Date: Thu, 21 Apr 2022 16:11:04 +0000
In-Reply-To: <20220421161116.1202023-1-ascull@google.com>
Message-Id: <20220421161116.1202023-7-ascull@google.com>
References: <20220421161116.1202023-1-ascull@google.com>
Subject: [PATCH v3 06/18] virtio: pci: Check virtio capability is in bounds
From: Andrew Scull
To: u-boot@lists.denx.de
Cc: sjg@chromium.org, bmeng.cn@gmail.com, trini@konsulko.com, Andrew Scull
List-Id: U-Boot discussion

Ensure the virtio PCI capabilities are contained within the bounds of the device's configuration space. The expected size of the capability is passed when searching for the capability to enforce this check.

Signed-off-by: Andrew Scull
Reviewed-by: Bin Meng
---
 drivers/virtio/virtio_pci_modern.c | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/drivers/virtio/virtio_pci_modern.c b/drivers/virtio/virtio_pci_modern.c
index 2c1b0ebfce..6fe5e76572 100644
--- a/drivers/virtio/virtio_pci_modern.c
+++ b/drivers/virtio/virtio_pci_modern.c
@@ -397,18 +397,27 @@ static int virtio_pci_notify(struct udevice *udev, struct virtqueue *vq) * * @udev: the transport device * @cfg_type: the VIRTIO_PCI_CAP_* value we seek + * @cap_size: expected size of the capability * * Return: offset of the configuration structure */ -static int virtio_pci_find_capability(struct udevice *udev, u8 cfg_type) +static int virtio_pci_find_capability(struct udevice *udev, u8 cfg_type, + size_t cap_size) { int pos; int offset; u8 type, bar; + assert(cap_size >= sizeof(struct virtio_pci_cap)); + assert(cap_size <= PCI_CFG_SPACE_SIZE); + for (pos = dm_pci_find_capability(udev, PCI_CAP_ID_VNDR); pos > 0; pos = dm_pci_find_next_capability(udev, pos, PCI_CAP_ID_VNDR)) { + /* Ensure the capability is within bounds */ + if (PCI_CFG_SPACE_SIZE - cap_size < pos) + return 0; + offset = pos + offsetof(struct virtio_pci_cap, cfg_type); dm_pci_read_config8(udev, offset, &type); offset = pos + offsetof(struct virtio_pci_cap, bar); @@ -496,7 +505,8 @@ static int virtio_pci_probe(struct udevice *udev) uc_priv->vendor = subvendor; /* Check for a common config: if not, use legacy mode (bar 0) */ - common = virtio_pci_find_capability(udev, VIRTIO_PCI_CAP_COMMON_CFG); + common = virtio_pci_find_capability(udev, VIRTIO_PCI_CAP_COMMON_CFG, + sizeof(struct virtio_pci_cap)); if (!common) { printf("(%s): leaving for legacy driver\n", udev->name); return -ENODEV; @@ -510,7 +520,8 @@ static int virtio_pci_probe(struct udevice *udev) } /* If common is there, notify should be too */ - notify = virtio_pci_find_capability(udev, VIRTIO_PCI_CAP_NOTIFY_CFG); + notify = virtio_pci_find_capability(udev, VIRTIO_PCI_CAP_NOTIFY_CFG, + sizeof(struct virtio_pci_notify_cap)); if (!notify) { printf("(%s): missing capabilities %i/%i\n", udev->name, common, notify); 
@@ -524,7 +535,8 @@ static int virtio_pci_probe(struct udevice *udev) * Device capability is only mandatory for devices that have * device-specific configuration. */ - device = virtio_pci_find_capability(udev, VIRTIO_PCI_CAP_DEVICE_CFG); + device = virtio_pci_find_capability(udev, VIRTIO_PCI_CAP_DEVICE_CFG, + sizeof(struct virtio_pci_cap)); if (device) { offset = device + offsetof(struct virtio_pci_cap, length); dm_pci_read_config32(udev, offset, &priv->device_len); -- 2.36.0.rc2.479.g8af0fa9b8e-goog
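Review bot: in the first hunk, the new bounds check in virtio_pci_find_capability runs before cfg_type is read, so the full cap_size is enforced against every vendor capability in the list rather than only the one being looked for, and `return 0` ends the search at the first entry that fails. Vendor capabilities of other types are not required to be cap_size bytes long, so a legitimately shorter entry placed near the end of the 256-byte space would abort a search for a capability that sits later in the list and is itself in bounds. A safer shape is to check `sizeof(struct virtio_pci_cap)` for every entry, which is enough to read cfg_type, bar and the next pointer safely, and to apply cap_size only once the type read from the entry matches cfg_type. Two smaller points: `PCI_CFG_SPACE_SIZE - cap_size < pos` mixes size_t and int, and `pos + cap_size > PCI_CFG_SPACE_SIZE` reads more naturally with the asserts above already ruling out overflow; and returning 0 makes a malformed list indistinguishable from a missing capability at the call sites, so a debug() print before the return would help when a device unexpectedly falls back to the legacy driver.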
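Review bot: for the device capability hunk, the cap_size passed here covers only the virtio_pci_cap header, so the read of `length` that follows is now known to stay inside configuration space; the offset and length values themselves still describe a region of the BAR and need checking against that BAR's size before the driver dereferences them, if that is not already done elsewhere in the series.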