From: Jason Wang <jasowang@redhat.com>
To: qemu-devel@nongnu.org, peter.maydell@linaro.org
Cc: Jason Wang <jasowang@redhat.com>, Pavel Pisa <pisa@cmp.felk.cvut.cz>
Subject: [PULL 14/17] hw/net/can/ctucan: Don't allow guest to write off end of tx_buffer
Date: Wed, 11 Nov 2020 21:11:38 +0800
Message-ID: <1605100301-11317-15-git-send-email-jasowang@redhat.com>
In-Reply-To: <1605100301-11317-1-git-send-email-jasowang@redhat.com>
From: Peter Maydell <peter.maydell@linaro.org>
The ctucan device has 4 CAN bus cores, each of which has a set of 20
32-bit registers for writing the transmitted data. The registers are
however not contiguous; each core's buffer is 0x100 bytes after
the last.

We got the checks on the address wrong in the ctucan_mem_write()
function:
 * the first "is addr in range at all" check allowed
   addr == CTUCAN_CORE_MEM_SIZE, which is actually the first
   byte off the end of the range
 * the decode of addresses into core-number plus offset in the
   tx buffer for that core failed to check that the offset was
   in range, so the guest could write off the end of the
   tx_buffer[] array

NB: currently the values of CTUCAN_CORE_MEM_SIZE, CTUCAN_CORE_TXBUF_NUM,
etc, make "buff_num >= CTUCAN_CORE_TXBUF_NUM" impossible, but we
retain this as a runtime check rather than an assertion to permit
those values to be changed in future (in hardware they are
configurable synthesis parameters).

Fix the top level check, and check the offset is within the buffer.

Fixes: Coverity CID 1432874
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Pavel Pisa <pisa@cmp.felk.cvut.cz>
Tested-by: Pavel Pisa <pisa@cmp.felk.cvut.cz>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
hw/net/can/ctucan_core.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/hw/net/can/ctucan_core.c b/hw/net/can/ctucan_core.c
index d20835c..8486f42 100644
--- a/hw/net/can/ctucan_core.c
+++ b/hw/net/can/ctucan_core.c
@@ -303,7 +303,7 @@ void ctucan_mem_write(CtuCanCoreState *s, hwaddr addr, uint64_t val,
DPRINTF("write 0x%02llx addr 0x%02x\n",
(unsigned long long)val, (unsigned int)addr);
- if (addr > CTUCAN_CORE_MEM_SIZE) {
+ if (addr >= CTUCAN_CORE_MEM_SIZE) {
return;
}
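Review bot: the corrected test `if (addr >= CTUCAN_CORE_MEM_SIZE)` bounds only the first byte of the access, while this function stores 32-bit values; an address in the last three bytes below CTUCAN_CORE_MEM_SIZE still passes the check even though the store would straddle the end of the region. Whether that is reachable depends on the MemoryRegionOps access-size and alignment constraints for this region, which are not in this diff; if they do not already force 4-byte aligned accesses, consider checking `addr + 4 > CTUCAN_CORE_MEM_SIZE` or masking `addr` before the comparison.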
@@ -312,7 +312,9 @@ void ctucan_mem_write(CtuCanCoreState *s, hwaddr addr, uint64_t val,
addr -= CTU_CAN_FD_TXTB1_DATA_1;
buff_num = addr / CTUCAN_CORE_TXBUFF_SPAN;
addr %= CTUCAN_CORE_TXBUFF_SPAN;
- if (buff_num < CTUCAN_CORE_TXBUF_NUM) {
+ addr &= ~3;
+ if ((buff_num < CTUCAN_CORE_TXBUF_NUM) &&
+ (addr < sizeof(s->tx_buffer[buff_num].data))) {
uint32_t *bufp = (uint32_t *)(s->tx_buffer[buff_num].data + addr);
*bufp = cpu_to_le32(val);
}
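Review bot: the new `(addr < sizeof(s->tx_buffer[buff_num].data))` test drops writes to the upper part of each CTUCAN_CORE_TXBUFF_SPAN window silently, and the commit message says those addresses were reachable before; a `qemu_log_mask(LOG_GUEST_ERROR, ...)` in an else branch would make a misbehaving driver visible instead of losing the write without a trace. Two smaller points on the same hunk: `addr &= ~3;` before the bounds test is the right order (it keeps the following 4-byte store inside `data` as long as sizeof(data) is a multiple of 4, which 20 32-bit registers are), but it also means an unaligned guest write is quietly rounded down rather than rejected, which deserves a comment; and `(uint32_t *)(s->tx_buffer[buff_num].data + addr)` still relies on `data + addr` being suitably aligned for the host, so a `stl_le_p()` store would be more robust than the cast plus `cpu_to_le32()`.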
--
2.7.4
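The address decode described in the commit message, as an added host-side model (example code written for this page, not code from QEMU or from the ctucan driver): it puts the pre-patch and post-patch checks side by side so both bounds errors can be exercised without a guest. Every register-map constant and the tx_buffer layout are assumptions chosen to match the commit message (4 cores, 20 32-bit data registers each, cores 0x100 bytes apart), not the values from hw/net/can/ctucan_core.h, and the guest addresses in main() are constructed probes.

```c
/*
 * Added example, not code from QEMU or the ctucan driver: a model of the
 * tx-buffer address decode in ctucan_mem_write(), before and after the fix.
 * Every constant below is an ASSUMPTION chosen to match the commit message;
 * the real values live in hw/net/can/ctucan_core.h.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CORE_TXBUF_NUM    4          /* assumed: number of TX buffers         */
#define CORE_TXBUFF_SPAN  0x100      /* assumed: stride between buffers       */
#define TXTB1_DATA_1      0x100      /* assumed: offset of first data register */
#define CORE_MEM_SIZE     0x10000    /* assumed: size of the register window  */
#define TXBUF_DATA_REGS   20         /* from the commit message               */

struct tx_buffer {
    uint8_t data[TXBUF_DATA_REGS * 4];   /* 80 bytes of payload registers */
};

#define TXBUF_ARRAY_BYTES (CORE_TXBUF_NUM * sizeof(struct tx_buffer))

/* Top-level range check: '>' lets addr == CORE_MEM_SIZE through, '>=' does not. */
static bool addr_in_range(uint64_t addr, bool fixed)
{
    return fixed ? addr < CORE_MEM_SIZE : addr <= CORE_MEM_SIZE;
}

/*
 * Decode a guest register address to a byte offset from the start of the
 * tx_buffer[] array, or -1 when the write is rejected.  Returning the offset
 * instead of storing lets a caller see where the unfixed code would write.
 */
static long decode_txbuf_offset(uint64_t addr, bool fixed)
{
    if (!addr_in_range(addr, fixed)) {
        return -1;
    }
    if (addr < TXTB1_DATA_1) {
        return -1;              /* other registers: not part of this model */
    }
    addr -= TXTB1_DATA_1;
    uint64_t buff_num = addr / CORE_TXBUFF_SPAN;
    addr %= CORE_TXBUFF_SPAN;   /* offset inside this core's 0x100 window */

    if (fixed) {
        addr &= ~(uint64_t)3;   /* 32-bit registers: round down to a word */
    }
    if (buff_num >= CORE_TXBUF_NUM) {
        return -1;              /* the only check the old code had */
    }
    if (fixed && addr >= sizeof(((struct tx_buffer *)0)->data)) {
        return -1;              /* the check the patch adds */
    }
    return (long)(buff_num * sizeof(struct tx_buffer) + addr);
}

/* Does a 4-byte store at this tx_buffer[]-relative offset stay inside the array? */
static bool write_in_bounds(long off)
{
    return off >= 0 && (uint64_t)off + 4 <= TXBUF_ARRAY_BYTES;
}

/* Which tx_buffer[] element a store at this offset actually lands in. */
static long landing_buffer(long off)
{
    return off < 0 ? -1 : (long)((uint64_t)off / sizeof(struct tx_buffer));
}

int main(void)
{
    printf("addr == CORE_MEM_SIZE passes range check: old=%d fixed=%d\n",
           addr_in_range(CORE_MEM_SIZE, false), addr_in_range(CORE_MEM_SIZE, true));

    /* Constructed probes: TXTB4 window offset 0xFC (past the array), TXTB1
     * window offset 0xFC (wrong buffer), and a valid TXTB2 register 19 write. */
    const uint64_t probes[] = { 0x4FC, 0x1FC, 0x24C };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        long old_off = decode_txbuf_offset(probes[i], false);
        long new_off = decode_txbuf_offset(probes[i], true);
        printf("addr 0x%03llx: old -> offset %ld (%s, tx_buffer[%ld]); fixed -> %ld\n",
               (unsigned long long)probes[i], old_off,
               write_in_bounds(old_off) ? "in array" : "OUT OF ARRAY",
               landing_buffer(old_off), new_off);
    }
    return 0;
}
```

With the assumed layout the old decode turns guest address 0x4FC into byte offset 492 of a 320-byte array, and 0x1FC into a write that lands in tx_buffer[3] although the guest addressed buffer 0; the fixed decode rejects both and still accepts register 19 of buffer 1 (offset 156), rounding an unaligned 0x24D down to the same word.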
Thread overview: 19+ messages
2020-11-11 13:11 [PULL 00/17] Net patches Jason Wang
2020-11-11 13:11 ` [PULL 01/17] virtio-net: Set mac address to hardware if the peer is vdpa Jason Wang
2020-11-11 13:11 ` [PULL 02/17] net/filter-rewriter: destroy g_hash_table in colo_rewriter_cleanup Jason Wang
2020-11-11 13:11 ` [PULL 03/17] Optimize seq_sorter function for colo-compare Jason Wang
2020-11-11 13:11 ` [PULL 04/17] Reduce the time of checkpoint for COLO Jason Wang
2020-11-11 13:11 ` [PULL 05/17] Fix the qemu crash when guest shutdown in COLO mode Jason Wang
2020-11-11 13:11 ` [PULL 06/17] colo-compare: fix missing compare_seq initialization Jason Wang
2020-11-11 13:11 ` [PULL 07/17] colo-compare: check mark in mutual exclusion Jason Wang
2020-11-11 13:11 ` [PULL 08/17] net/colo-compare.c: Fix compare_timeout format issue Jason Wang
2020-11-11 13:11 ` [PULL 09/17] net/colo-compare.c: Change the timer clock type Jason Wang
2020-11-11 13:11 ` [PULL 10/17] net/colo-compare.c: Add secondary old packet detection Jason Wang
2020-11-11 13:11 ` [PULL 11/17] net/colo-compare.c: Increase default queued packet scan frequency Jason Wang
2020-11-11 13:11 ` [PULL 12/17] net: remove an assert call in eth_get_gso_type Jason Wang
2020-11-11 13:11 ` [PULL 13/17] net/l2tpv3: Remove redundant check in net_init_l2tpv3() Jason Wang
2020-11-11 13:11 ` Jason Wang [this message]
2020-11-11 13:11 ` [PULL 15/17] hw/net/can/ctucan: Avoid unused value in ctucan_send_ready_buffers() Jason Wang
2020-11-11 13:11 ` [PULL 16/17] hw/net/can/ctucan_core: Handle big-endian hosts Jason Wang
2020-11-11 13:11 ` [PULL 17/17] hw/net/can/ctucan_core: Use stl_le_p to write to tx_buffers Jason Wang
2020-11-11 14:55 ` [PULL 00/17] Net patches Peter Maydell