From: Andrew Scull <ascull@google.com>
To: u-boot@lists.denx.de
Cc: sjg@chromium.org, bmeng.cn@gmail.com, trini@konsulko.com,
Andrew Scull <ascull@google.com>
Subject: [PATCH v3 05/18] virtio: pci: Check virtio common config size
Date: Thu, 21 Apr 2022 16:11:03 +0000
Message-ID: <20220421161116.1202023-6-ascull@google.com>
In-Reply-To: <20220421161116.1202023-1-ascull@google.com>
Check that the common config is at least as large as the struct it is
expected to contain. Only then is it safe to cast the pointer and be
safe from out-of-bounds accesses.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
---
drivers/virtio/virtio_pci_modern.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/virtio/virtio_pci_modern.c b/drivers/virtio/virtio_pci_modern.c
index 7dd58aa0f4..2c1b0ebfce 100644
--- a/drivers/virtio/virtio_pci_modern.c
+++ b/drivers/virtio/virtio_pci_modern.c
@@ -480,6 +480,7 @@ static int virtio_pci_probe(struct udevice *udev)
u16 subvendor;
u8 revision;
int common, notify, device;
+ u32 common_length;
int offset;
/* We only own devices >= 0x1040 and <= 0x107f: leave the rest. */
@@ -501,6 +502,13 @@ static int virtio_pci_probe(struct udevice *udev)
return -ENODEV;
}
+ offset = common + offsetof(struct virtio_pci_cap, length);
+ dm_pci_read_config32(udev, offset, &common_length);
+ if (common_length < sizeof(struct virtio_pci_common_cfg)) {
+ printf("(%s): virtio common config too small\n", udev->name);
+ return -EINVAL;
+ }
+
/* If common is there, notify should be too */
notify = virtio_pci_find_capability(udev, VIRTIO_PCI_CAP_NOTIFY_CFG);
if (!notify) {
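Review bot: the return value of dm_pci_read_config32() is discarded, so if the config-space read fails, common_length holds whatever was on the stack and the size comparison that follows is made against an unknown value. Suggest guarding the read before the comparison, e.g. `ret = dm_pci_read_config32(udev, offset, &common_length);` followed by `if (ret) return ret;`. The check itself is the right one: comparing the capability's advertised length against sizeof(struct virtio_pci_common_cfg) before the pointer is ever cast is what keeps later field accesses inside the region the device actually described.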
--
2.36.0.rc2.479.g8af0fa9b8e-goog
Thread overview:
2022-04-21 16:10 [PATCH v3 00/18] virtio: pci: Add and fix consistency checks Andrew Scull
2022-04-21 16:10 ` [PATCH v3 01/18] virtio: pci: Allow exclusion of legacy driver Andrew Scull
2022-05-03 23:10 ` Tom Rini
2022-04-21 16:11 ` [PATCH v3 02/18] virtio: pci: Fix discovery of device config length Andrew Scull
2022-04-21 16:11 ` [PATCH v3 03/18] virtio: pci: Bounds check device config access Andrew Scull
2022-04-21 16:11 ` [PATCH v3 04/18] virtio: pci: Bounds check notification writes Andrew Scull
2022-04-21 16:11 ` Andrew Scull [this message]
2022-04-21 16:11 ` [PATCH v3 06/18] virtio: pci: Check virtio capability is in bounds Andrew Scull
2022-04-21 16:11 ` [PATCH v3 07/18] virtio: pci: Read entire capability into memory Andrew Scull
2022-04-21 16:11 ` [PATCH v3 08/18] pci: Fix use of flags in dm_pci_map_bar() Andrew Scull
2022-04-22 6:37 ` Bin Meng
2022-04-21 16:11 ` [PATCH v3 09/18] pci: Check region ranges are addressable Andrew Scull
2022-04-21 16:11 ` [PATCH v3 10/18] pci: Range check address conversions Andrew Scull
2022-04-21 16:11 ` [PATCH v3 11/18] test: pci: Test PCI address conversion functions Andrew Scull
2022-04-22 6:50 ` Bin Meng
2022-04-21 16:11 ` [PATCH v3 12/18] pci: Map bars with offset and length Andrew Scull
2022-04-22 6:52 ` Bin Meng
2022-04-21 16:11 ` [PATCH v3 13/18] pci: Match region flags using a mask Andrew Scull
2022-04-21 16:11 ` [PATCH v3 14/18] pci: Update dm_pci_bus_to_virt() parameters Andrew Scull
2022-04-22 7:38 ` Bin Meng
2022-04-21 16:11 ` [PATCH v3 15/18] pci: Add mask parameter to dm_pci_map_bar() Andrew Scull
2022-04-22 7:39 ` Bin Meng
2022-04-21 16:11 ` [PATCH v3 16/18] virtio: pci: Check virtio configs are mapped Andrew Scull
2022-04-21 16:11 ` [PATCH v3 17/18] virtio: pci: Make use of dm_pci_map_bar() Andrew Scull
2022-04-21 16:11 ` [PATCH v3 18/18] pci: Add config for Enhanced Allocation Andrew Scull