[PATCH-for-9.0,v2,0/3] hw/block/nand: Fix out-of-bound access in NAND block buffer

Message ID	20240409135944.24997-1-philmd@linaro.org
Headers	show Delivered-To: patch@linaro.org Received-SPF: pass (google.com: domain of qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; From: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <philmd@linaro.org> To: qemu-devel@nongnu.org, Kevin Wolf <kwolf@redhat.com> Cc: Qiang Liu <cyruscyliu@gmail.com>, qemu-block@nongnu.org, Alexander Bulekov <alxndr@bu.edu>, Hanna Reitz <hreitz@redhat.com>, =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <philmd@linaro.org> Subject: [PATCH-for-9.0 v2 0/3] hw/block/nand: Fix out-of-bound access in NAND block buffer Date: Tue, 9 Apr 2024 15:59:40 +0200 Message-ID: <20240409135944.24997-1-philmd@linaro.org> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=2a00:1450:4864:20::134; envelope-from=philmd@linaro.org; helo=mail-lf1-x134.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action Precedence: list Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org Sender: qemu-devel-bounces+patch=linaro.org@nongnu.org
Series	hw/block/nand: Fix out-of-bound access in NAND block buffer \| expand [PATCH-for-9.0,v2,0/3] hw/block/nand: Fix out-of-bound access in NAND block buffer [PATCH-for-9.0,v2,1/3] hw/block/nand: Factor nand_load_iolen() method out [PATCH-for-9.0,v2,2/3] hw/block/nand: Have blk_load() take unsigned offset and return boolean [PATCH-for-9.0,v2,3/3] hw/block/nand: Fix out-of-bound access in NAND block buffer

Message ID

20240409135944.24997-1-philmd@linaro.org

Headers

Received-SPF: pass (google.com: domain of
 qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as
 permitted sender) client-ip=209.51.188.17;
From: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <philmd@linaro.org>
To: qemu-devel@nongnu.org,
	Kevin Wolf <kwolf@redhat.com>
Cc: Qiang Liu <cyruscyliu@gmail.com>, qemu-block@nongnu.org,
 Alexander Bulekov <alxndr@bu.edu>, Hanna Reitz <hreitz@redhat.com>,
	=?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <philmd@linaro.org>
Subject: [PATCH-for-9.0 v2 0/3] hw/block/nand: Fix out-of-bound access in NAND
 block buffer
Date: Tue,  9 Apr 2024 15:59:40 +0200
Message-ID: <20240409135944.24997-1-philmd@linaro.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=2a00:1450:4864:20::134;
 envelope-from=philmd@linaro.org; helo=mail-lf1-x134.google.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org
Sender: qemu-devel-bounces+patch=linaro.org@nongnu.org

Series

hw/block/nand: Fix out-of-bound access in NAND block buffer | expand

Message

Philippe Mathieu-Daudé April 9, 2024, 1:59 p.m. UTC

Fix for https://gitlab.com/qemu-project/qemu/-/issues/1446

Since v1:
- Addressed Kevin trivial suggestions (unsigned offset)

Philippe Mathieu-Daudé (3):
  hw/block/nand: Factor nand_load_iolen() method out
  hw/block/nand: Have blk_load() take unsigned offset and return boolean
  hw/block/nand: Fix out-of-bound access in NAND block buffer

 hw/block/nand.c | 55 ++++++++++++++++++++++++++++++++++---------------
 1 file changed, 38 insertions(+), 17 deletions(-)

Comments

Philippe Mathieu-Daudé April 9, 2024, 2:04 p.m. UTC | #1

On 9/4/24 15:59, Philippe Mathieu-Daudé wrote:
> Fix for https://gitlab.com/qemu-project/qemu/-/issues/1446
> 
> Since v1:
> - Addressed Kevin trivial suggestions (unsigned offset)

$ git backport-diff
Key:
[----] : patches are identical
[####] : number of functional differences between upstream/downstream patch
[down] : patch is downstream-only
The flags [FC] indicate (F)unctional and (C)ontextual differences, 
respectively

001/       3:[0009] [FC] 'hw/block/nand: Factor nand_load_iolen() method 
out'
002/       3:[0004] [FC] 'hw/block/nand: Have blk_load() return boolean 
indicating success'
003/       3:[----] [-C] 'hw/block/nand: Fix out-of-bound access in NAND 
block buffer'

$ git diff
diff --git a/hw/block/nand.c b/hw/block/nand.c
index d90dc965a1..e2433c25bd 100644
--- a/hw/block/nand.c
+++ b/hw/block/nand.c
@@ -88,7 +88,7 @@ struct NANDFlashState {
       * Returns %true when block containing (@addr + @offset) is
       * successfully loaded, otherwise %false.
       */
-    bool (*blk_load)(NANDFlashState *s, uint64_t addr, int offset);
+    bool (*blk_load)(NANDFlashState *s, uint64_t addr, unsigned offset);

      uint32_t ioaddr_vmstate;
  };
@@ -251,18 +251,21 @@ static inline void nand_pushio_byte(NANDFlashState 
*s, uint8_t value)
   * nand_load_block: Load block containing (s->addr + @offset).
   * Returns length of data available at @offset in this block.
   */
-static int nand_load_block(NANDFlashState *s, int offset)
+static unsigned nand_load_block(NANDFlashState *s, unsigned offset)
  {
-    int iolen;
+    unsigned iolen;

      if (!s->blk_load(s, s->addr, offset)) {
          return 0;
      }

-    iolen = (1 << s->page_shift) - offset;
+    iolen = (1 << s->page_shift);
      if (s->gnd) {
          iolen += 1 << s->oob_shift;
      }
+    assert(offset <= iolen);
+    iolen -= offset;
+
      return iolen;
  }

@@ -776,7 +779,7 @@ static void glue(nand_blk_erase_, 
NAND_PAGE_SIZE)(NANDFlashState *s)
  }

  static bool glue(nand_blk_load_, NAND_PAGE_SIZE)(NANDFlashState *s,
-                uint64_t addr, int offset)
+                uint64_t addr, unsigned offset)
  {
      if (PAGE(addr) >= s->pages) {
          return false;
---

> 
> Philippe Mathieu-Daudé (3):
>    hw/block/nand: Factor nand_load_iolen() method out
>    hw/block/nand: Have blk_load() take unsigned offset and return boolean
>    hw/block/nand: Fix out-of-bound access in NAND block buffer
> 
>   hw/block/nand.c | 55 ++++++++++++++++++++++++++++++++++---------------
>   1 file changed, 38 insertions(+), 17 deletions(-)
>

Kevin Wolf April 9, 2024, 2:18 p.m. UTC | #2

Am 09.04.2024 um 15:59 hat Philippe Mathieu-Daudé geschrieben:
> Fix for https://gitlab.com/qemu-project/qemu/-/issues/1446
> 
> Since v1:
> - Addressed Kevin trivial suggestions (unsigned offset)

You already kept the Reviewed-by tags, but looks good to me.

Kevin

Philippe Mathieu-Daudé April 9, 2024, 2:31 p.m. UTC | #3

On 9/4/24 16:18, Kevin Wolf wrote:
> Am 09.04.2024 um 15:59 hat Philippe Mathieu-Daudé geschrieben:
>> Fix for https://gitlab.com/qemu-project/qemu/-/issues/1446
>>
>> Since v1:
>> - Addressed Kevin trivial suggestions (unsigned offset)
> 
> You already kept the Reviewed-by tags, but looks good to me.

Less work on your side ;)

The changes seemed trivial enough to keep them, but better
be safe than sorry.

Thanks!

Series queued.