Re: [PATCH] pci: Add checks to prevent config space overflow

public inbox for u-boot@lists.denx.de
 help / color / mirror / Atom feed

From: Stefan Roese <sr@denx.de>
To: "Pali Rohár" <pali@kernel.org>, "Bin Meng" <bmeng.cn@gmail.com>,
	"Simon Glass" <sjg@chromium.org>
Cc: u-boot@lists.denx.de
Subject: Re: [PATCH] pci: Add checks to prevent config space overflow
Date: Mon, 4 Jul 2022 08:00:23 +0200	[thread overview]
Message-ID: <b79c7a13-e9bd-749a-acb7-34f06599072d@denx.de> (raw)
In-Reply-To: <20220703104806.27192-1-pali@kernel.org>

On 03.07.22 12:48, Pali Rohár wrote:
> PCIe config space has address range 0-4095. So do not allow reading from
> addresses outside of this range. Lot of U-Boot drivers do not expect that
> passed value is not in this range. PCI DM read function is exetended to

s/exetended/extended

> fill read value to all ones or zeros when it fails as U-Boot callers
> ignores return value.
> 
> Calling U-Boot command 'pci display.b 0.0.0 0 0x2000' now stops printing
> config space at the end (before 0x1000 address).
> 
> Signed-off-by: Pali Rohár <pali@kernel.org>
> ---
>   cmd/pci.c                | 16 ++++++++++++++--
>   drivers/pci/pci-uclass.c | 10 +++++++++-
>   2 files changed, 23 insertions(+), 3 deletions(-)
> 
> diff --git a/cmd/pci.c b/cmd/pci.c
> index a99e8f8ad6e0..6258699fec81 100644
> --- a/cmd/pci.c
> +++ b/cmd/pci.c
> @@ -358,6 +358,9 @@ static int pci_cfg_display(struct udevice *dev, ulong addr,
>   	if (length == 0)
>   		length = 0x40 / byte_size; /* Standard PCI config space */
>   
> +	if (addr >= 4096)
> +		return 1;
> +
>   	/* Print the lines.
>   	 * once, and all accesses are with the specified bus width.
>   	 */
> @@ -378,7 +381,10 @@ static int pci_cfg_display(struct udevice *dev, ulong addr,
>   			rc = 1;
>   			break;
>   		}
> -	} while (nbytes > 0);
> +	} while (nbytes > 0 && addr < 4096);
> +
> +	if (rc == 0 && nbytes > 0)
> +		return 1;
>   
>   	return (rc);
>   }
> @@ -390,6 +396,9 @@ static int pci_cfg_modify(struct udevice *dev, ulong addr, ulong size,
>   	int	nbytes;
>   	ulong val;
>   
> +	if (addr >= 4096)
> +		return 1;
> +
>   	/* Print the address, followed by value.  Then accept input for
>   	 * the next value.  A non-converted value exits.
>   	 */
> @@ -427,7 +436,10 @@ static int pci_cfg_modify(struct udevice *dev, ulong addr, ulong size,
>   					addr += size;
>   			}
>   		}
> -	} while (nbytes);
> +	} while (nbytes && addr < 4096);
> +
> +	if (nbytes)
> +		return 1;
>   
>   	return 0;
>   }
> diff --git a/drivers/pci/pci-uclass.c b/drivers/pci/pci-uclass.c
> index 89245a271e16..7402079471c8 100644
> --- a/drivers/pci/pci-uclass.c
> +++ b/drivers/pci/pci-uclass.c
> @@ -288,6 +288,8 @@ int pci_bus_write_config(struct udevice *bus, pci_dev_t bdf, int offset,
>   	ops = pci_get_ops(bus);
>   	if (!ops->write_config)
>   		return -ENOSYS;
> +	if (offset < 0 || offset >= 4096)
> +		return -EINVAL;
>   	return ops->write_config(bus, bdf, offset, value, size);
>   }
>   
> @@ -366,8 +368,14 @@ int pci_bus_read_config(const struct udevice *bus, pci_dev_t bdf, int offset,
>   	struct dm_pci_ops *ops;
>   
>   	ops = pci_get_ops(bus);
> -	if (!ops->read_config)
> +	if (!ops->read_config) {
> +		*valuep = pci_conv_32_to_size(~0, offset, size);
>   		return -ENOSYS;
> +	}
> +	if (offset < 0 || offset >= 4096) {
> +		*valuep = pci_conv_32_to_size(0, offset, size);
> +		return -EINVAL;
> +	}

How about introducing a macro for this 4096 max value instead?

Other than this:

Reviewed-by: Stefan Roese <sr@denx.de>

Thanks,
Stefan

next prev parent reply	other threads:[~2022-07-04  6:00 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-07-03 10:48 [PATCH] pci: Add checks to prevent config space overflow Pali Rohár
2022-07-04  6:00 ` Stefan Roese [this message]
2022-08-17 21:09   ` Pali Rohár
2022-08-27 12:06 ` Tom Rini

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=b79c7a13-e9bd-749a-acb7-34f06599072d@denx.de \
    --to=sr@denx.de \
    --cc=bmeng.cn@gmail.com \
    --cc=pali@kernel.org \
    --cc=sjg@chromium.org \
    --cc=u-boot@lists.denx.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox