* [Qemu-devel] [PATCH] highbank: validate register offset before access
From: P J P @ 2017-11-09 11:58 UTC (permalink / raw)
To: Qemu Developers; +Cc: Peter Maydell, qemu-arm, Moguofang, Prasad J Pandit
From: Prasad J Pandit <pjp@fedoraproject.org>
An 'offset' parameter sent to highbank register r/w functions
could be greater than the number (NUM_REGS=0x200) of hb registers,
leading to an OOB access issue. Add a check to avoid it.
Reported-by: Moguofang (Dennis mo) <moguofang@huawei.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
hw/arm/highbank.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/hw/arm/highbank.c b/hw/arm/highbank.c
index 354c6b25a8..94df151454 100644
--- a/hw/arm/highbank.c
+++ b/hw/arm/highbank.c
@@ -117,6 +117,9 @@ static void hb_regs_write(void *opaque, hwaddr offset,
}
}
+ if (offset / 4 >= NUM_REGS) {
+ return;
+ }
regs[offset/4] = value;
}
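Review bot: the new guard at the top of this hunk drops out-of-range writes silently; a guest writing past the register array is a guest error, so report it before the `return;`, e.g. `qemu_log_mask(LOG_GUEST_ERROR, "%s: bad offset 0x%" HWADDR_PRIx "\n", __func__, offset);`. The bound itself is correct: `regs` is indexed by `offset/4` and NUM_REGS (0x200 per the commit message) counts 32-bit words, so `offset / 4 >= NUM_REGS` rejects exactly the indices that would run off the end of the array.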
@@ -124,6 +127,10 @@ static uint64_t hb_regs_read(void *opaque, hwaddr offset,
unsigned size)
{
uint32_t *regs = opaque;
+
+ if (offset / 4 >= NUM_REGS) {
+ return 0;
+ }
uint32_t value = regs[offset/4];
if ((offset == 0x100) || (offset == 0x108) || (offset == 0x10C)) {
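Review bot: the inserted check sits between the declaration `uint32_t *regs = opaque;` and the declaration `uint32_t value = regs[offset/4];`, which leaves a statement interleaved with declarations, something QEMU's CODING_STYLE disallows. Declare `uint32_t value;` next to `regs`, perform the bounds check, then assign `value = regs[offset/4];`. As in the write path, log the rejected access with `qemu_log_mask(LOG_GUEST_ERROR, ...)` rather than returning 0 without a trace; returning 0 to the guest is otherwise a reasonable choice for a read of a non-existent register.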
--
2.13.6
* Re: [Qemu-devel] [Qemu-arm] [PATCH] highbank: validate register offset before access
From: Philippe Mathieu-Daudé @ 2017-11-10 13:35 UTC (permalink / raw)
To: P J P, Qemu Developers, Moguofang
Cc: Peter Maydell, qemu-arm, Prasad J Pandit, Shawn Guo, Rob Herring
Hi Prasad, Moguofang.
On 11/09/2017 08:58 AM, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> An 'offset' parameter sent to highbank register r/w functions
> could be greater than the number (NUM_REGS=0x200) of hb registers,
> leading to an OOB access issue. Add a check to avoid it.
>
> Reported-by: Moguofang (Dennis mo) <moguofang@huawei.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> hw/arm/highbank.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/hw/arm/highbank.c b/hw/arm/highbank.c
> index 354c6b25a8..94df151454 100644
> --- a/hw/arm/highbank.c
> +++ b/hw/arm/highbank.c
> @@ -117,6 +117,9 @@ static void hb_regs_write(void *opaque, hwaddr offset,
> }
> }
>
> + if (offset / 4 >= NUM_REGS) {
I'd report that:
qemu_log_mask(LOG_UNIMP, ...
Cc'ing Shawn & Rob since this might also be a LOG_GUEST_ERROR.
> + return;
> + }
> regs[offset/4] = value;
> }
>
> @@ -124,6 +127,10 @@ static uint64_t hb_regs_read(void *opaque, hwaddr offset,
> unsigned size)
> {
> uint32_t *regs = opaque;
> +
> + if (offset / 4 >= NUM_REGS) {
Ditto.
> + return 0;
> + }
From CODING_STYLE:
Mixed declarations (interleaving statements and declarations within
blocks) are generally not allowed; declarations should be at the
beginning of blocks.
> uint32_t value = regs[offset/4];
>
> if ((offset == 0x100) || (offset == 0x108) || (offset == 0x10C)) {
Regards,
Phil.
* Re: [Qemu-devel] [Qemu-arm] [PATCH] highbank: validate register offset before access
From: P J P @ 2017-11-11 8:13 UTC (permalink / raw)
To: Philippe Mathieu-Daudé
Cc: Qemu Developers, Moguofang, Peter Maydell, qemu-arm, Shawn Guo,
Rob Herring
Hello Philippe,
+-- On Fri, 10 Nov 2017, Philippe Mathieu-Daudé wrote --+
| I'd report that:
|
| qemu_log_mask(LOG_UNIMP, ...
|
| Cc'ing Shawn & Rob since this might also be a LOG_GUEST_ERROR.
|
| Mixed declarations (interleaving statements and declarations within
| blocks) are generally not allowed; declarations should be at the
| beginning of blocks.
Done. Sent a revised patch v1.
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F