From: "Cédric Le Goater" <clg@redhat.com>
To: Nicholas Piggin <npiggin@gmail.com>, qemu-ppc@nongnu.org
Cc: qemu-devel@nongnu.org
Subject: Re: [PATCH] ppc/pnv: ADU fix possible buffer overrun with invalid size
Date: Mon, 26 Aug 2024 12:01:02 +0200
Message-ID: <4afd07f6-f59e-4f3e-bea1-85ed7ab5a0ea@redhat.com>
In-Reply-To: <20240806151322.284431-1-npiggin@gmail.com>

On 8/6/24 17:13, Nicholas Piggin wrote:
> The ADU LPC transfer-size field is 7 bits, but the supported sizes for
> LPC access via ADU appear to be 1, 2, 4, 8. The data buffer could
> overrun if firmware set an invalid size field, so add checks to reject
> them with a message.
> 
> Reported-by: Cédric Le Goater <clg@redhat.com>
> Resolves: Coverity CID 1558830
> Fixes: 24bd283bccb33 ("ppc/pnv: Implement ADU access to LPC space")
> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>


Reviewed-by: Cédric Le Goater <clg@redhat.com>

Thanks,

C.


> ---
>   hw/ppc/pnv_adu.c | 12 ++++++++++++
>   1 file changed, 12 insertions(+)
> 
> diff --git a/hw/ppc/pnv_adu.c b/hw/ppc/pnv_adu.c
> index 81b7d6e526..f636dedf79 100644
> --- a/hw/ppc/pnv_adu.c
> +++ b/hw/ppc/pnv_adu.c
> @@ -116,6 +116,12 @@ static void pnv_adu_xscom_write(void *opaque, hwaddr addr, uint64_t val,
>               uint32_t lpc_size = lpc_cmd_size(adu);
>               uint64_t data = 0;
>   
> +            if (!is_power_of_2(lpc_size) || lpc_size > sizeof(data)) {
> +                qemu_log_mask(LOG_GUEST_ERROR, "ADU: Unsupported LPC access "
> +                                               "size:%" PRId32 "\n", lpc_size);
> +                break;
> +            }
> +
>               pnv_lpc_opb_read(adu->lpc, lpc_addr, (void *)&data, lpc_size);
>   
>               /*
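Review bot: the format specifier in the new qemu_log_mask() call does not match the type it prints: `lpc_size` is a `uint32_t` (see the context line `uint32_t lpc_size = lpc_cmd_size(adu);`) but is formatted with `PRId32`, the signed conversion; use `PRIu32` so an out-of-range value is reported as the unsigned number the check saw. The check itself matches the sizes the commit message lists, since `is_power_of_2(lpc_size)` together with `lpc_size > sizeof(data)` admits exactly 1, 2, 4 and 8, but that relies on is_power_of_2() treating 0 as not a power of two; worth confirming, because a zero size field would otherwise still reach pnv_lpc_opb_read().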
> @@ -135,6 +141,12 @@ static void pnv_adu_xscom_write(void *opaque, hwaddr addr, uint64_t val,
>               uint32_t lpc_size = lpc_cmd_size(adu);
>               uint64_t data;
>   
> +            if (!is_power_of_2(lpc_size) || lpc_size > sizeof(data)) {
> +                qemu_log_mask(LOG_GUEST_ERROR, "ADU: Unsupported LPC access "
> +                                               "size:%" PRId32 "\n", lpc_size);
> +                break;
> +            }
> +
>               data = cpu_to_be64(val) >> ((lpc_addr & 7) * 8); /* See above */
>               pnv_lpc_opb_write(adu->lpc, lpc_addr, (void *)&data, lpc_size);
>           }
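Review bot: this check and message are a verbatim copy of the ones added to the read path above; consider factoring them into a small predicate next to lpc_cmd_size() (a hypothetical `lpc_size_valid()`) so the two paths cannot drift, and apply the same `PRIu32` fix here since `lpc_size` is again a `uint32_t` printed with `PRId32`. The `break` after the log silently drops the write, which is consistent with the read path; a line in the commit message saying that invalid sizes are ignored rather than faulted would make that behaviour explicit.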
