From: Nicholas Piggin <npiggin@gmail.com>
To: qemu-devel@nongnu.org
Cc: "Nicholas Piggin" <npiggin@gmail.com>,
qemu-ppc@nongnu.org, qemu-stable@nongnu.org,
"Cédric Le Goater" <clg@redhat.com>
Subject: [PULL 10/67] ppc/pnv: ADU fix possible buffer overrun with invalid size
Date: Mon, 4 Nov 2024 10:17:59 +1000 [thread overview]
Message-ID: <20241104001900.682660-11-npiggin@gmail.com> (raw)
In-Reply-To: <20241104001900.682660-1-npiggin@gmail.com>
The ADU LPC transfer-size field is 7 bits, but the supported sizes for
LPC access via ADU appear to be 1, 2, 4, 8. The data buffer could
overrun if firmware set an invalid size field, so add checks to reject
them with a message.
Cc: qemu-stable@nongnu.org
Reported-by: Cédric Le Goater <clg@redhat.com>
Resolves: Coverity CID 1558830
Fixes: 24bd283bccb33 ("ppc/pnv: Implement ADU access to LPC space")
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
---
hw/ppc/pnv_adu.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/hw/ppc/pnv_adu.c b/hw/ppc/pnv_adu.c
index 81b7d6e526..f636dedf79 100644
--- a/hw/ppc/pnv_adu.c
+++ b/hw/ppc/pnv_adu.c
@@ -116,6 +116,12 @@ static void pnv_adu_xscom_write(void *opaque, hwaddr addr, uint64_t val,
uint32_t lpc_size = lpc_cmd_size(adu);
uint64_t data = 0;
+ if (!is_power_of_2(lpc_size) || lpc_size > sizeof(data)) {
+ qemu_log_mask(LOG_GUEST_ERROR, "ADU: Unsupported LPC access "
+ "size:%" PRId32 "\n", lpc_size);
+ break;
+ }
+
pnv_lpc_opb_read(adu->lpc, lpc_addr, (void *)&data, lpc_size);
/*
@@ -135,6 +141,12 @@ static void pnv_adu_xscom_write(void *opaque, hwaddr addr, uint64_t val,
uint32_t lpc_size = lpc_cmd_size(adu);
uint64_t data;
+ if (!is_power_of_2(lpc_size) || lpc_size > sizeof(data)) {
+ qemu_log_mask(LOG_GUEST_ERROR, "ADU: Unsupported LPC access "
+ "size:%" PRId32 "\n", lpc_size);
+ break;
+ }
+
data = cpu_to_be64(val) >> ((lpc_addr & 7) * 8); /* See above */
pnv_lpc_opb_write(adu->lpc, lpc_addr, (void *)&data, lpc_size);
}
--
2.45.2
next prev parent reply other threads:[~2024-11-04 0:22 UTC|newest]
Thread overview: 74+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-04 0:17 [PULL 00/67] ppc-for-9.2-1 queue Nicholas Piggin
2024-11-04 0:17 ` [PULL 01/67] target/ppc: Set ctx->opcode for decode_insn32() Nicholas Piggin
2024-11-04 0:17 ` [PULL 02/67] target/ppc: Make divd[u] handler method decodetree compatible Nicholas Piggin
2024-11-05 15:33 ` Michael Tokarev
2024-11-05 18:01 ` Ilya Leoshkevich
2024-11-05 18:45 ` Michael Tokarev
2024-11-04 0:17 ` [PULL 03/67] ppc/pnv: Fix LPC serirq routing calculation Nicholas Piggin
2024-11-04 0:17 ` [PULL 04/67] ppc/pnv: Fix LPC POWER8 register sanity check Nicholas Piggin
2024-11-04 0:17 ` [PULL 05/67] target/ppc: Fix mtDPDES targeting SMT siblings Nicholas Piggin
2024-11-04 0:17 ` [PULL 06/67] target/ppc: PMIs are level triggered Nicholas Piggin
2024-11-04 0:17 ` [PULL 07/67] target/ppc: Fix doorbell delivery to threads in powersave Nicholas Piggin
2024-11-04 0:17 ` [PULL 08/67] target/ppc: Fix HFSCR facility checks Nicholas Piggin
2024-11-05 15:50 ` Michael Tokarev
