From patchwork Mon Apr 30 20:02:20 2018
X-Patchwork-Submitter: Marcel Apfelbaum
X-Patchwork-Id: 906844
From: Marcel Apfelbaum
To: qemu-devel@nongnu.org
Date: Mon, 30 Apr 2018 23:02:20 +0300
Message-Id: <20180430200223.4119-5-marcel.apfelbaum@gmail.com>
In-Reply-To: <20180430200223.4119-1-marcel.apfelbaum@gmail.com>
References: <20180430200223.4119-1-marcel.apfelbaum@gmail.com>
Subject: [Qemu-devel] [PATCH 4/7] hw/rdma: Fix possible out of bounds access to GID table
Cc: peter.maydell@linaro.org, yuval.shaia@oracle.com

From: Yuval Shaia

Array size is MAX_PORT_GIDS, let's make sure the given index is in range. While there limit device table size to 1.

Reported-by: Peter Maydell
Signed-off-by: Yuval Shaia
Reviewed-by: Marcel Apfelbaum
---
hw/rdma/rdma_rm_defs.h | 2 +-
hw/rdma/vmw/pvrdma_cmd.c | 8 ++++++--
2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/hw/rdma/rdma_rm_defs.h b/hw/rdma/rdma_rm_defs.h index 45503f14e0..4d22a20e4c 100644 --- a/hw/rdma/rdma_rm_defs.h +++ b/hw/rdma/rdma_rm_defs.h @@ -20,9 +20,9 @@ #define MAX_PORTS 1 #define MAX_PORT_GIDS 1 +#define MAX_GIDS MAX_PORT_GIDS #define MAX_PORT_PKEYS 1 #define MAX_PKEYS MAX_PORT_PKEYS -#define MAX_GIDS 2048 #define MAX_UCS 512 #define MAX_MR_SIZE (1UL << 27) #define MAX_QP 1024 diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c index f9dd78cb27..14255d609f 100644 --- a/hw/rdma/vmw/pvrdma_cmd.c +++ b/hw/rdma/vmw/pvrdma_cmd.c @@ -576,7 +576,7 @@ static int create_bind(PVRDMADev *dev, union pvrdma_cmd_req *req, pr_dbg("index=%d\n", cmd->index); - if (cmd->index > MAX_PORT_GIDS) { + if (cmd->index >= MAX_PORT_GIDS) { return -EINVAL; } 
@@ -603,7 +603,11 @@ static int destroy_bind(PVRDMADev *dev, union pvrdma_cmd_req *req, { struct pvrdma_cmd_destroy_bind *cmd = &req->destroy_bind; - pr_dbg("clear index %d\n", cmd->index); + pr_dbg("index=%d\n", cmd->index); + + if (cmd->index >= MAX_PORT_GIDS) { + return -EINVAL; + } memset(dev->rdma_dev_res.ports[0].gid_tbl[cmd->index].raw, 0, sizeof(dev->rdma_dev_res.ports[0].gid_tbl[cmd->index].raw));
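
Review bot: In the rdma_rm_defs.h hunk, "#define MAX_GIDS MAX_PORT_GIDS" makes the device table size equal to the per-port size, which is only right while MAX_PORTS is 1. Either define it as (MAX_PORTS * MAX_PORT_GIDS) or add a comment stating the single-port assumption, so the two limits do not silently diverge if MAX_PORTS is raised. The commit message also says only "limit device table size to 1"; a sentence on why 2048 was wrong and what consumes MAX_GIDS would help, since no user of the macro is visible in this patch.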
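
Review bot: In create_bind(), the corrected test "cmd->index >= MAX_PORT_GIDS" has no lower bound, and the same value is logged with "%d" one line above. If the index field is signed, a negative value from the request still passes the check; if it is unsigned, the check is sufficient and the format specifier should be "%u". The field's declaration is not part of this diff, so please confirm the type and make the log format and the comparison agree with it.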
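
Review bot: In destroy_bind(), the added check duplicates the one in create_bind() and compares against the MAX_PORT_GIDS macro rather than the table that the memset() right below actually indexes. If gid_tbl is a fixed-size array, as the commit message implies, a single shared helper that tests the index against ARRAY_SIZE(dev->rdma_dev_res.ports[0].gid_tbl) would keep both handlers correct if the declaration ever changes. Separately, changing the debug text from "clear index %d" to "index=%d" is unrelated to the bounds fix and leaves both handlers printing the same string; consider keeping the old wording or moving that change to its own patch.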