[Stable-9.1.2 43/58] ppc/pnv: ADU fix possible buffer overrun with inval

qemu-stable

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Stable-9.1.2 43/58] ppc/pnv: ADU fix possible buffer overrun with inval

From:	Michael Tokarev
Subject:	[Stable-9.1.2 43/58] ppc/pnv: ADU fix possible buffer overrun with invalid size
Date:	Sat, 9 Nov 2024 15:08:44 +0300

From: Nicholas Piggin <npiggin@gmail.com>

The ADU LPC transfer-size field is 7 bits, but the supported sizes for
LPC access via ADU appear to be 1, 2, 4, 8. The data buffer could
overrun if firmware set an invalid size field, so add checks to reject
them with a message.

Cc: qemu-stable@nongnu.org
Reported-by: Cédric Le Goater <clg@redhat.com>
Resolves: Coverity CID 1558830
Fixes: 24bd283bccb33 ("ppc/pnv: Implement ADU access to LPC space")
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
(cherry picked from commit ddd2a060a0da41000ddca31e329ab1d54e37fedb)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

diff --git a/hw/ppc/pnv_adu.c b/hw/ppc/pnv_adu.c
index 81b7d6e526..f636dedf79 100644
--- a/hw/ppc/pnv_adu.c
+++ b/hw/ppc/pnv_adu.c
@@ -116,6 +116,12 @@ static void pnv_adu_xscom_write(void *opaque, hwaddr addr, 
uint64_t val,
             uint32_t lpc_size = lpc_cmd_size(adu);
             uint64_t data = 0;
 
+            if (!is_power_of_2(lpc_size) || lpc_size > sizeof(data)) {
+                qemu_log_mask(LOG_GUEST_ERROR, "ADU: Unsupported LPC access "
+                                               "size:%" PRId32 "\n", lpc_size);
+                break;
+            }
+
             pnv_lpc_opb_read(adu->lpc, lpc_addr, (void *)&data, lpc_size);
 
             /*
@@ -135,6 +141,12 @@ static void pnv_adu_xscom_write(void *opaque, hwaddr addr, 
uint64_t val,
             uint32_t lpc_size = lpc_cmd_size(adu);
             uint64_t data;
 
+            if (!is_power_of_2(lpc_size) || lpc_size > sizeof(data)) {
+                qemu_log_mask(LOG_GUEST_ERROR, "ADU: Unsupported LPC access "
+                                               "size:%" PRId32 "\n", lpc_size);
+                break;
+            }
+
             data = cpu_to_be64(val) >> ((lpc_addr & 7) * 8); /* See above */
             pnv_lpc_opb_write(adu->lpc, lpc_addr, (void *)&data, lpc_size);
         }
-- 
2.39.5

[Prev in Thread]

Current Thread

[Next in Thread]

[Stable-9.1.2 27/58] target/arm: Store FPSR cumulative exception bits in env->vfp.fpsr, (continued)
- [Stable-9.1.2 27/58] target/arm: Store FPSR cumulative exception bits in env->vfp.fpsr, Michael Tokarev, 2024/11/09
- [Stable-9.1.2 28/58] stubs: avoid duplicate symbols in libqemuutil.a, Michael Tokarev, 2024/11/09
- [Stable-9.1.2 36/58] target/riscv: Fix vcompress with rvv_ta_all_1s, Michael Tokarev, 2024/11/09
- [Stable-9.1.2 37/58] target/ppc: Set ctx->opcode for decode_insn32(), Michael Tokarev, 2024/11/09
- [Stable-9.1.2 29/58] target/riscv/csr.c: Fix an access to VXSAT, Michael Tokarev, 2024/11/09
- [Stable-9.1.2 32/58] target/riscv: Set vtype.vill on CPU reset, Michael Tokarev, 2024/11/09
- [Stable-9.1.2 34/58] target/riscv/kvm: set 'aia_mode' to default in error path, Michael Tokarev, 2024/11/09
- [Stable-9.1.2 38/58] target/ppc: Make divd[u] handler method decodetree compatible, Michael Tokarev, 2024/11/09
- [Stable-9.1.2 40/58] ppc/pnv: Fix LPC POWER8 register sanity check, Michael Tokarev, 2024/11/09
- [Stable-9.1.2 42/58] target/ppc: Fix HFSCR facility checks, Michael Tokarev, 2024/11/09
- [Stable-9.1.2 43/58] ppc/pnv: ADU fix possible buffer overrun with invalid size, Michael Tokarev <=
- [Stable-9.1.2 39/58] ppc/pnv: Fix LPC serirq routing calculation, Michael Tokarev, 2024/11/09
- [Stable-9.1.2 44/58] hw/ssi/pnv_spi: Match _xfer_buffer_free() with _xfer_buffer_new(), Michael Tokarev, 2024/11/09
- [Stable-9.1.2 41/58] target/ppc: Fix mtDPDES targeting SMT siblings, Michael Tokarev, 2024/11/09
- [Stable-9.1.2 47/58] tests/tcg: Replace -mpower8-vector with -mcpu=power8, Michael Tokarev, 2024/11/09
- [Stable-9.1.2 46/58] hw/ssi/pnv_spi: Fixes Coverity CID 1558831, Michael Tokarev, 2024/11/09
- [Stable-9.1.2 45/58] hw/ssi/pnv_spi: Return early in transfer(), Michael Tokarev, 2024/11/09
- [Stable-9.1.2 52/58] Revert "target/arm: Fix usage of MMU indexes when EL3 is AArch32", Michael Tokarev, 2024/11/09
- [Stable-9.1.2 48/58] hw/sd/sdcard: Fix calculation of size when using eMMC boot partitions, Michael Tokarev, 2024/11/09
- [Stable-9.1.2 49/58] qemu-ga: Fix a SIGSEGV in ga_run_command() helper, Michael Tokarev, 2024/11/09
- [Stable-9.1.2 51/58] acpi/disassemle-aml.sh: fix up after dir reorg, Michael Tokarev, 2024/11/09

Prev by Date: [Stable-9.1.2 42/58] target/ppc: Fix HFSCR facility checks
Next by Date: [Stable-9.1.2 39/58] ppc/pnv: Fix LPC serirq routing calculation
Previous by thread: [Stable-9.1.2 42/58] target/ppc: Fix HFSCR facility checks
Next by thread: [Stable-9.1.2 39/58] ppc/pnv: Fix LPC serirq routing calculation
Index(es):
- Date
- Thread