Date: Thu, 21 Apr 2022 16:11:03 +0000
In-Reply-To: <20220421161116.1202023-1-ascull@google.com>
Message-Id: <20220421161116.1202023-6-ascull@google.com>
References: <20220421161116.1202023-1-ascull@google.com>
Subject: [PATCH v3 05/18] virtio: pci: Check virtio common config size
From: Andrew Scull
To: u-boot@lists.denx.de
Cc: sjg@chromium.org, bmeng.cn@gmail.com, trini@konsulko.com, Andrew Scull

Check that the common config is at least as large as the struct it is
expected to contain. Only then is it safe to cast the pointer and be
safe from out-of-bounds accesses.

Signed-off-by: Andrew Scull
Reviewed-by: Bin Meng
--- drivers/virtio/virtio_pci_modern.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/virtio/virtio_pci_modern.c b/drivers/virtio/virtio_pci_modern.c index 7dd58aa0f4..2c1b0ebfce 100644 --- a/drivers/virtio/virtio_pci_modern.c +++ b/drivers/virtio/virtio_pci_modern.c @@ -480,6 +480,7 @@ static int virtio_pci_probe(struct udevice *udev) u16 subvendor; u8 revision; int common, notify, device; + u32 common_length; int offset; /* We only own devices >= 0x1040 and <= 0x107f: leave the rest. */ @@ -501,6 +502,13 @@ static int virtio_pci_probe(struct udevice *udev) return -ENODEV; } + offset = common + offsetof(struct virtio_pci_cap, length); + dm_pci_read_config32(udev, offset, &common_length); + if (common_length < sizeof(struct virtio_pci_common_cfg)) { + printf("(%s): virtio common config too small\n", udev->name); + return -EINVAL; + } + /* If common is there, notify should be too */ notify = virtio_pci_find_capability(udev, VIRTIO_PCI_CAP_NOTIFY_CFG); if (!notify) { -- 2.36.0.rc2.479.g8af0fa9b8e-goog
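
Review bot: `u32 common_length;` in the first hunk (@@ -480) has no initializer and is only written through the out-parameter of dm_pci_read_config32() later in the function. Initializing it to 0 makes the new size check fail closed should that read leave it untouched.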
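
Review bot: The return value of dm_pci_read_config32() is discarded in the second hunk (@@ -501), so if the config read fails, the size comparison runs on whatever is in common_length. Capture the result and return it on error before the `common_length < sizeof(struct virtio_pci_common_cfg)` test. The "too small" message would also be easier to act on if it printed the length that was read next to the minimum expected.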