From patchwork Tue Nov 10 21:52:47 2020
X-Patchwork-Submitter: Pavel Pisa
X-Patchwork-Id: 322890
From: Pavel Pisa
To: qemu-devel@nongnu.org, Peter Maydell
Cc: Pavel Pisa, Jason Wang, Vikram Garhwal, Ondrej Ille, Jan Charvát
Subject: [PATCH for-5.2 v3 1/4] hw/net/can/ctucan: Don't allow guest to write off end of tx_buffer
Date: Tue, 10 Nov 2020 22:52:47 +0100
Message-Id: <94d4236dee6973978398e6e2a3a321b65a7d35be.1605044619.git.pisa@cmp.felk.cvut.cz>
X-Mailer: git-send-email 2.20.1
List-Id: qemu-devel@nongnu.org
From: Peter Maydell

The ctucan device has 4 CAN bus cores, each of which has a set of 20 32-bit registers for writing the transmitted data. The registers are however not contiguous; each core's buffer is 0x100 bytes after the last. We got the checks on the address wrong in the ctucan_mem_write() function:

 * the first "is addr in range at all" check allowed addr == CTUCAN_CORE_MEM_SIZE, which is actually the first byte off the end of the range
 * the decode of addresses into core-number plus offset in the tx buffer for that core failed to check that the offset was in range, so the guest could write off the end of the tx_buffer[] array

NB: currently the values of CTUCAN_CORE_MEM_SIZE, CTUCAN_CORE_TXBUF_NUM, etc., make "buff_num >= CTUCAN_CORE_TXBUF_NUM" impossible, but we retain this as a runtime check rather than an assertion to permit those values to be changed in future (in hardware they are configurable synthesis parameters).

Fix the top level check, and check the offset is within the buffer.

Fixes: Coverity CID 1432874
Signed-off-by: Peter Maydell
Signed-off-by: Pavel Pisa
Tested-by: Pavel Pisa
---
 hw/net/can/ctucan_core.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

-- 2.20.1 diff --git a/hw/net/can/ctucan_core.c b/hw/net/can/ctucan_core.c index d20835cd7e..8486f429d7 100644 --- a/hw/net/can/ctucan_core.c +++ b/hw/net/can/ctucan_core.c @@ -303,7 +303,7 @@ void ctucan_mem_write(CtuCanCoreState *s, hwaddr addr, uint64_t val, DPRINTF("write 0x%02llx addr 0x%02x\n", (unsigned long long)val, (unsigned int)addr); - if (addr > CTUCAN_CORE_MEM_SIZE) { + if (addr >= CTUCAN_CORE_MEM_SIZE) { return; }
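Review bot: the `>` to `>=` change in this hunk fixes the start-address bound only; the test still looks at `addr` alone, not `addr + size`, so a 4-byte store at `CTUCAN_CORE_MEM_SIZE - 1` passes here and every later path (the per-buffer offset check in the next hunk, whatever decode follows for the rest of the region) has to keep the access inside the region on its own. That is acceptable if the region's MemoryRegionOps limits accesses to 4 bytes, but a one-line comment that `CTUCAN_CORE_MEM_SIZE` is an exclusive bound would make the intent explicit. The diffstat shows only ctucan_mem_write() is touched; if the read side carries the same `addr > CTUCAN_CORE_MEM_SIZE` comparison it should get the same fix in this series.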
@@ -312,7 +312,9 @@ void ctucan_mem_write(CtuCanCoreState *s, hwaddr addr, uint64_t val, addr -= CTU_CAN_FD_TXTB1_DATA_1; buff_num = addr / CTUCAN_CORE_TXBUFF_SPAN; addr %= CTUCAN_CORE_TXBUFF_SPAN; - if (buff_num < CTUCAN_CORE_TXBUF_NUM) { + addr &= ~3; + if ((buff_num < CTUCAN_CORE_TXBUF_NUM) && + (addr < sizeof(s->tx_buffer[buff_num].data))) { uint32_t *bufp = (uint32_t *)(s->tx_buffer[buff_num].data + addr); *bufp = cpu_to_le32(val); }
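Review bot: the new bound `addr < sizeof(s->tx_buffer[buff_num].data)` only keeps the 4-byte store inside `data[]` because, after `addr &= ~3`, the largest accepted offset is `sizeof(data) - 4` when `sizeof(data)` is a multiple of 4; the commit message says these sizes are synthesis parameters that may change, so writing the check as `addr + sizeof(uint32_t) <= sizeof(s->tx_buffer[buff_num].data)` would stay correct for any size. Ordering is right as written: the alignment mask comes before the bound test, so a misaligned address near the end of `data[]` cannot straddle it. Note that `addr &= ~3` rounds an unaligned guest address down rather than rejecting it; if the MemoryRegionOps for this region does not already enforce 4-byte alignment, a DPRINTF or explicit reject on `addr & 3` would keep an unaligned write from silently landing on the neighbouring word.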
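A stand-alone model of the address decode the commit message describes, added here as an example; it is not code from QEMU or from the patch authors. The constants (four buffers, 20 words each, a 0x100 span, data base 0x100, region size 0x500) are assumptions chosen to match the message, and the real values live in QEMU's ctucan headers. The model compares the pre-patch and patched checks address by address without performing the out-of-bounds store, and spells the new bound as `offset + 4 <= sizeof(data)` rather than the patch's `addr < sizeof(data)`, which is the same test while `data` is a multiple of 4 bytes and stays safe otherwise.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout constants modelled on the commit message; assumed, not copied from QEMU. */
#define TXBUF_NUM     4u        /* four CAN cores, one tx buffer each */
#define TXBUF_WORDS   20u       /* 20 x 32-bit data registers per buffer */
#define TXBUFF_SPAN   0x100u    /* each core's block starts 0x100 after the last */
#define TXTB1_DATA_1  0x100u    /* assumed offset of the first data word */
#define CORE_MEM_SIZE (TXTB1_DATA_1 + TXBUF_NUM * TXBUFF_SPAN)  /* 0x500, assumed */

typedef struct { uint8_t data[TXBUF_WORDS * 4]; } TxBuffer;   /* 80 bytes of payload */

typedef struct {
    TxBuffer tx_buffer[TXBUF_NUM];
    uint32_t canary;            /* a guest write must never reach this */
} CoreState;

static const size_t TXBUF_DATA_SIZE = sizeof(((TxBuffer *)0)->data);

typedef struct {
    bool accepted;              /* decoder lets the write reach tx_buffer[] */
    bool in_bounds;             /* the 4 bytes land inside tx_buffer[buff_num].data */
    unsigned buff_num;
    unsigned offset;            /* byte offset inside that buffer's data[] */
} WriteTarget;

/* Decode a guest write address like ctucan_mem_write(): pre-patch checks when
 * fixed == false, patched checks when fixed == true. Nothing is written. */
static WriteTarget decode_tx_write(uint64_t addr, bool fixed)
{
    WriteTarget t = {0};

    /* Top-level range check: the old '>' lets addr == CORE_MEM_SIZE through. */
    if (fixed ? addr >= CORE_MEM_SIZE : addr > CORE_MEM_SIZE) {
        return t;
    }
    if (addr < TXTB1_DATA_1) {
        return t;               /* control registers; not modelled here */
    }
    addr -= TXTB1_DATA_1;
    t.buff_num = (unsigned)(addr / TXBUFF_SPAN);
    t.offset = (unsigned)(addr % TXBUFF_SPAN);
    if (fixed) {
        t.offset &= ~3u;        /* the patch's 'addr &= ~3' */
    }
    bool ok = t.buff_num < TXBUF_NUM;
    if (fixed) {
        /* Stricter spelling of the patch's 'addr < sizeof(data)' test. */
        ok = ok && t.offset + sizeof(uint32_t) <= TXBUF_DATA_SIZE;
    }
    if (!ok) {
        return t;
    }
    t.accepted = true;
    t.in_bounds = t.offset + sizeof(uint32_t) <= TXBUF_DATA_SIZE;
    return t;
}

/* Store one word using the patched decode; returns true if it was accepted. */
static bool store_tx_word(CoreState *s, uint64_t addr, uint32_t val)
{
    WriteTarget t = decode_tx_write(addr, true);
    if (!t.accepted) {
        return false;
    }
    /* Same effect as '*bufp = cpu_to_le32(val)': little-endian byte order. */
    uint8_t le[4] = { val & 0xff, (val >> 8) & 0xff, (val >> 16) & 0xff, val >> 24 };
    memcpy(s->tx_buffer[t.buff_num].data + t.offset, le, sizeof le);
    return true;
}

/* Count the 4-byte-aligned addresses the old decode would let off the end of data[]. */
static unsigned count_old_escapes(void)
{
    unsigned n = 0;
    for (uint64_t a = 0; a <= CORE_MEM_SIZE; a += 4) {
        WriteTarget t = decode_tx_write(a, false);
        n += t.accepted && !t.in_bounds;
    }
    return n;
}

/* Last word of buffer 2 is stored; the word at offset 0xfc of buffer 3 is refused. */
static bool exercise_store(void)
{
    CoreState s;
    memset(&s, 0, sizeof s);
    s.canary = 0xdeadbeef;
    if (!store_tx_word(&s, TXTB1_DATA_1 + 2 * TXBUFF_SPAN + 0x4c, 0x11223344)) {
        return false;
    }
    if (s.tx_buffer[2].data[76] != 0x44 || s.tx_buffer[2].data[79] != 0x11) {
        return false;
    }
    if (store_tx_word(&s, TXTB1_DATA_1 + 3 * TXBUFF_SPAN + 0xfc, 0x41414141)) {
        return false;
    }
    return s.canary == 0xdeadbeef;
}

int main(void)
{
    printf("old decode lets %u aligned addresses write off the end of data[]\n",
           count_old_escapes());
    printf("patched decode: %s\n",
           exercise_store() ? "buffer 2 stored, overflow refused" : "FAILED");
    return 0;
}
```

With the assumed layout, 44 of the 64 aligned offsets in every 0x100 span (offsets 80 through 252) point past the 80-byte `data[]`, so the sweep reports 176 escaping addresses under the old decode and none under the patched one; the `canary` field directly after the array is the host memory such a write would have reached.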