2024-11-08 2:34 ` Nicholas Piggin
2024-11-04 0:17 ` [PULL 09/67] target/ppc: Fix VRMA to not check virtual page class key protection Nicholas Piggin
2024-11-04 0:17 ` Nicholas Piggin [this message]
2024-11-04 0:18 ` [PULL 11/67] MAINTAINERS: Cover PowerPC SPI model in PowerNV section Nicholas Piggin
2024-11-04 0:18 ` [PULL 12/67] hw/ssi/pnv_spi: Match _xfer_buffer_free() with _xfer_buffer_new() Nicholas Piggin
2024-11-04 0:18 ` [PULL 13/67] hw/ssi/pnv_spi: Return early in transfer() Nicholas Piggin
2024-11-04 0:18 ` [PULL 14/67] hw/ssi/pnv_spi: Fixes Coverity CID 1558831 Nicholas Piggin
2024-11-04 0:18 ` [PULL 15/67] tests/tcg: Replace -mpower8-vector with -mcpu=power8 Nicholas Piggin
2024-11-04 0:18 ` [PULL 16/67] hw/ppc: fix decrementer with BookE timers Nicholas Piggin
2024-11-04 0:18 ` [PULL 17/67] ppc/spapr: remove deprecated machine pseries-2.1 Nicholas Piggin
2024-11-04 0:18 ` [PULL 18/67] ppc/spapr: remove deprecated machine pseries-2.2 Nicholas Piggin
2024-11-04 0:18 ` [PULL 19/67] ppc/spapr: remove deprecated machine pseries-2.3 Nicholas Piggin
2024-11-04 0:18 ` [PULL 20/67] ppc/spapr: remove deprecated machine pseries-2.4 Nicholas Piggin
2024-11-04 0:18 ` [PULL 21/67] ppc/spapr: remove deprecated machine pseries-2.5 Nicholas Piggin
2024-11-04 0:18 ` [PULL 22/67] ppc/spapr: remove deprecated machine pseries-2.6 Nicholas Piggin
2024-11-04 0:18 ` [PULL 23/67] ppc/spapr: remove deprecated machine pseries-2.7 Nicholas Piggin
2024-11-04 0:18 ` [PULL 24/67] ppc/spapr: remove deprecated machine pseries-2.8 Nicholas Piggin
2024-11-04 0:18 ` [PULL 25/67] ppc/spapr: remove deprecated machine pseries-2.9 Nicholas Piggin
2024-11-04 0:18 ` [PULL 26/67] ppc/spapr: remove deprecated machine pseries-2.10 Nicholas Piggin
2024-11-04 0:18 ` [PULL 27/67] ppc/spapr: remove deprecated machine pseries-2.11 Nicholas Piggin
2024-11-04 0:18 ` [PULL 28/67] ppc/spapr: remove deprecated machine pseries-2.12-sxxm Nicholas Piggin
2024-11-04 0:18 ` [PULL 29/67] ppc/spapr: remove deprecated machine pseries-2.12 Nicholas Piggin
2024-11-04 0:18 ` [PULL 30/67] target/ppc: Reduce code duplication across Power9/10 init code Nicholas Piggin
2024-11-04 0:18 ` [PULL 31/67] target/ppc: Introduce 'PowerPCCPUClass::spapr_logical_pvr' Nicholas Piggin
2024-11-04 0:18 ` [PULL 32/67] target/ppc: Fix regression due to Power10 and Power11 having same PCR Nicholas Piggin
2024-11-04 0:18 ` [PULL 33/67] target/ppc: Add Power11 DD2.0 processor Nicholas Piggin
2024-11-04 0:18 ` [PULL 34/67] ppc/pseries: Add Power11 cpu type Nicholas Piggin
2024-11-04 0:18 ` [PULL 35/67] target/ppc: use locally stored msr and avoid indirect access Nicholas Piggin
2024-11-04 0:18 ` [PULL 36/67] target/ppc: optimize hreg_compute_pmu_hflags_value Nicholas Piggin
2024-11-04 0:18 ` [PULL 37/67] " Nicholas Piggin
2024-11-04 0:18 ` [PULL 38/67] target/ppc: optimize p9 exception handling routines Nicholas Piggin
2024-11-04 0:18 ` [PULL 39/67] target/ppc: optimize p8 " Nicholas Piggin
2024-11-04 0:18 ` [PULL 40/67] target/ppc: optimize p7 " Nicholas Piggin
