From patchwork Thu Aug 13 16:45:11 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Leon Alrae <leon.alrae@imgtec.com>
X-Patchwork-Id: 52401
Return-Path: <patchwork-forward+bncBDPILVOKSELBBY4TWOXAKGQEMXAGRFY@linaro.org>
X-Original-To: linaro@patches.linaro.org
Delivered-To: linaro@patches.linaro.org
Received: from mail-wi0-f200.google.com (mail-wi0-f200.google.com
 [209.85.212.200])
 by patches.linaro.org (Postfix) with ESMTPS id A261C22EC6
 for <linaro@patches.linaro.org>; Thu, 13 Aug 2015 16:46:28 +0000 (UTC)
Received: by wilj18 with SMTP id j18sf19200549wil.0
 for <linaro@patches.linaro.org>; Thu, 13 Aug 2015 09:46:28 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:delivered-to:from:to:date:message-id:in-reply-to
 :references:mime-version:content-type:cc:subject:precedence:list-id
 :list-unsubscribe:list-archive:list-post:list-help:list-subscribe
 :errors-to:sender:x-original-sender
 :x-original-authentication-results:mailing-list;
 bh=7nU4PkVay52p3iFj1bLfnlDMNqynCXTskRXTcNHUJWA=;
 b=Us7A+Ane08vb59Ate2MUuIpnrcJIsl3ZFhtRPdlshp50zge4ZgXk1x0UPGhGL5Sxa8
 8bgPgDlAdLXDSvpB1cAFK7OYV2gnkWz+JXCIIBT/PI5EJGHuMpVDYyuMfhZxtu3Nz/qY
 HXWvpDWR+cPNhsi++V1Lqpjr+4JvtffchceETtxB2Z4z5ZMFWM46e9la2HHwtxdPXJD2
 USUb7NTAad3mSJBbmp7a7uKUbXdi4VFJf2KawOgAA2bP/GkwuKvs0rM4+27jCJKdLHKx
 GS5Z/tMiVOWD58Ck8jv7w+ztZkwyJ+7o4Mvzws4eFPFDszcSZ/h1P30e9Tov59mDxe8i
 /I1g==
X-Gm-Message-State: ALoCoQmmyL1/NIZQFgMCJP85UuXlGzaRUpc6G51qB2UL4ijrsFuo9wCtMitKV/E4gsFSX2VScLnH
X-Received: by 10.112.16.200 with SMTP id i8mr11463699lbd.20.1439484387947; 
 Thu, 13 Aug 2015 09:46:27 -0700 (PDT)
X-BeenThere: patchwork-forward@linaro.org
Received: by 10.152.120.40 with SMTP id kz8ls209465lab.24.gmail; Thu, 13 Aug
 2015 09:46:27 -0700 (PDT)
X-Received: by 10.152.88.78 with SMTP id be14mr36794875lab.29.1439484387705; 
 Thu, 13 Aug 2015 09:46:27 -0700 (PDT)
Received: from mail-lb0-f176.google.com (mail-lb0-f176.google.com.
 [209.85.217.176]) by mx.google.com with ESMTPS id
 b10si3126182laf.14.2015.08.13.09.46.27
 for <patchwork-forward@linaro.org>
 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Thu, 13 Aug 2015 09:46:27 -0700 (PDT)
Received-SPF: pass (google.com: domain of
 patch+caf_=patchwork-forward=linaro.org@linaro.org designates
 209.85.217.176 as permitted sender) client-ip=209.85.217.176; 
Received: by lbbtg9 with SMTP id tg9so30680568lbb.1
 for <patchwork-forward@linaro.org>;
 Thu, 13 Aug 2015 09:46:27 -0700 (PDT)
X-Received: by 10.112.131.98 with SMTP id ol2mr37684227lbb.56.1439484387606; 
 Thu, 13 Aug 2015 09:46:27 -0700 (PDT)
X-Forwarded-To: patchwork-forward@linaro.org
X-Forwarded-For: patch@linaro.org patchwork-forward@linaro.org
Delivered-To: patch@linaro.org
Received: by 10.112.7.198 with SMTP id l6csp1057910lba;
 Thu, 13 Aug 2015 09:46:26 -0700 (PDT)
X-Received: by 10.50.43.137 with SMTP id w9mr19443461igl.30.1439484386212;
 Thu, 13 Aug 2015 09:46:26 -0700 (PDT)
Received: from lists.gnu.org (lists.gnu.org. [2001:4830:134:3::11])
 by mx.google.com with ESMTPS id
 kb7si1881714igb.41.2015.08.13.09.46.25 for <patch@linaro.org>
 (version=TLSv1 cipher=RC4-SHA bits=128/128);
 Thu, 13 Aug 2015 09:46:26 -0700 (PDT)
Received-SPF: pass (google.com: domain of
 qemu-devel-bounces+patch=linaro.org@nongnu.org designates
 2001:4830:134:3::11 as permitted sender)
 client-ip=2001:4830:134:3::11; 
Received: from localhost ([::1]:43431 helo=lists.gnu.org)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <qemu-devel-bounces+patch=linaro.org@nongnu.org>)
 id 1ZPve5-0004MZ-3G
 for patch@linaro.org; Thu, 13 Aug 2015 12:46:25 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:53301)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <Leon.Alrae@imgtec.com>) id 1ZPvdD-0003Hb-8u
 for qemu-devel@nongnu.org; Thu, 13 Aug 2015 12:45:32 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <Leon.Alrae@imgtec.com>) id 1ZPvd8-0000BS-Pg
 for qemu-devel@nongnu.org; Thu, 13 Aug 2015 12:45:31 -0400
Received: from mailapp01.imgtec.com ([195.59.15.196]:53459)
 by eggs.gnu.org with esmtp (Exim 4.71)
 (envelope-from <Leon.Alrae@imgtec.com>) id 1ZPvd8-0000BD-JC
 for qemu-devel@nongnu.org; Thu, 13 Aug 2015 12:45:26 -0400
Received: from KLMAIL01.kl.imgtec.org (unknown [192.168.5.35])
 by Websense Email Security Gateway with ESMTPS id 9FBBAE36B132;
 Thu, 13 Aug 2015 17:45:22 +0100 (IST)
Received: from hhmail02.hh.imgtec.org (10.100.10.20) by KLMAIL01.kl.imgtec.org
 (192.168.5.35) with Microsoft SMTP Server (TLS) id 14.3.195.1;
 Thu, 13 Aug 2015 17:45:25 +0100
Received: from lalrae-linux.kl.imgtec.org (192.168.14.163) by
 hhmail02.hh.imgtec.org (10.100.10.20) with Microsoft SMTP Server
 (TLS) id 14.3.235.1; Thu, 13 Aug 2015 17:45:25 +0100
From: Leon Alrae <leon.alrae@imgtec.com>
To: <qemu-devel@nongnu.org>
Date: Thu, 13 Aug 2015 17:45:11 +0100
Message-ID: <1439484312-21086-4-git-send-email-leon.alrae@imgtec.com>
X-Mailer: git-send-email 1.7.9.5
In-Reply-To: <1439484312-21086-1-git-send-email-leon.alrae@imgtec.com>
References: <1439484312-21086-1-git-send-email-leon.alrae@imgtec.com>
MIME-Version: 1.0
X-Originating-IP: [192.168.14.163]
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x
X-Received-From: 195.59.15.196
Cc: Peter Maydell <peter.maydell@linaro.org>
Subject: [Qemu-devel] [PULL 3/4] hw/pci-host/bonito: Avoid buffer overrun
 for bad LDMA/COP accesses
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: <patchwork-forward.linaro.org>
List-Unsubscribe: <mailto:googlegroups-manage+836684582541+unsubscribe@googlegroups.com>, 
 <http://groups.google.com/a/linaro.org/group/patchwork-forward/subscribe>
List-Archive: <http://groups.google.com/a/linaro.org/group/patchwork-forward/>
List-Post: <http://groups.google.com/a/linaro.org/group/patchwork-forward/post>, 
 <mailto:patchwork-forward@linaro.org>
List-Help: <http://support.google.com/a/linaro.org/bin/topic.py?topic=25838>, 
 <mailto:patchwork-forward+help@linaro.org>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org
Sender: qemu-devel-bounces+patch=linaro.org@nongnu.org
X-Removed-Original-Auth: Dkim didn't pass.
X-Original-Sender: patch@linaro.org
X-Original-Authentication-Results: mx.google.com; spf=pass (google.com:
 domain of
 patch+caf_=patchwork-forward=linaro.org@linaro.org designates
 209.85.217.176 as permitted sender)
 smtp.mailfrom=patch+caf_=patchwork-forward=linaro.org@linaro.org
Mailing-list: list patchwork-forward@linaro.org;
 contact patchwork-forward+owners@linaro.org
X-Google-Group-Id: 836684582541

