From patchwork Wed Nov 11 13:11:38 2020
X-Patchwork-Submitter: Jason Wang
X-Patchwork-Id: 322926
From: Jason Wang
To: qemu-devel@nongnu.org, peter.maydell@linaro.org
Cc: Jason Wang, Pavel Pisa
Subject: [PULL 14/17] hw/net/can/ctucan: Don't allow guest to write off end of tx_buffer
Date: Wed, 11 Nov 2020 21:11:38 +0800
Message-Id: <1605100301-11317-15-git-send-email-jasowang@redhat.com>
In-Reply-To: <1605100301-11317-1-git-send-email-jasowang@redhat.com>
References: <1605100301-11317-1-git-send-email-jasowang@redhat.com>
From: Peter Maydell

The ctucan device has 4 CAN bus cores, each of which has a set of 20
32-bit registers for writing the transmitted data. The registers are
however not contiguous; each core's buffer is 0x100 bytes after the
last. We got the checks on the address wrong in the ctucan_mem_write()
function:

 * the first "is addr in range at all" check allowed
   addr == CTUCAN_CORE_MEM_SIZE, which is actually the first byte off
   the end of the range
 * the decode of addresses into core-number plus offset in the tx buffer
   for that core failed to check that the offset was in range, so the
   guest could write off the end of the tx_buffer[] array

NB: currently the values of CTUCAN_CORE_MEM_SIZE, CTUCAN_CORE_TXBUF_NUM,
etc., make "buff_num >= CTUCAN_CORE_TXBUF_NUM" impossible, but we retain
this as a runtime check rather than an assertion to permit those values
to be changed in future (in hardware they are configurable synthesis
parameters).

Fix the top level check, and check the offset is within the buffer.

Fixes: Coverity CID 1432874
Signed-off-by: Peter Maydell
Signed-off-by: Pavel Pisa
Tested-by: Pavel Pisa
Signed-off-by: Jason Wang
---
 hw/net/can/ctucan_core.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

-- 
2.7.4

diff --git a/hw/net/can/ctucan_core.c b/hw/net/can/ctucan_core.c index d20835c..8486f42 100644 --- a/hw/net/can/ctucan_core.c +++ b/hw/net/can/ctucan_core.c @@ -303,7 +303,7 @@ void ctucan_mem_write(CtuCanCoreState *s, hwaddr addr, uint64_t val, DPRINTF("write 0x%02llx addr 0x%02x\n", (unsigned long long)val, (unsigned int)addr); - if (addr > CTUCAN_CORE_MEM_SIZE) { + if (addr >= CTUCAN_CORE_MEM_SIZE) { return; }
@@ -312,7 +312,9 @@ void ctucan_mem_write(CtuCanCoreState *s, hwaddr addr, uint64_t val, addr -= CTU_CAN_FD_TXTB1_DATA_1; buff_num = addr / CTUCAN_CORE_TXBUFF_SPAN; addr %= CTUCAN_CORE_TXBUFF_SPAN; - if (buff_num < CTUCAN_CORE_TXBUF_NUM) { + addr &= ~3; + if ((buff_num < CTUCAN_CORE_TXBUF_NUM) && + (addr < sizeof(s->tx_buffer[buff_num].data))) { uint32_t *bufp = (uint32_t *)(s->tx_buffer[buff_num].data + addr); *bufp = cpu_to_le32(val); }
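Review bot: in the first hunk (@@ -303), changing `>` to `>=` correctly rejects addr == CTUCAN_CORE_MEM_SIZE, but the out-of-range path still just returns silently; the usual QEMU convention for a bad guest access is to report it with qemu_log_mask(LOG_GUEST_ERROR, ...) so that a guest poking past the end of the register window is visible in the log rather than dropped without trace. Minor: the existing DPRINTF casts the hwaddr to unsigned int, so a high out-of-range address would be printed truncated if debugging were enabled; not introduced by this patch, but worth tidying while here.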
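Review bot: in the second hunk (@@ -312), the new bound `(addr < sizeof(s->tx_buffer[buff_num].data))` is tested after `addr &= ~3;`, but the store that follows is a full 4-byte `*bufp = cpu_to_le32(val);`, so the condition only guarantees that the first byte of the write lies inside `data`; it is sufficient only if sizeof(data) is a multiple of 4, which nothing in the hunk establishes. Either make the width explicit, e.g. `(addr + sizeof(uint32_t) <= sizeof(s->tx_buffer[buff_num].data))`, or record the alignment assumption with a comment or a QEMU_BUILD_BUG_ON on the array size. Note that `sizeof` does not evaluate its operand here (fixed-size array member), so `s->tx_buffer[buff_num]` is not actually indexed before the left-hand `buff_num < CTUCAN_CORE_TXBUF_NUM` has passed, which is fine. One more thing for the commit message: `addr &= ~3;` is a behaviour change for unaligned guest writes (they now land on the aligned slot instead of being written through an unaligned uint32_t pointer), and that is not mentioned in the description.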