From: Collin Walling <walling@linux.ibm.com>
To: qemu-devel@nongnu.org, qemu-s390x@nongnu.org
Cc: thuth@redhat.com, frankja@linux.ibm.com, david@redhat.com,
cohuck@redhat.com, pasic@linux.ibm.com, borntraeger@de.ibm.com,
mst@redhat.com, svens@linux.ibm.com, pbonzini@redhat.com,
mihajlov@linux.ibm.com, rth@twiddle.net
Subject: [PATCH v3 2/8] s390/sclp: check sccb len before filling in data
Date: Thu, 18 Jun 2020 18:22:52 -0400 [thread overview]
Message-ID: <20200618222258.23287-3-walling@linux.ibm.com> (raw)
In-Reply-To: <20200618222258.23287-1-walling@linux.ibm.com>
The SCCB must be checked for a sufficient length before it is filled
with any data. If the length is insufficient, then the SCLP command
is suppressed and the proper response code is set in the SCCB header.
Fixes: 832be0d8a3bb ("s390x: sclp: Report insufficient SCCB length")
Signed-off-by: Collin Walling <walling@linux.ibm.com>
Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
---
hw/s390x/sclp.c | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/hw/s390x/sclp.c b/hw/s390x/sclp.c
index 7875334037..181ce04007 100644
--- a/hw/s390x/sclp.c
+++ b/hw/s390x/sclp.c
@@ -75,6 +75,12 @@ static void read_SCP_info(SCLPDevice *sclp, SCCB *sccb)
int rnsize, rnmax;
IplParameterBlock *ipib = s390_ipl_get_iplb();
+ if (be16_to_cpu(sccb->h.length) <
+ (sizeof(ReadInfo) + machine->possible_cpus->len * sizeof(CPUEntry))) {
+ sccb->h.response_code = cpu_to_be16(SCLP_RC_INSUFFICIENT_SCCB_LENGTH);
+ return;
+ }
+
/* CPU information */
prepare_cpu_entries(machine, read_info->entries, &cpu_count);
read_info->entries_cpu = cpu_to_be16(cpu_count);
@@ -83,12 +89,6 @@ static void read_SCP_info(SCLPDevice *sclp, SCCB *sccb)
read_info->ibc_val = cpu_to_be32(s390_get_ibc_val());
- if (be16_to_cpu(sccb->h.length) <
- (sizeof(ReadInfo) + cpu_count * sizeof(CPUEntry))) {
- sccb->h.response_code = cpu_to_be16(SCLP_RC_INSUFFICIENT_SCCB_LENGTH);
- return;
- }
-
/* Configuration Characteristic (Extension) */
s390_get_feat_block(S390_FEAT_TYPE_SCLP_CONF_CHAR,
read_info->conf_char);
@@ -135,17 +135,17 @@ static void sclp_read_cpu_info(SCLPDevice *sclp, SCCB *sccb)
ReadCpuInfo *cpu_info = (ReadCpuInfo *) sccb;
int cpu_count;
- prepare_cpu_entries(machine, cpu_info->entries, &cpu_count);
- cpu_info->nr_configured = cpu_to_be16(cpu_count);
- cpu_info->offset_configured = cpu_to_be16(offsetof(ReadCpuInfo, entries));
- cpu_info->nr_standby = cpu_to_be16(0);
-
if (be16_to_cpu(sccb->h.length) <
- (sizeof(ReadCpuInfo) + cpu_count * sizeof(CPUEntry))) {
+ (sizeof(ReadInfo) + machine->possible_cpus->len * sizeof(CPUEntry))) {
sccb->h.response_code = cpu_to_be16(SCLP_RC_INSUFFICIENT_SCCB_LENGTH);
return;
}
+ prepare_cpu_entries(machine, cpu_info->entries, &cpu_count);
+ cpu_info->nr_configured = cpu_to_be16(cpu_count);
+ cpu_info->offset_configured = cpu_to_be16(offsetof(ReadCpuInfo, entries));
+ cpu_info->nr_standby = cpu_to_be16(0);
+
/* The standby offset is 16-byte for each CPU */
cpu_info->offset_standby = cpu_to_be16(cpu_info->offset_configured
+ cpu_info->nr_configured*sizeof(CPUEntry));
--
2.21.3
next prev parent reply other threads:[~2020-06-18 22:24 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-18 22:22 [PATCH v3 0/8] s390: Extended-Length SCCB & DIAGNOSE 0x318 Collin Walling
2020-06-18 22:22 ` [PATCH v3 1/8] s390/sclp: get machine once during read scp/cpu info Collin Walling
2020-06-19 8:12 ` Janosch Frank
2020-06-22 10:30 ` Cornelia Huck
2020-06-18 22:22 ` Collin Walling [this message]
2020-06-19 14:45 ` [PATCH v3 2/8] s390/sclp: check sccb len before filling in data David Hildenbrand
2020-06-22 10:32 ` Cornelia Huck
2020-06-24 12:01 ` Thomas Huth
2020-06-18 22:22 ` [PATCH v3 3/8] s390/sclp: rework sclp boundary and length checks Collin Walling
2020-06-19 10:50 ` Janosch Frank
2020-06-22 10:43 ` Cornelia Huck
2020-06-22 15:20 ` Christian Borntraeger
2020-06-22 15:22 ` Christian Borntraeger
2020-06-22 15:54 ` Collin Walling
2020-06-18 22:22 ` [PATCH v3 4/8] s390/sclp: read sccb from mem based on sccb length Collin Walling
2020-06-19 8:18 ` Janosch Frank
2020-06-22 10:45 ` Cornelia Huck
2020-06-18 22:22 ` [PATCH v3 5/8] s390/sclp: use cpu offset to locate cpu entries Collin Walling
2020-06-19 8:21 ` Janosch Frank
2020-06-22 10:47 ` Cornelia Huck
2020-06-18 22:22 ` [PATCH v3 6/8] s390/sclp: add extended-length sccb support for kvm guest Collin Walling
2020-06-24 12:36 ` Cornelia Huck
2020-06-24 12:40 ` Thomas Huth
2020-06-24 12:55 ` Cornelia Huck
2020-06-24 14:49 ` Collin Walling
2020-06-24 14:57 ` Cornelia Huck
2020-06-24 15:19 ` Thomas Huth
2020-06-18 22:22 ` [PATCH v3 7/8] s390/kvm: header sync for diag318 Collin Walling
2020-06-18 22:22 ` [PATCH v3 8/8] s390: guest support for diagnose 0x318 Collin Walling
2020-06-19 9:21 ` Janosch Frank
2020-06-24 12:49 ` Cornelia Huck
2020-06-18 22:33 ` [PATCH v3 0/8] s390: Extended-Length SCCB & DIAGNOSE 0x318 no-reply
2020-06-18 22:51 ` no-reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200618222258.23287-3-walling@linux.ibm.com \
--to=walling@linux.ibm.com \
--cc=borntraeger@de.ibm.com \
--cc=cohuck@redhat.com \
--cc=david@redhat.com \
--cc=frankja@linux.ibm.com \
--cc=mihajlov@linux.ibm.com \
--cc=mst@redhat.com \
--cc=pasic@linux.ibm.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-s390x@nongnu.org \
--cc=rth@twiddle.net \
--cc=svens@linux.ibm.com \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).