From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 104F2C43334 for ; Sun, 3 Jul 2022 10:48:35 +0000 (UTC) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 549F48443D; Sun, 3 Jul 2022 12:48:33 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=kernel.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=kernel.org header.i=@kernel.org header.b="mtAdBcKu"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id AB12C8428F; Sun, 3 Jul 2022 12:48:31 +0200 (CEST) Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 2DB0F8443D for ; Sun, 3 Jul 2022 12:48:28 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=kernel.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=pali@kernel.org Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id A445EB80092; Sun, 3 Jul 2022 10:48:27 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4E1D8C341C6; Sun, 3 Jul 2022 10:48:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1656845306; bh=xgnWDfNZ5AsgNRYeNtbz9/Gzoy/BHWpJuPuhUJ22OWw=; h=From:To:Cc:Subject:Date:From; b=mtAdBcKu+SSCew43UKf6CfqnukpmlmTBHIG83sBU1w03m7xgYLVmqwtO/7UVbE2/G IRDTcllYUvxcpskQwELUreJmu8p/wCun3Q9N5J5X+dGHPLhm0UUDMpsScPlX4n9WyW yLBV0na+rf0+6dLaDKjo44jAZGvMr7ki6m9AUGFLDls0/964s4uXcHd098qAVxQK6e EEHHLCXDrxghYUze6wTmIqtc2vfGcikt1xZMiEMDrulvjA3GO7JBK8thssJoA1z/Yn D3hzWstB7ywI/OFzJJuLj2W41zSK9QbNdFyWm1OPY9xv6wqc3/EUJ+bEXc2Snthf4l zS/cveMxfdgbA== Received: by pali.im (Postfix) id C054411B0; Sun, 3 Jul 2022 12:48:23 +0200 (CEST) From: =?UTF-8?q?Pali=20Roh=C3=A1r?= To: Stefan Roese , Bin Meng , Simon Glass Cc: u-boot@lists.denx.de Subject: [PATCH] pci: Add checks to prevent config space overflow Date: Sun, 3 Jul 2022 12:48:06 +0200 Message-Id: <20220703104806.27192-1-pali@kernel.org> X-Mailer: git-send-email 2.20.1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.6 at phobos.denx.de X-Virus-Status: Clean PCIe config space has address range 0-4095. So do not allow reading from addresses outside of this range. Lot of U-Boot drivers do not expect that passed value is not in this range. PCI DM read function is exetended to fill read value to all ones or zeros when it fails as U-Boot callers ignores return value. Calling U-Boot command 'pci display.b 0.0.0 0 0x2000' now stops printing config space at the end (before 0x1000 address). Signed-off-by: Pali Rohár --- cmd/pci.c | 16 ++++++++++++++-- drivers/pci/pci-uclass.c | 10 +++++++++- 2 files changed, 23 insertions(+), 3 deletions(-) diff --git a/cmd/pci.c b/cmd/pci.c index a99e8f8ad6e0..6258699fec81 100644 --- a/cmd/pci.c +++ b/cmd/pci.c @@ -358,6 +358,9 @@ static int pci_cfg_display(struct udevice *dev, ulong addr, if (length == 0) length = 0x40 / byte_size; /* Standard PCI config space */ + if (addr >= 4096) + return 1; + /* Print the lines. * once, and all accesses are with the specified bus width. */ @@ -378,7 +381,10 @@ static int pci_cfg_display(struct udevice *dev, ulong addr, rc = 1; break; } - } while (nbytes > 0); + } while (nbytes > 0 && addr < 4096); + + if (rc == 0 && nbytes > 0) + return 1; return (rc); } @@ -390,6 +396,9 @@ static int pci_cfg_modify(struct udevice *dev, ulong addr, ulong size, int nbytes; ulong val; + if (addr >= 4096) + return 1; + /* Print the address, followed by value. Then accept input for * the next value. A non-converted value exits. */ @@ -427,7 +436,10 @@ static int pci_cfg_modify(struct udevice *dev, ulong addr, ulong size, addr += size; } } - } while (nbytes); + } while (nbytes && addr < 4096); + + if (nbytes) + return 1; return 0; } diff --git a/drivers/pci/pci-uclass.c b/drivers/pci/pci-uclass.c index 89245a271e16..7402079471c8 100644 --- a/drivers/pci/pci-uclass.c +++ b/drivers/pci/pci-uclass.c @@ -288,6 +288,8 @@ int pci_bus_write_config(struct udevice *bus, pci_dev_t bdf, int offset, ops = pci_get_ops(bus); if (!ops->write_config) return -ENOSYS; + if (offset < 0 || offset >= 4096) + return -EINVAL; return ops->write_config(bus, bdf, offset, value, size); } @@ -366,8 +368,14 @@ int pci_bus_read_config(const struct udevice *bus, pci_dev_t bdf, int offset, struct dm_pci_ops *ops; ops = pci_get_ops(bus); - if (!ops->read_config) + if (!ops->read_config) { + *valuep = pci_conv_32_to_size(~0, offset, size); return -ENOSYS; + } + if (offset < 0 || offset >= 4096) { + *valuep = pci_conv_32_to_size(0, offset, size); + return -EINVAL; + } return ops->read_config(bus, bdf, offset, valuep, size); } -- 2.20.1