From patchwork Thu Aug 13 16:45:11 2015
X-Patchwork-Submitter: Leon Alrae
X-Patchwork-Id: 507090
From: Leon Alrae
Date: Thu, 13 Aug 2015 17:45:11 +0100
Message-ID: <1439484312-21086-4-git-send-email-leon.alrae@imgtec.com>
X-Mailer: git-send-email 1.7.9.5
In-Reply-To: <1439484312-21086-1-git-send-email-leon.alrae@imgtec.com>
References: <1439484312-21086-1-git-send-email-leon.alrae@imgtec.com>
Cc: Peter Maydell
Subject: [Qemu-devel] [PULL 3/4] hw/pci-host/bonito: Avoid buffer overrun for bad LDMA/COP accesses

From: Peter Maydell

The LDMA and COP memory regions represent four 32 bit registers each, but the memory regions themselves are 0x100 bytes large. Add guards to the read and write accessors so that bogus accesses beyond the four defined registers don't just run off the end of the bonldma and boncop structs and into whatever lies beyond.

Signed-off-by: Peter Maydell
Acked-by: Aurelien Jarno
Signed-off-by: Leon Alrae
---
 hw/pci-host/bonito.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/hw/pci-host/bonito.c b/hw/pci-host/bonito.c index 3a731fe..4139a2c 100644 --- a/hw/pci-host/bonito.c +++ b/hw/pci-host/bonito.c @@ -355,6 +355,10 @@ static uint64_t bonito_ldma_readl(void *opaque, hwaddr addr, uint32_t val; PCIBonitoState *s = opaque; + if (addr >= sizeof(s->bonldma)) { + return 0; + } + val = ((uint32_t *)(&s->bonldma))[addr/sizeof(uint32_t)]; return val; @@ -365,6 +369,10 @@ static void bonito_ldma_writel(void *opaque, hwaddr addr, { PCIBonitoState *s = opaque; + if (addr >= sizeof(s->bonldma)) { + return; + } + ((uint32_t *)(&s->bonldma))[addr/sizeof(uint32_t)] = val & 0xffffffff; }
@@ -384,6 +392,10 @@ static uint64_t bonito_cop_readl(void *opaque, hwaddr addr, uint32_t val; PCIBonitoState *s = opaque; + if (addr >= sizeof(s->boncop)) { + return 0; + } + val = ((uint32_t *)(&s->boncop))[addr/sizeof(uint32_t)]; return val; @@ -394,6 +406,10 @@ static void bonito_cop_writel(void *opaque, hwaddr addr, { PCIBonitoState *s = opaque; + if (addr >= sizeof(s->boncop)) { + return; + } + ((uint32_t *)(&s->boncop))[addr/sizeof(uint32_t)] = val & 0xffffffff; }
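Review bot: in the bonito_ldma_readl hunk (@@ -355,6 +355,10 @@) the new out-of-range check returns 0 silently, so a guest driver poking one of the 0xF0 undefined bytes of the region is indistinguishable from one reading a legitimately zero register; a qemu_log_mask(LOG_GUEST_ERROR, ...) call ahead of `return 0;` would make such accesses visible when debugging a guest. The bound itself is sound: any addr below sizeof(s->bonldma) divides down to an index of at most 3, so the existing uint32_t-array cast can no longer step past the four-register struct that the commit message describes.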
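Review bot: in the bonito_ldma_writel hunk (@@ -365,6 +369,10 @@) the dropped write is likewise silent, and a discarded store to a DMA control block is exactly the event one wants logged, so the same LOG_GUEST_ERROR suggestion applies before the bare `return;`. Unrelated to the guard but adjacent to it: the `val & 0xffffffff` mask on the surviving store line is a no-op, since the assignment target is a uint32_t element and truncates anyway; it could be dropped in a follow-up cleanup.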
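Review bot: the bonito_cop_readl hunk (@@ -384,6 +392,10 @@), and the bonito_cop_writel hunk after it, repeat the ldma guard and index computation verbatim with only the struct name changed. Since all four accessors treat a struct as a uint32_t array and now all carry the same `addr >= sizeof(...)` bound, a small shared helper taking a pointer to the register block and its size, or modelling bonldma and boncop as explicit uint32_t[4] register files, would keep the bound and the index in one place and make the next such accessor harder to get wrong.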