From: "Philippe Mathieu-Daudé" <philmd@linaro.org>
To: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org, qemu-s390x@nongnu.org, qemu-ppc@nongnu.org,
qemu-riscv@nongnu.org, qemu-block@nongnu.org,
"Peter Maydell" <peter.maydell@linaro.org>,
"Philippe Mathieu-Daudé" <philmd@linaro.org>,
"Gerd Hoffmann" <kraxel@redhat.com>
Subject: [PULL 32/41] hw/usb/hcd-xhci: Avoid variable-length array in xhci_get_port_bandwidth()
Date: Thu, 31 Aug 2023 14:56:34 +0200 [thread overview]
Message-ID: <20230831125646.67855-33-philmd@linaro.org> (raw)
In-Reply-To: <20230831125646.67855-1-philmd@linaro.org>
From: Peter Maydell <peter.maydell@linaro.org>
In xhci_get_port_bandwidth(), we use a variable-length array to
construct the buffer to send back to the guest. Avoid the VLA
by using dma_memory_set() to directly request the memory system
to fill the guest memory with a string of '80's.
The codebase has very few VLAs, and if we can get rid of them all we
can make the compiler error on new additions. This is a defensive
measure against security bugs where an on-stack dynamic allocation
isn't correctly size-checked (e.g. CVE-2021-3527).
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20230824164818.2652452-1-peter.maydell@linaro.org>
---
hw/usb/hcd-xhci.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index b89b618ec2..324177ad5d 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -2434,7 +2434,6 @@ static void xhci_detach_slot(XHCIState *xhci, USBPort *uport)
static TRBCCode xhci_get_port_bandwidth(XHCIState *xhci, uint64_t pctx)
{
dma_addr_t ctx;
- uint8_t bw_ctx[xhci->numports+1];
DPRINTF("xhci_get_port_bandwidth()\n");
@@ -2442,11 +2441,10 @@ static TRBCCode xhci_get_port_bandwidth(XHCIState *xhci, uint64_t pctx)
DPRINTF("xhci: bandwidth context at "DMA_ADDR_FMT"\n", ctx);
- /* TODO: actually implement real values here */
- bw_ctx[0] = 0;
- memset(&bw_ctx[1], 80, xhci->numports); /* 80% */
- if (dma_memory_write(xhci->as, ctx, bw_ctx, sizeof(bw_ctx),
- MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) {
+ /* TODO: actually implement real values here. This is 80% for all ports. */
+ if (stb_dma(xhci->as, ctx, 0, MEMTXATTRS_UNSPECIFIED) != MEMTX_OK ||
+ dma_memory_set(xhci->as, ctx + 1, 80, xhci->numports,
+ MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) {
qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA memory write failed!\n",
__func__);
return CC_TRB_ERROR;
--
2.41.0
next prev parent reply other threads:[~2023-08-31 13:16 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-31 12:56 [PULL 00/41] Misc patches for 2023-08-31 Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 01/41] accel: Remove HAX accelerator Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 02/41] accel/tcg: spelling fixes Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 03/41] qemu/uri: Use QueryParams type definition Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 04/41] bulk: Do not declare function prototypes using 'extern' keyword Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 05/41] hw/net/i82596: Include missing 'exec/address-spaces.h' header Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 06/41] hw/dma/etraxfs: Include missing 'exec/memory.h' header Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 07/41] exec/address-spaces.h: Remove unuseful 'exec/memory.h' include Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 08/41] target/ppc/pmu: Include missing 'qemu/timer.h' header Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 09/41] target/riscv/pmu: Restrict 'qemu/log.h' include to source Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 10/41] target/translate: Include missing 'exec/cpu_ldst.h' header Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 11/41] target/translate: Remove unnecessary " Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 12/41] target/translate: Restrict 'exec/cpu_ldst.h' to user emulation Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 13/41] target/helpers: Remove unnecessary 'exec/cpu_ldst.h' header Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 14/41] target/helpers: Remove unnecessary 'qemu/main-loop.h' header Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 15/41] target/mips: Remove unused headers in lcsr_helper.c Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 16/41] target/xtensa: Include missing 'qemu/atomic.h' header Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 17/41] qemu/processor: Remove unused " Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 18/41] exec/translation-block: Clean up includes Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 19/41] chardev/char-fe: Document FEWatchFunc typedef Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 20/41] hw/char: Have FEWatchFunc handlers return G_SOURCE_CONTINUE/REMOVE Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 21/41] hw/char/pl011: Restrict MemoryRegionOps implementation access sizes Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 22/41] hw/char/pl011: Display register name in trace events Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 23/41] hw/char/pl011: Remove duplicated PL011_INT_[RT]X definitions Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 24/41] hw/char/pl011: Replace magic values by register field definitions Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 25/41] hw/i2c/pmbus_device: Fix modifying QOM class internals from instance Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 26/41] hw/i2c: spelling fixes Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 27/41] hw/ide: " Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 28/41] hw/display: " Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 29/41] hw/mips: " Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 30/41] hw/sd: " Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 31/41] hw/usb: " Philippe Mathieu-Daudé
2023-08-31 12:56 ` Philippe Mathieu-Daudé [this message]
2023-08-31 12:56 ` [PULL 33/41] hw/i386: Remove unuseful kvmclock_create() stub Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 34/41] hw/i386: Rename 'hw/kvm/clock.h' -> 'hw/i386/kvm/clock.h' Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 35/41] util/fifo8: Fix typo in fifo8_push_all() description Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 36/41] util: spelling fixes Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 37/41] ui: " Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 38/41] docs/style: permit inline loop variables Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 39/41] meson: Fix MESONINTROSPECT parsing Philippe Mathieu-Daudé
2023-08-31 13:06 ` Michael Tokarev
2023-08-31 13:47 ` Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 40/41] build: Only define OS_OBJECT_USE_OBJC with gcc Philippe Mathieu-Daudé
2023-08-31 12:56 ` [PULL 41/41] tests/tcg/aarch64: Rename bti-crt.inc.c -> bti-crt.c.inc Philippe Mathieu-Daudé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230831125646.67855-33-philmd@linaro.org \
--to=philmd@linaro.org \
--cc=kraxel@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-arm@nongnu.org \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=qemu-ppc@nongnu.org \
--cc=qemu-riscv@nongnu.org \
--cc=qemu-s390x@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).