From patchwork Thu Jul 30 15:33:42 2015
X-Patchwork-Submitter: Peter Maydell
X-Patchwork-Id: 51701
From: Peter Maydell
To: qemu-devel@nongnu.org
Cc: patches@linaro.org, Aurelien Jarno, Leon Alrae
Subject: [PATCH] hw/pci-host/bonito: Avoid buffer overrun for bad LDMA/COP accesses
Date: Thu, 30 Jul 2015 16:33:42 +0100
Message-Id: <1438270422-18018-1-git-send-email-peter.maydell@linaro.org>
X-Mailer: git-send-email 1.7.10.4

The LDMA and COP memory regions represent four 32 bit registers each, but the memory regions themselves are 0x100 bytes large. Add guards to the read and write accessors so that bogus accesses beyond the four defined registers don't just run off the end of the bonldma and boncop structs and into whatever lies beyond.

Signed-off-by: Peter Maydell
---
I don't have a fulong2e image, so this is compile tested only...

 hw/pci-host/bonito.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/hw/pci-host/bonito.c b/hw/pci-host/bonito.c
index 3a731fe..4139a2c 100644
--- a/hw/pci-host/bonito.c
+++ b/hw/pci-host/bonito.c
@@ -355,6 +355,10 @@ static uint64_t bonito_ldma_readl(void *opaque, hwaddr addr, uint32_t val; PCIBonitoState *s = opaque; + if (addr >= sizeof(s->bonldma)) { + return 0; + } + val = ((uint32_t *)(&s->bonldma))[addr/sizeof(uint32_t)]; return val; @@ -365,6 +369,10 @@ static void bonito_ldma_writel(void *opaque, hwaddr addr, { PCIBonitoState *s = opaque; + if (addr >= sizeof(s->bonldma)) { + return; + } + ((uint32_t *)(&s->bonldma))[addr/sizeof(uint32_t)] = val & 0xffffffff; }
@@ -384,6 +392,10 @@ static uint64_t bonito_cop_readl(void *opaque, hwaddr addr, uint32_t val; PCIBonitoState *s = opaque; + if (addr >= sizeof(s->boncop)) { + return 0; + } + val = ((uint32_t *)(&s->boncop))[addr/sizeof(uint32_t)]; return val; @@ -394,6 +406,10 @@ static void bonito_cop_writel(void *opaque, hwaddr addr, { PCIBonitoState *s = opaque; + if (addr >= sizeof(s->boncop)) { + return; + } + ((uint32_t *)(&s->boncop))[addr/sizeof(uint32_t)] = val & 0xffffffff; }
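Review bot: in the bonito_ldma_readl hunk, silently returning 0 for `addr >= sizeof(s->bonldma)` hides exactly the guest accesses that used to read adjacent PCIBonitoState fields; consider logging them before the `return 0;`, e.g. `qemu_log_mask(LOG_GUEST_ERROR, "bonito: LDMA read at bad offset 0x%" HWADDR_PRIx "\n", addr);`, so that a misbehaving guest shows up in the log instead of just reading zeros.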
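Review bot: the bonito_ldma_writel hunk adds the second of four identical guards (the same `if (addr >= sizeof(...))` block is repeated for bonldma and boncop, read and write), which is easy to let drift apart on a later edit; a small shared helper (hypothetical name: `bonito_reg_in_range(addr, size)`) would keep them in sync. Rejecting the offsets once in the MemoryRegionOps `.valid.accepts` callback is the other option, but that turns the access into an unassigned one from the guest's point of view rather than a zero read or a dropped write, so the inline guards are the safer minimal fix.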
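Review bot: the bonito_cop_readl hunk bounds the index against `sizeof(s->boncop)`, i.e. the four registers, while the commit message says the mapped region stays 0x100 bytes; a one-line comment at the check saying that only the first four words of the region are backed by state and the rest reads as zero would save the next reader from having to rediscover why the bound is the struct size and not the region size.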
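To make the overrun in the commit message concrete, here is an added example (not code from the patch or from QEMU) that models the LDMA bank as a four-register struct followed by enough neighbouring state to cover the 0x100-byte region, and places the pre-patch accessors beside the guarded ones. ModelState, the field names reg and beyond, and the CANARY value are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
typedef uint64_t hwaddr;   /* QEMU's guest physical address type */
#define REGION_SIZE 0x100  /* mapped size of the LDMA/COP regions */
#define CANARY 0xcafef00du /* constructed marker for neighbouring state */

/* Constructed stand-in for the slice of PCIBonitoState that matters: the
 * four-register bank plus whatever follows it, sized so that every offset
 * below REGION_SIZE still lands inside this model object. */
typedef struct {
    struct { uint32_t reg[4]; } bonldma;      /* the 16 real bytes */
    uint32_t beyond[(REGION_SIZE - 16) / 4];  /* 240 bytes of neighbours */
} ModelState;
/* Pre-patch accessors: offsets 0x10..0xfc index straight into 'beyond'. */
static uint32_t unguarded_readl(ModelState *s, hwaddr addr)
{
    return ((uint32_t *)(&s->bonldma))[addr / sizeof(uint32_t)];
}
static void unguarded_writel(ModelState *s, hwaddr addr, uint64_t val)
{
    ((uint32_t *)(&s->bonldma))[addr / sizeof(uint32_t)] = val & 0xffffffff;
}
/* Patched accessors: out-of-range reads return 0, writes are dropped. */
static uint32_t guarded_readl(ModelState *s, hwaddr addr)
{
    if (addr >= sizeof(s->bonldma)) return 0;
    return ((uint32_t *)(&s->bonldma))[addr / sizeof(uint32_t)];
}
static void guarded_writel(ModelState *s, hwaddr addr, uint64_t val)
{
    if (addr >= sizeof(s->bonldma)) return;
    ((uint32_t *)(&s->bonldma))[addr / sizeof(uint32_t)] = val & 0xffffffff;
}
/* Fill the neighbours with CANARY and read 'addr': 1 means neighbouring
 * state was disclosed through the register window. */
static int read_leaks_neighbour(hwaddr addr, int guarded)
{
    ModelState s = {0};
    for (size_t i = 0; i < sizeof(s.beyond) / 4; i++) s.beyond[i] = CANARY;
    return (guarded ? guarded_readl(&s, addr) : unguarded_readl(&s, addr)) == CANARY;
}
/* Write CANARY at 'addr': 1 means state outside the bank was corrupted. */
static int write_escapes_bank(hwaddr addr, int guarded)
{
    ModelState s = {0};
    if (guarded) guarded_writel(&s, addr, CANARY); else unguarded_writel(&s, addr, CANARY);
    for (size_t i = 0; i < sizeof(s.beyond) / 4; i++) if (s.beyond[i]) return 1;
    return 0;
}
```

Before the guard, every offset from 0x10 through 0xfc reads or writes whatever lies after bonldma; with it, the same offsets read as 0 and writes are dropped, while in-range offsets behave identically in both versions.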