From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <u-boot-bounces@lists.denx.de>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from phobos.denx.de (phobos.denx.de [85.214.62.61])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.lore.kernel.org (Postfix) with ESMTPS id 36DEDC433FE
	for <u-boot@archiver.kernel.org>; Mon, 16 May 2022 10:44:25 +0000 (UTC)
Received: from h2850616.stratoserver.net (localhost [IPv6:::1])
	by phobos.denx.de (Postfix) with ESMTP id 6FB22841A5;
	Mon, 16 May 2022 12:43:48 +0200 (CEST)
Authentication-Results: phobos.denx.de; dmarc=pass (p=reject dis=none) header.from=google.com
Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de
Authentication-Results: phobos.denx.de;
	dkim=pass (2048-bit key; unprotected) header.d=google.com header.i=@google.com header.b="jrKeROFf";
	dkim-atps=neutral
Received: by phobos.denx.de (Postfix, from userid 109)
 id 199E28425A; Mon, 16 May 2022 12:42:40 +0200 (CEST)
Received: from mail-wm1-x34a.google.com (mail-wm1-x34a.google.com
 [IPv6:2a00:1450:4864:20::34a])
 (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))
 (No client certificate requested)
 by phobos.denx.de (Postfix) with ESMTPS id 614E484258
 for <u-boot@lists.denx.de>; Mon, 16 May 2022 12:42:16 +0200 (CEST)
Authentication-Results: phobos.denx.de;
 dmarc=pass (p=reject dis=none) header.from=google.com
Authentication-Results: phobos.denx.de; spf=pass
 smtp.mailfrom=3hyqCYgYKBv4gyi0rrmuumrk.ius0-huuzroyzy.jkt3.jk@flex--ascull.bounces.google.com
Received: by mail-wm1-x34a.google.com with SMTP id
 n26-20020a1c721a000000b003941ea1ced7so5444346wmc.7
 for <u-boot@lists.denx.de>; Mon, 16 May 2022 03:42:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112;
 h=date:in-reply-to:message-id:mime-version:references:subject:from:to
 :cc; bh=d68FBRezfBojWwTDtkf7TM/MHDb0/Xhv3IL6TEeixDE=;
 b=jrKeROFfbI4G4sWKEDDsaN8b496oDrQSDxtmob5fC9w3sh7c19qTRAG0DitCJqN7SW
 d3HaK77evqSbDRbkUFC+0LCsBR2XzHWYulk5Ryyw+weTMF4TrOE9m2NuSvTcnEQUG6kS
 CmHR85CEZaE3T3i0P2eG+VrU3K5w8V8oXPcCoWdafC5WjcGw1Uq1EQL5IKJ7q3vlaQT3
 cITLFovBbzttIefuGy7L3EcxkGpZ7lPZkfFuzQ8NHsVBXMN+BZ8t8c7b/WHSpKicBKsD
 UxZ0TyBk9XRIk3WqM3LkQo8LvuoBfIfVD08jdubnivE0qgvHAGPDv3hBbKwKev6TSsjS
 Gheg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:date:in-reply-to:message-id:mime-version
 :references:subject:from:to:cc;
 bh=d68FBRezfBojWwTDtkf7TM/MHDb0/Xhv3IL6TEeixDE=;
 b=So6NGkNHmLuobrwyYrlaGoTkQDkjIR1vYsznsCPMPKCqaCT+ltTm2qQLdyAnHkno4t
 d03MFUlJwEm9Vl+GZhkXnzkV5JrSIsP3/X3AI7xndIVwMNJKLxwVWs787A8fB7yalGjY
 FcDdMAg3F1g4kA3UpwQeEH74bbYZ2/1JQigoPDA5mqtrtBSzUXwK/9WaL2fx2UEy7hD7
 1hEia1uDsU3dRbB1EZcA6i0f0LDOzUPHb3SbfswA6FVaYHa9KjGqpriLWB8vD+PUONC8
 j3NRD4pwaN8pk8IPyIvMqpmxo36aywgPSULlXI9hZ0dZ8J4Fs6yhNl3ecxgp0SrLbqpl
 KgrQ==
X-Gm-Message-State: AOAM532kj1vlKHQ6Q9IGmjBHatfCTTz+V9LfKQcIvHLHyLgRTn6NhzC1
 3+UFP9A+a3Nvc6Bu41wuU1nyyb3VGhvVWSoAlZWKyoG4GM3US7M5B/0Dom0INdhDXHjKvNzRnds
 NOd5Fs+7u0UEZK5TLMdEvdzkX8KHvmZOkSVMjBy1Aa+vfGfDminnJ/RxDlzA=
X-Google-Smtp-Source: ABdhPJzfpXBJnr41dNmmyUnVN2Ee1XZllKeaYWwhYfRSLRiPgVgOcCbiTv8DSq/mKdzg99puyuT4Fe6lQxY=
X-Received: from ascull.c.googlers.com ([fda3:e722:ac3:cc00:28:9cb1:c0a8:1510])
 (user=ascull job=sendgmr) by 2002:a05:600c:a45:b0:346:5e67:cd54 with SMTP id
 c5-20020a05600c0a4500b003465e67cd54mr27067507wmq.127.1652697735312; Mon, 16
 May 2022 03:42:15 -0700 (PDT)
Date: Mon, 16 May 2022 10:41:39 +0000
In-Reply-To: <20220516104140.1047229-1-ascull@google.com>
Message-Id: <20220516104140.1047229-12-ascull@google.com>
Mime-Version: 1.0
References: <20220516104140.1047229-1-ascull@google.com>
X-Mailer: git-send-email 2.36.0.550.gb090851708-goog
Subject: [PATCH v3 11/12] virtio: rng: Check length before copying
From: Andrew Scull <ascull@google.com>
To: u-boot@lists.denx.de
Cc: sjg@chromium.org, trini@konsulko.com, bmeng.cn@gmail.com, 
 Andrew Scull <ascull@google.com>, Sughosh Ganu <sughosh.ganu@linaro.org>
Content-Type: text/plain; charset="UTF-8"
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <https://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=subscribe>
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
X-Virus-Scanned: clamav-milter 0.103.5 at phobos.denx.de
X-Virus-Status: Clean

Check the length of data written by the device is consistent with the
size of the buffers to avoid out-of-bounds memory accesses in case
values aren't consistent.

Signed-off-by: Andrew Scull <ascull@google.com>
Cc: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
---
 drivers/virtio/virtio_rng.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/virtio/virtio_rng.c b/drivers/virtio/virtio_rng.c
index 9314c0a03e..b85545c2ee 100644
--- a/drivers/virtio/virtio_rng.c
+++ b/drivers/virtio/virtio_rng.c
@@ -41,6 +41,9 @@ static int virtio_rng_read(struct udevice *dev, void *data, size_t len)
 		while (!virtqueue_get_buf(priv->rng_vq, &rsize))
 			;
 
+		if (rsize > sg.length)
+			return -EIO;
+
 		memcpy(ptr, buf, rsize);
 		len -= rsize;
 		ptr += rsize;
-- 
2.36.0.550.gb090851708-goog