[PULL 10/67] ppc/pnv: ADU fix possible buffer overrun with invalid size
From: Nicholas Piggin
Subject: [PULL 10/67] ppc/pnv: ADU fix possible buffer overrun with invalid size
Date: Mon, 4 Nov 2024 10:17:59 +1000
The ADU LPC transfer-size field is 7 bits, but the supported sizes for
LPC access via ADU appear to be 1, 2, 4, 8. The data buffer could
overrun if firmware set an invalid size field, so add checks to reject
them with a message.
Cc: qemu-stable@nongnu.org
Reported-by: Cédric Le Goater <clg@redhat.com>
Resolves: Coverity CID 1558830
Fixes: 24bd283bccb33 ("ppc/pnv: Implement ADU access to LPC space")
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
---
hw/ppc/pnv_adu.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/hw/ppc/pnv_adu.c b/hw/ppc/pnv_adu.c
index 81b7d6e526..f636dedf79 100644
--- a/hw/ppc/pnv_adu.c
+++ b/hw/ppc/pnv_adu.c
@@ -116,6 +116,12 @@ static void pnv_adu_xscom_write(void *opaque, hwaddr addr,
uint64_t val,
uint32_t lpc_size = lpc_cmd_size(adu);
uint64_t data = 0;
+ if (!is_power_of_2(lpc_size) || lpc_size > sizeof(data)) {
+ qemu_log_mask(LOG_GUEST_ERROR, "ADU: Unsupported LPC access "
+ "size:%" PRId32 "\n", lpc_size);
+ break;
+ }
+
pnv_lpc_opb_read(adu->lpc, lpc_addr, (void *)&data, lpc_size);
/*
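Review bot: `lpc_size` is declared `uint32_t` two lines above, but the `qemu_log_mask()` format uses `PRId32`; use `PRIu32` so the conversion specifier matches the unsigned type (the value is at most 127 here so the output is the same, but the mismatch is what `-Wformat-signedness` flags). The rejection itself looks right: QEMU's `is_power_of_2()` returns false for 0, and `sizeof(data)` is 8, so exactly the sizes 1, 2, 4 and 8 named in the commit message pass. Since the `break` leaves the read path before `pnv_lpc_opb_read()`, it is worth confirming in the code after the switch (outside this hunk) that the command status firmware polls for is still updated for a rejected command.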
@@ -135,6 +141,12 @@ static void pnv_adu_xscom_write(void *opaque, hwaddr addr,
uint64_t val,
uint32_t lpc_size = lpc_cmd_size(adu);
uint64_t data;
+ if (!is_power_of_2(lpc_size) || lpc_size > sizeof(data)) {
+ qemu_log_mask(LOG_GUEST_ERROR, "ADU: Unsupported LPC access "
+ "size:%" PRId32 "\n", lpc_size);
+ break;
+ }
+
data = cpu_to_be64(val) >> ((lpc_addr & 7) * 8); /* See above */
pnv_lpc_opb_write(adu->lpc, lpc_addr, (void *)&data, lpc_size);
}
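Review bot: This check is a verbatim copy of the one in the read hunk above; factor it into a small static helper (for example a `lpc_size_valid(lpc_size)` returning bool, name suggested here) so the read and write paths cannot drift apart if the supported sizes change, and the same `PRId32`-for-`uint32_t` point applies: use `PRIu32`. For the buffer itself the check is sufficient on the write side too: the shift by `(lpc_addr & 7) * 8` only drops low bytes of `data`, so a misaligned `lpc_addr` with a valid `lpc_size` never reads past the 8-byte `data` passed to `pnv_lpc_opb_write()`.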
--
2.45.2
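The size check the patch adds, modelled as an added stand-alone C example (not QEMU's code): it keeps the 7-bit size field and the 8-byte data word from the commit message, assumes the field sits in the low bits of the command word (a constructed layout), and reimplements `is_power_of_2()` with QEMU's zero-is-false semantics so a size of 0, 3, 16 or 127 is rejected before anything is copied into `data`.

```c
/* Model of the ADU LPC transfer-size check from the patch above.
 * Added example, not QEMU's code. The 7-bit size field and the 8-byte
 * data word come from the commit message; the position of the field in
 * the command word (ADU_LPC_SIZE_SHIFT) is a constructed assumption. */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ADU_LPC_SIZE_SHIFT 0      /* assumed field position */
#define ADU_LPC_SIZE_MASK  0x7fu  /* 7-bit size field */

/* Same semantics as QEMU's is_power_of_2(): zero is not a power of two. */
static bool is_power_of_2(uint64_t v)
{
    return v && !(v & (v - 1));
}

/* Extract the raw size field; any value 0..127 can arrive from firmware. */
static uint32_t lpc_cmd_size(uint64_t cmd)
{
    return (uint32_t)((cmd >> ADU_LPC_SIZE_SHIFT) & ADU_LPC_SIZE_MASK);
}

/* The check the patch adds: only 1, 2, 4 and 8 fit the 8-byte data word. */
static bool lpc_size_valid(uint32_t lpc_size)
{
    uint64_t data;
    return is_power_of_2(lpc_size) && lpc_size <= sizeof(data);
}

/* Simulated LPC read of lpc_size bytes at lpc_addr into the data word.
 * Returns bytes copied, or -1 when the size is rejected or the source
 * range leaves the modelled LPC space. Without lpc_size_valid() a size
 * such as 127 would memcpy past the end of the 8-byte data word. */
static int adu_lpc_read(uint64_t cmd, const uint8_t *lpc, size_t lpc_len,
                        size_t lpc_addr, uint64_t *out)
{
    uint32_t lpc_size = lpc_cmd_size(cmd);
    uint64_t data = 0;

    if (!lpc_size_valid(lpc_size)) {
        fprintf(stderr, "ADU: Unsupported LPC access size:%" PRIu32 "\n",
                lpc_size);
        return -1;
    }
    if (lpc_addr > lpc_len || lpc_size > lpc_len - lpc_addr) {
        return -1;
    }
    memcpy(&data, lpc + lpc_addr, lpc_size);
    *out = data;
    return (int)lpc_size;
}
```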