From: Andrew Scull <ascull@google.com>
To: u-boot@lists.denx.de
Cc: sjg@chromium.org, bmeng.cn@gmail.com, adelva@google.com,
keirf@google.com, ptosi@google.com,
Andrew Scull <ascull@google.com>
Subject: [PATCH 04/11] virtio: pci: Check virtio common config size
Date: Sun, 20 Mar 2022 11:41:11 +0000
Message-ID: <20220320114118.2237795-5-ascull@google.com>
In-Reply-To: <20220320114118.2237795-1-ascull@google.com>

Check that the common config is at least as large as the struct it is
expected to contain. Only then is it safe to cast the pointer and be
safe from out-of-bounds accesses.
Signed-off-by: Andrew Scull <ascull@google.com>
---
drivers/virtio/virtio_pci_modern.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/virtio/virtio_pci_modern.c b/drivers/virtio/virtio_pci_modern.c
index 60bdc53a6d..3403ff5cca 100644
--- a/drivers/virtio/virtio_pci_modern.c
+++ b/drivers/virtio/virtio_pci_modern.c
@@ -475,6 +475,7 @@ static int virtio_pci_probe(struct udevice *udev)
u16 subvendor;
u8 revision;
int common, notify, device;
+ u32 common_length;
int offset;
/* We only own devices >= 0x1040 and <= 0x107f: leave the rest. */
@@ -496,6 +497,13 @@ static int virtio_pci_probe(struct udevice *udev)
return -ENODEV;
}
+ offset = common + offsetof(struct virtio_pci_cap, length);
+ dm_pci_read_config32(udev, offset, &common_length);
+ if (common_length < sizeof(struct virtio_pci_common_cfg)) {
+ printf("(%s): virtio common config too small\n", udev->name);
+ return -EINVAL;
+ }
+
/* If common is there, notify should be too */
notify = virtio_pci_find_capability(udev, VIRTIO_PCI_CAP_NOTIFY_CFG);
if (!notify) {
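Review bot: The return value of dm_pci_read_config32() is ignored where the new code reads the capability's length field, so if that config read fails, common_length (declared without an initializer in the first hunk) is compared while still indeterminate and the size check can pass on garbage. Suggest checking the call's result and returning the error before the comparison, or at least declaring `u32 common_length = 0;` so a failed read fails closed with -EINVAL. A short comment above the check saying that the length is device-supplied and must be validated before the common config pointer is cast to struct virtio_pci_common_cfg would also document why the check sits at this point in the probe.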
--
2.35.1.894.gb6a874cedc-goog
Thread overview: 35+ messages
2022-03-20 11:41 [PATCH 00/11] virtio: pci: Add and fix consistency checks Andrew Scull
2022-03-20 11:41 ` [PATCH 01/11] virtio: pci: Fix discovery of device config length Andrew Scull
2022-03-24 9:32 ` Bin Meng
2022-03-20 11:41 ` [PATCH 02/11] virtio: pci: Bounds check device config access Andrew Scull
2022-03-24 14:07 ` Bin Meng
2022-03-20 11:41 ` [PATCH 03/11] virtio: pci: Bounds check notification writes Andrew Scull
2022-03-24 14:18 ` Bin Meng
2022-03-24 16:24 ` Andrew Scull
2022-03-25 1:41 ` Bin Meng
2022-03-20 11:41 ` Andrew Scull [this message]
2022-03-24 14:22 ` [PATCH 04/11] virtio: pci: Check virtio common config size Bin Meng
2022-03-20 11:41 ` [PATCH 05/11] virtio: pci: Check virtio capability is in bounds Andrew Scull
2022-03-24 15:24 ` Bin Meng
2022-03-24 16:27 ` Andrew Scull
2022-03-25 1:27 ` Bin Meng
2022-03-20 11:41 ` [PATCH 06/11] virtio: pci: Read entire capability into memory Andrew Scull
2022-03-25 4:31 ` Bin Meng
2022-03-25 7:03 ` Andrew Scull
2022-03-25 7:51 ` Bin Meng
2022-03-25 9:18 ` Andrew Scull
2022-03-25 10:25 ` Bin Meng
2022-03-28 14:28 ` Andrew Scull
2022-03-20 11:41 ` [PATCH 07/11] virtio: pci: Check virtio configs are mapped Andrew Scull
2022-03-25 4:38 ` Bin Meng
2022-03-25 7:07 ` Andrew Scull
2022-03-25 7:19 ` Bin Meng
2022-03-20 11:41 ` [PATCH 08/11] pci: Check region ranges are addressable Andrew Scull
2022-03-25 7:14 ` Bin Meng
2022-03-20 11:41 ` [PATCH 09/11] pci: Add function to validate PCI address range Andrew Scull
2022-03-25 7:14 ` Bin Meng
2022-03-25 10:26 ` Andrew Scull
2022-03-20 11:41 ` [PATCH 10/11] virtio: pci: Check mapped range is in a PCI region Andrew Scull
2022-03-25 7:14 ` Bin Meng
2022-03-20 11:41 ` [PATCH 11/11] virtio: pci: Allow exclusion of legacy driver Andrew Scull
2022-03-25 7:14 ` Bin Meng