Re: [Qemu-devel] [PATCH] pci: Common overflow prevention

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: "Michael S. Tsirkin" <mst@redhat.com>
To: Jan Kiszka <jan.kiszka@siemens.com>
Cc: Isaku Yamahata <yamahata@valinux.co.jp>,
	qemu-devel <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] [PATCH] pci: Common overflow prevention
Date: Fri, 22 Jul 2011 08:32:14 +0300	[thread overview]
Message-ID: <20110722052707.GA8241@redhat.com> (raw)
In-Reply-To: <4E2858C2.5050909@siemens.com>

On Thu, Jul 21, 2011 at 06:50:10PM +0200, Jan Kiszka wrote:
> Introduce pci_config_read/write_common helpers to prevent passing
> accesses down the callback chain that go beyond the config space limits.
> Adjust length assertions as they are no longer correct (cutting may
> generate valid 3 byte accesses).
> 
> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
> ---
> 
> Now I have to deal with 3 byte config space access for device
> assignment, but Michael was right, such things are possible, even in
> PCIe.
> 
>  hw/pci.c       |    6 ++----
>  hw/pci_host.c  |   24 ++++++++++++++++++++----
>  hw/pci_host.h  |    6 ++++++
>  hw/pcie_host.c |   12 ++++++------
>  4 files changed, 34 insertions(+), 14 deletions(-)
> 
> diff --git a/hw/pci.c b/hw/pci.c
> index b904a4e..ef94739 100644
> --- a/hw/pci.c
> +++ b/hw/pci.c
> @@ -1108,8 +1108,7 @@ uint32_t pci_default_read_config(PCIDevice *d,
>                                   uint32_t address, int len)
>  {
>      uint32_t val = 0;
> -    assert(len == 1 || len == 2 || len == 4);
> -    len = MIN(len, pci_config_size(d) - address);
> +
>      memcpy(&val, d->config + address, len);
>      return le32_to_cpu(val);
>  }
> @@ -1117,9 +1116,8 @@ uint32_t pci_default_read_config(PCIDevice *d,
>  void pci_default_write_config(PCIDevice *d, uint32_t addr, uint32_t val, int l)
>  {
>      int i, was_irq_disabled = pci_irq_disabled(d);
> -    uint32_t config_size = pci_config_size(d);
>  
> -    for (i = 0; i < l && addr + i < config_size; val >>= 8, ++i) {
> +    for (i = 0; i < l; val >>= 8, ++i) {
>          uint8_t wmask = d->wmask[addr + i];
>          uint8_t w1cmask = d->w1cmask[addr + i];
>          assert(!(wmask & w1cmask));
> diff --git a/hw/pci_host.c b/hw/pci_host.c
> index 728e2d4..bfdc321 100644
> --- a/hw/pci_host.c
> +++ b/hw/pci_host.c
> @@ -47,17 +47,33 @@ static inline PCIDevice *pci_dev_find_by_addr(PCIBus *bus, uint32_t addr)
>      return pci_find_device(bus, bus_num, devfn);
>  }
>  
> +void pci_config_write_common(PCIDevice *pci_dev, uint32_t addr,
> +                             uint32_t limit, uint32_t val, uint32_t len)
> +{
> +    assert(len <= 4);
> +    pci_dev->config_write(pci_dev, addr, val, MIN(len, limit - addr));
> +}
> +
> +uint32_t pci_config_read_common(PCIDevice *pci_dev, uint32_t addr,
> +                                uint32_t limit, uint32_t len)
> +{
> +    assert(len <= 4);
> +    return pci_dev->config_read(pci_dev, addr, MIN(len, limit - addr));
> +}
> +
>  void pci_data_write(PCIBus *s, uint32_t addr, uint32_t val, int len)
>  {
>      PCIDevice *pci_dev = pci_dev_find_by_addr(s, addr);
>      uint32_t config_addr = addr & (PCI_CONFIG_SPACE_SIZE - 1);
>  
> -    if (!pci_dev)
> +    if (!pci_dev) {
>          return;
> +    }
>  
>      PCI_DPRINTF("%s: %s: addr=%02" PRIx32 " val=%08" PRIx32 " len=%d\n",
>                  __func__, pci_dev->name, config_addr, val, len);
> -    pci_dev->config_write(pci_dev, config_addr, val, len);
> +    pci_config_write_common(pci_dev, config_addr, PCI_CONFIG_SPACE_SIZE, val,
> +                            len);
>  }
>  
>  uint32_t pci_data_read(PCIBus *s, uint32_t addr, int len)
> @@ -66,12 +82,12 @@ uint32_t pci_data_read(PCIBus *s, uint32_t addr, int len)
>      uint32_t config_addr = addr & (PCI_CONFIG_SPACE_SIZE - 1);
>      uint32_t val;
>  
> -    assert(len == 1 || len == 2 || len == 4);
>      if (!pci_dev) {
>          return ~0x0;
>      }
>  
> -    val = pci_dev->config_read(pci_dev, config_addr, len);
> +    val = pci_config_read_common(pci_dev, config_addr, PCI_CONFIG_SPACE_SIZE,
> +                                 len);
>      PCI_DPRINTF("%s: %s: addr=%02"PRIx32" val=%08"PRIx32" len=%d\n",
>                  __func__, pci_dev->name, config_addr, val, len);
>  
> diff --git a/hw/pci_host.h b/hw/pci_host.h
> index 0a58595..e95db6c 100644
> --- a/hw/pci_host.h
> +++ b/hw/pci_host.h
> @@ -39,6 +39,12 @@ struct PCIHostState {
>      PCIBus *bus;
>  };
>  
> +/* common internal helpers for PCI/PCIe hosts, cut off overflows */
> +void pci_config_write_common(PCIDevice *pci_dev, uint32_t addr,
> +                             uint32_t addr_mask, uint32_t val, uint32_t len);
> +uint32_t pci_config_read_common(PCIDevice *pci_dev, uint32_t addr,
> +                                uint32_t addr_mask, uint32_t len);
> +
>  void pci_data_write(PCIBus *s, uint32_t addr, uint32_t val, int len);
>  uint32_t pci_data_read(PCIBus *s, uint32_t addr, int len);
>  
> diff --git a/hw/pcie_host.c b/hw/pcie_host.c
> index b749865..ed6656b 100644
> --- a/hw/pcie_host.c
> +++ b/hw/pcie_host.c
> @@ -57,22 +57,22 @@ static void pcie_mmcfg_data_write(PCIBus *s,
>  {
>      PCIDevice *pci_dev = pcie_dev_find_by_mmcfg_addr(s, mmcfg_addr);
>  
> -    if (!pci_dev)
> +    if (!pci_dev) {
>          return;
> -
> -    pci_dev->config_write(pci_dev,
> -                          PCIE_MMCFG_CONFOFFSET(mmcfg_addr), val, len);
> +    }
> +    pci_config_write_common(pci_dev, PCIE_MMCFG_CONFOFFSET(mmcfg_addr),
> +                            PCIE_CONFIG_SPACE_SIZE, val, len);
>  }
>  
>  static uint32_t pcie_mmcfg_data_read(PCIBus *s, uint32_t addr, int len)
>  {
>      PCIDevice *pci_dev = pcie_dev_find_by_mmcfg_addr(s, addr);
>  
> -    assert(len == 1 || len == 2 || len == 4);
>      if (!pci_dev) {
>          return ~0x0;
>      }
> -    return pci_dev->config_read(pci_dev, PCIE_MMCFG_CONFOFFSET(addr), len);
> +    return pci_config_read_common(pci_dev, PCIE_MMCFG_CONFOFFSET(addr),
> +                                  PCIE_CONFIG_SPACE_SIZE, len);

