[Qemu-devel] [PULL 20/21] m25p80: don't let rogue SPI controllers cause

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] [PULL 20/21] m25p80: don't let rogue SPI controllers cause

From:	Peter Maydell
Subject:	[Qemu-devel] [PULL 20/21] m25p80: don't let rogue SPI controllers cause buffer overruns
Date:	Mon, 9 Jan 2017 11:53:43 +0000

From: Jean-Christophe Dubois <address@hidden>

In normal operation we should never attempt to put more
data into the data[] array than it can hold. However if the
SPI controller connected to us misbehaves then it can send
us a sequence of commands that attempt this. Since the
controller might be in the guest (if the hardware does SPI
via bit-banging), catch the possible overrun conditions and
reset the flash internal state, logging them as guest errors.

Signed-off-by: Jean-Christophe Dubois <address@hidden>
Message-id: address@hidden
Reviewed-by: Peter Maydell <address@hidden>
[PMM: rewrote commit message to be more exact about when
 this can happen]
Signed-off-by: Peter Maydell <address@hidden>
---
 hw/block/m25p80.c | 29 +++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/hw/block/m25p80.c b/hw/block/m25p80.c
index e3c1166..4c5f8c3 100644
--- a/hw/block/m25p80.c
+++ b/hw/block/m25p80.c
@@ -28,6 +28,7 @@
 #include "hw/ssi/ssi.h"
 #include "qemu/bitops.h"
 #include "qemu/log.h"
+#include "qemu/error-report.h"
 #include "qapi/error.h"
 
 #ifndef M25P80_ERR_DEBUG
@@ -377,6 +378,8 @@ typedef enum {
     MAN_GENERIC,
 } Manufacturer;
 
+#define M25P80_INTERNAL_DATA_BUFFER_SZ 16
+
 typedef struct Flash {
     SSISlave parent_obj;
 
@@ -387,7 +390,7 @@ typedef struct Flash {
     int page_size;
 
     uint8_t state;
-    uint8_t data[16];
+    uint8_t data[M25P80_INTERNAL_DATA_BUFFER_SZ];
     uint32_t len;
     uint32_t pos;
     uint8_t needed_bytes;
@@ -1115,6 +1118,17 @@ static uint32_t m25p80_transfer8(SSISlave *ss, uint32_t 
tx)
 
     case STATE_COLLECTING_DATA:
     case STATE_COLLECTING_VAR_LEN_DATA:
+
+        if (s->len >= M25P80_INTERNAL_DATA_BUFFER_SZ) {
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "M25P80: Write overrun internal data buffer. "
+                          "SPI controller (QEMU emulator or guest driver) "
+                          "is misbehaving\n");
+            s->len = s->pos = 0;
+            s->state = STATE_IDLE;
+            break;
+        }
+
         s->data[s->len] = (uint8_t)tx;
         s->len++;
 
@@ -1124,6 +1138,17 @@ static uint32_t m25p80_transfer8(SSISlave *ss, uint32_t 
tx)
         break;
 
     case STATE_READING_DATA:
+
+        if (s->pos >= M25P80_INTERNAL_DATA_BUFFER_SZ) {
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "M25P80: Read overrun internal data buffer. "
+                          "SPI controller (QEMU emulator or guest driver) "
+                          "is misbehaving\n");
+            s->len = s->pos = 0;
+            s->state = STATE_IDLE;
+            break;
+        }
+
         r = s->data[s->pos];
         s->pos++;
         if (s->pos == s->len) {
@@ -1196,7 +1221,7 @@ static const VMStateDescription vmstate_m25p80 = {
     .pre_save = m25p80_pre_save,
     .fields = (VMStateField[]) {
         VMSTATE_UINT8(state, Flash),
-        VMSTATE_UINT8_ARRAY(data, Flash, 16),
+        VMSTATE_UINT8_ARRAY(data, Flash, M25P80_INTERNAL_DATA_BUFFER_SZ),
         VMSTATE_UINT32(len, Flash),
         VMSTATE_UINT32(pos, Flash),
         VMSTATE_UINT8(needed_bytes, Flash),
-- 
2.7.4

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PULL 00/21] target-arm queue, Peter Maydell, 2017/01/09
- [Qemu-devel] [PULL 18/21] hw/arm/virt: remove VirtGuestInfo, Peter Maydell, 2017/01/09
- [Qemu-devel] [PULL 20/21] m25p80: don't let rogue SPI controllers cause buffer overruns, Peter Maydell <=
- [Qemu-devel] [PULL 21/21] hw/ssi/imx_spi.c: Remove MSGDATA register support, Peter Maydell, 2017/01/09
- [Qemu-devel] [PULL 19/21] hw/arm/virt-acpi-build: Don't incorrectly claim architectural timer to be edge-triggered, Peter Maydell, 2017/01/09
- [Qemu-devel] [PULL 17/21] hw/arm/virt-acpi-build: don't save VirtGuestInfo on AcpiBuildState, Peter Maydell, 2017/01/09
- [Qemu-devel] [PULL 14/21] hw/arm/virt: move VirtMachineState/Class to virt.h, Peter Maydell, 2017/01/09
- [Qemu-devel] [PULL 12/21] hw/arm/virt: eliminate struct VirtGuestInfoState, Peter Maydell, 2017/01/09
- [Qemu-devel] [PULL 11/21] hw/arm/virt: use VirtMachineState.gic_version, Peter Maydell, 2017/01/09
- [Qemu-devel] [PULL 09/21] hw/arm/virt-acpi-build: fadt: improve flag naming, Peter Maydell, 2017/01/09
- [Qemu-devel] [PULL 07/21] hw/arm/virt-acpi-build: name GIC CPU Interface Structure appropriately, Peter Maydell, 2017/01/09
- [Qemu-devel] [PULL 15/21] hw/arm/virt: pass VirtMachineState instead of VirtGuestInfo, Peter Maydell, 2017/01/09
- [Qemu-devel] [PULL 05/21] hw/arm/virt: Don't incorrectly claim architectural timer to be edge-triggered, Peter Maydell, 2017/01/09

Prev by Date: [Qemu-devel] [PULL 18/21] hw/arm/virt: remove VirtGuestInfo
Next by Date: [Qemu-devel] [PULL 21/21] hw/ssi/imx_spi.c: Remove MSGDATA register support
Previous by thread: [Qemu-devel] [PULL 18/21] hw/arm/virt: remove VirtGuestInfo
Next by thread: [Qemu-devel] [PULL 21/21] hw/ssi/imx_spi.c: Remove MSGDATA register support
Index(es):
- Date
- Thread