Date: Sun, 20 Mar 2022 11:41:10 +0000
In-Reply-To: <20220320114118.2237795-1-ascull@google.com>
Message-Id: <20220320114118.2237795-4-ascull@google.com>
References: <20220320114118.2237795-1-ascull@google.com>
X-Mailer: git-send-email 2.35.1.894.gb6a874cedc-goog
Subject: [PATCH 03/11] virtio: pci: Bounds check notification writes
From: Andrew Scull
To: u-boot@lists.denx.de
Cc: sjg@chromium.org, bmeng.cn@gmail.com, adelva@google.com, keirf@google.com, ptosi@google.com, Andrew Scull

Make sure virtio notifications are written within their allocated buffer.

Signed-off-by: Andrew Scull
--- drivers/virtio/virtio_pci_modern.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/drivers/virtio/virtio_pci_modern.c b/drivers/virtio/virtio_pci_modern.c index bcf9f18997..60bdc53a6d 100644 --- a/drivers/virtio/virtio_pci_modern.c +++ b/drivers/virtio/virtio_pci_modern.c @@ -101,6 +101,7 @@ struct virtio_pci_priv { struct virtio_pci_common_cfg __iomem *common; void __iomem *notify_base; + u32 notify_len; void __iomem *device; u32 device_len; u32 notify_offset_multiplier; @@ -372,12 +373,16 @@ static int virtio_pci_notify(struct udevice *udev, struct virtqueue *vq) /* get offset of notification word for this vq */ off = ioread16(&priv->common->queue_notify_off); + /* Check the effective offset is in bounds */ + off *= priv->notify_offset_multiplier; + if (off > priv->notify_len - sizeof(u16)) + return -EIO; + /* * We write the queue's selector into the notification register * to signal the other end */ - iowrite16(vq->index, - priv->notify_base + off * priv->notify_offset_multiplier); + iowrite16(vq->index, priv->notify_base + off); return 0; } 
@@ -499,6 +504,9 @@ static int virtio_pci_probe(struct udevice *udev) return -EINVAL; } + offset = notify + offsetof(struct virtio_pci_cap, length); + dm_pci_read_config32(udev, offset, &priv->notify_len); + /* * Device capability is only mandatory for devices that have * device-specific configuration. -- 2.35.1.894.gb6a874cedc-goog
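Review bot: In the virtio_pci_notify hunk, `if (off > priv->notify_len - sizeof(u16))` does not hold when notify_len is smaller than sizeof(u16): the subtraction is unsigned, so a capability length of 0 or 1 wraps to a very large bound and every offset passes the check. Suggest testing the length first, e.g. `if (priv->notify_len < sizeof(u16) || off > priv->notify_len - sizeof(u16))`, or rejecting such a length once at probe time. Separately, the declaration of `off` is outside this hunk; if it is a 16-bit variable (it is loaded with ioread16), `off *= priv->notify_offset_multiplier` truncates the product, so the value that is checked and written stays in bounds but may no longer be the offset the device specified. Computing the effective offset in a wider local and checking that would cover both the truncation and a product that overflows.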
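Review bot: In the virtio_pci_probe hunk, the return value of `dm_pci_read_config32(udev, offset, &priv->notify_len)` is ignored and the length is stored without validation. If the config read fails, notify_len keeps whatever value it had and the new check in virtio_pci_notify compares against it anyway. Suggest returning an error when the read fails and when the length is below sizeof(u16), so the bound used later is known to be meaningful. A short comment that notify_len is the device-reported length of the notify capability, in bytes, would also help, since the hunk does not show it being compared with the size of the region actually mapped at notify_base.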