From: Peter Maydell <peter.maydell@linaro.org>

The LDMA and COP memory regions represent four 32 bit registers
each, but the memory regions themselves are 0x100 bytes large.
Add guards to the read and write accessors so that bogus accesses
beyond the four defined registers don't just run off the end of
the bonldma and boncop structs and into whatever lies beyond.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Acked-by: Aurelien Jarno <aurelien@aurel32.net>
Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
---
 hw/pci-host/bonito.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/hw/pci-host/bonito.c b/hw/pci-host/bonito.c
index 3a731fe..4139a2c 100644
--- a/hw/pci-host/bonito.c
+++ b/hw/pci-host/bonito.c
@@ -355,6 +355,10 @@ static uint64_t bonito_ldma_readl(void *opaque, hwaddr addr,
     uint32_t val;
     PCIBonitoState *s = opaque;
 
+    if (addr >= sizeof(s->bonldma)) {
+        return 0;
+    }
+
     val = ((uint32_t *)(&s->bonldma))[addr/sizeof(uint32_t)];
 
     return val;
@@ -365,6 +369,10 @@ static void bonito_ldma_writel(void *opaque, hwaddr addr,
 {
     PCIBonitoState *s = opaque;
 
+    if (addr >= sizeof(s->bonldma)) {
+        return;
+    }
+
     ((uint32_t *)(&s->bonldma))[addr/sizeof(uint32_t)] = val & 0xffffffff;
 }
 
@@ -384,6 +392,10 @@ static uint64_t bonito_cop_readl(void *opaque, hwaddr addr,
     uint32_t val;
     PCIBonitoState *s = opaque;
 
+    if (addr >= sizeof(s->boncop)) {
+        return 0;
+    }
+
     val = ((uint32_t *)(&s->boncop))[addr/sizeof(uint32_t)];
 
     return val;
@@ -394,6 +406,10 @@ static void bonito_cop_writel(void *opaque, hwaddr addr,
 {
     PCIBonitoState *s = opaque;
 
+    if (addr >= sizeof(s->boncop)) {
+        return;
+    }
+
     ((uint32_t *)(&s->boncop))[addr/sizeof(uint32_t)] = val & 0xffffffff;
 }