Doesn't this one need to be pci_config_size(pci_dev)?
We can have pci devices on an express root complex
or behind an express to pci bridge.

>  }
>  
>  static void pcie_mmcfg_data_writeb(void *opaque,
> -- 
> 1.7.3.4

next prev parent reply	other threads:[~2011-07-22  5:31 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-07-21 16:50 [Qemu-devel] [PATCH] pci: Common overflow prevention Jan Kiszka
2011-07-22  5:32 ` Michael S. Tsirkin [this message]
2011-07-22  9:05   ` [Qemu-devel] [PATCH v2] " Jan Kiszka
2011-07-25 15:12     ` Michael S. Tsirkin
2011-07-25 15:17     ` Michael S. Tsirkin
2011-07-25 15:18       ` Jan Kiszka
2011-07-28  7:23     ` Isaku Yamahata
2011-07-28  8:40       ` Michael S. Tsirkin
2011-07-28 12:50         ` Isaku Yamahata
2011-07-29  1:01         ` Isaku Yamahata
2011-07-29  5:03           ` Michael S. Tsirkin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20110722052707.GA8241@redhat.com \
    --to=mst@redhat.com \
    --cc=jan.kiszka@siemens.com \
    --cc=qemu-devel@nongnu.org \
    --cc=yamahata@valinux.co.jp \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).