: Ensuring enough data to read parameters in cmd_tunnel_management_cmd() Jonathan Cameron
2024-11-05 21:20 ` Fan Ni
2024-11-01 13:39 ` [PATCH qemu 08/10] hw/cxl: Check that writes do not go beyond end of target attributes Jonathan Cameron
2024-11-05 21:32 ` Fan Ni
2024-11-07 15:39 ` Peter Maydell
2024-11-08 14:47 ` Jonathan Cameron [this message]
2024-11-01 13:39 ` [PATCH qemu 09/10] hw/cxl: Ensure there is enough data for the header in cmd_ccls_set_lsa() Jonathan Cameron
2024-11-05 21:36 ` Fan Ni
2024-11-01 13:39 ` [PATCH qemu 10/10] hw/cxl: Ensure there is enough data to read the input header in cmd_get_physical_port_state() Jonathan Cameron
2024-11-05 21:37 ` Fan Ni
2024-11-01 13:45 ` [PATCH qemu 00/10] hw/cxl: Mailbox input parser hardening against invalid input Jonathan Cameron
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241108144754.00003a92@huawei.com \
--to=jonathan.cameron@huawei.com \
--cc=esifiel@gmail.com \
--cc=fan.ni@samsung.com \
--cc=linux-cxl@vger.kernel.org \
--cc=linuxarm@huawei.com \
--cc=mst@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox