Date: Sun, 20 Mar 2022 11:41:11 +0000
In-Reply-To: <20220320114118.2237795-1-ascull@google.com>
Message-Id: <20220320114118.2237795-5-ascull@google.com>
References: <20220320114118.2237795-1-ascull@google.com>
Subject: [PATCH 04/11] virtio: pci: Check virtio common config size
From: Andrew Scull To: u-boot@lists.denx.de Cc: sjg@chromium.org, bmeng.cn@gmail.com, adelva@google.com, keirf@google.com, ptosi@google.com, Andrew Scull Content-Type: text/plain; charset="UTF-8" X-Mailman-Approved-At: Sun, 20 Mar 2022 12:43:23 +0100 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.5 at phobos.denx.de X-Virus-Status: Clean Check that the common config is at least as large as the struct it is expected to contain. Only then is it safe to cast the pointer and be safe from out-of-bounds accesses. Signed-off-by: Andrew Scull --- drivers/virtio/virtio_pci_modern.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/virtio/virtio_pci_modern.c b/drivers/virtio/virtio_pci_modern.c index 60bdc53a6d..3403ff5cca 100644 --- a/drivers/virtio/virtio_pci_modern.c +++ b/drivers/virtio/virtio_pci_modern.c @@ -475,6 +475,7 @@ static int virtio_pci_probe(struct udevice *udev) u16 subvendor; u8 revision; int common, notify, device; + u32 common_length; int offset; /* We only own devices >= 0x1040 and <= 0x107f: leave the rest. */ @@ -496,6 +497,13 @@ static int virtio_pci_probe(struct udevice *udev) return -ENODEV; } + offset = common + offsetof(struct virtio_pci_cap, length); + dm_pci_read_config32(udev, offset, &common_length); + if (common_length < sizeof(struct virtio_pci_common_cfg)) { + printf("(%s): virtio common config too small\n", udev->name); + return -EINVAL; + } + /* If common is there, notify should be too */ notify = virtio_pci_find_capability(udev, VIRTIO_PCI_CAP_NOTIFY_CFG); if (!notify) { -- 2.35.1.894.gb6a874cedc-goog
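Review bot: In the second hunk (@@ -496), the result of dm_pci_read_config32() is discarded, and common_length, which the first hunk declares without an initializer, is compared against sizeof(struct virtio_pci_common_cfg) immediately afterwards. If the config read fails, common_length may be left unset and the size check then runs on an indeterminate value, so the guard this patch adds could pass by accident. Suggest capturing the return value and returning the error before the comparison, or at minimum declaring "u32 common_length = 0;" so that a failed read falls into the "too small" path and the probe returns -EINVAL.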