2024-11-04 0:18 ` [PULL 41/67] target/ppc: simplify var usage in ppc_next_unmasked_interrupt Nicholas Piggin
2024-11-04 0:18 ` [PULL 42/67] target/ppc: combine multiple ail checks into one Nicholas Piggin
2024-11-04 0:18 ` [PULL 43/67] target/ppc: reduce duplicate code between init_proc_POWER{9, 10} Nicholas Piggin
2024-11-04 0:18 ` [PULL 44/67] spapr: nested: Add support for DPDES SPR in GSB for TCG L0 Nicholas Piggin
2024-11-04 0:18 ` [PULL 45/67] spapr: nested: Add Power11 capability support for Nested PAPR guests in " Nicholas Piggin
2024-11-04 0:18 ` [PULL 46/67] hw/ppc: Implement -dtb support for PowerNV Nicholas Piggin
2024-11-04 0:18 ` [PULL 47/67] ppc/xive: Fix ESB length overflow on 32-bit hosts Nicholas Piggin
2024-11-04 0:18 ` [PULL 48/67] pnv/xive: TIMA patch sets pre-req alignment and formatting changes Nicholas Piggin
2024-11-04 0:18 ` [PULL 49/67] pnv/xive2: Define OGEN field in the TIMA Nicholas Piggin
2024-11-04 0:18 ` [PULL 50/67] ppc/xive2: Support TIMA "Pull OS Context to Odd Thread Reporting Line" Nicholas Piggin
2024-11-04 0:18 ` [PULL 51/67] pnv/xive2: Support for "OS LGS Push" TIMA operation Nicholas Piggin
2024-11-04 0:18 ` [PULL 52/67] ppc/xive2: Dump more NVP state with 'info pic' Nicholas Piggin
2024-11-04 0:18 ` [PULL 53/67] ppc/xive2: Dump the VP-group and crowd tables " Nicholas Piggin
2024-11-04 0:18 ` [PULL 54/67] ppc/xive2: Allow 1-byte write of Target field in TIMA Nicholas Piggin
2024-11-04 0:18 ` [PULL 55/67] ppc/xive2: Support "Pull Thread Context to Register" operation Nicholas Piggin
2024-11-04 0:18 ` [PULL 56/67] ppc/xive2: Change context/ring specific functions to be generic Nicholas Piggin
2024-11-04 0:18 ` [PULL 57/67] ppc/xive2: Support "Pull Thread Context to Odd Thread Reporting Line" Nicholas Piggin
2024-11-04 0:18 ` [PULL 58/67] pnv/xive: Add special handling for pool targets Nicholas Piggin
2024-11-04 0:18 ` [PULL 59/67] pnv/xive: Update PIPR when updating CPPR Nicholas Piggin
2024-11-04 0:18 ` [PULL 60/67] pnv/xive2: TIMA support for 8-byte OS context push for PHYP Nicholas Piggin
2024-11-04 0:18 ` [PULL 61/67] pnv/xive2: TIMA CI ops using alternative offsets or byte lengths Nicholas Piggin
2024-11-04 0:18 ` [PULL 62/67] tests/qtest: Add XIVE tests for the powernv10 machine Nicholas Piggin
2024-11-04 0:18 ` [PULL 63/67] hw/ppc: Consolidate e500 initial mapping creation functions Nicholas Piggin
2024-11-04 0:18 ` [PULL 64/67] hw/ppc: Consolidate ppc440 " Nicholas Piggin
2024-11-04 0:18 ` [PULL 65/67] MAINTAINERS: Remove myself from the PowerNV machines Nicholas Piggin
2024-11-04 0:18 ` [PULL 66/67] MAINTAINERS: Remove myself from XIVE Nicholas Piggin
2024-11-04 0:18 ` [PULL 67/67] MAINTAINERS: Remove myself as reviewer Nicholas Piggin
2024-11-05 14:22 ` [PULL 00/67] ppc-for-9.2-1 queue Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241104001900.682660-11-npiggin@gmail.com \
--to=npiggin@gmail.com \
--cc=clg@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-ppc@nongnu.org \
--cc=qemu-stable@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).