david.venhoff/QEMU-Nyx-fork
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

hw/rdma: Fix possible out of bounds access to regs array

Browse Source 
Coverity (CID1390589, CID1390608).
Array size is RDMA_BAR1_REGS_SIZE, let's make sure the given address is
in range.

While there also:
1. Adjust the size of this bar to reasonable size
2. Report the size of the array with sizeof(array)

Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Yuval Shaia <yuval.shaia@oracle.com>
Reviewed-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
Message-Id: <20180430200223.4119-6-marcel.apfelbaum@gmail.com>
This commit is contained in:
Yuval Shaia 2018-04-30 23:02:21 +03:00 committed by Marcel Apfelbaum
parent c387e8a4ec
commit 350929172b
2 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
hw/rdma/vmw/pvrdma.h
View File

@ -31,7 +31,7 @@
#define RDMA_REG_BAR_IDX 1 #define RDMA_REG_BAR_IDX 1
#define RDMA_UAR_BAR_IDX 2 #define RDMA_UAR_BAR_IDX 2
#define RDMA_BAR0_MSIX_SIZE (16 * 1024) #define RDMA_BAR0_MSIX_SIZE (16 * 1024)
#define RDMA_BAR1_REGS_SIZE 256 #define RDMA_BAR1_REGS_SIZE 64
#define RDMA_BAR2_UAR_SIZE (0x1000 * MAX_UCS) /* each uc gets page */ #define RDMA_BAR2_UAR_SIZE (0x1000 * MAX_UCS) /* each uc gets page */
/* MSIX */ /* MSIX */
@ -86,7 +86,7 @@ static inline int get_reg_val(PVRDMADev *dev, hwaddr addr, uint32_t *val)
{ {
int idx = addr >> 2; int idx = addr >> 2;
if (idx > RDMA_BAR1_REGS_SIZE) { if (idx >= RDMA_BAR1_REGS_SIZE) {
return -EINVAL; return -EINVAL;
} }
@ -99,7 +99,7 @@ static inline int set_reg_val(PVRDMADev *dev, hwaddr addr, uint32_t val)
{ {
int idx = addr >> 2; int idx = addr >> 2;
if (idx > RDMA_BAR1_REGS_SIZE) { if (idx >= RDMA_BAR1_REGS_SIZE) {
return -EINVAL; return -EINVAL;
} }

4
hw/rdma/vmw/pvrdma_main.c
View File

@ -449,14 +449,14 @@ static void init_bars(PCIDevice *pdev)
/* BAR 1 - Registers */ /* BAR 1 - Registers */
memset(&dev->regs_data, 0, sizeof(dev->regs_data)); memset(&dev->regs_data, 0, sizeof(dev->regs_data));
memory_region_init_io(&dev->regs, OBJECT(dev), &regs_ops, dev, memory_region_init_io(&dev->regs, OBJECT(dev), &regs_ops, dev,
"pvrdma-regs", RDMA_BAR1_REGS_SIZE); "pvrdma-regs", sizeof(dev->regs_data));
pci_register_bar(pdev, RDMA_REG_BAR_IDX, PCI_BASE_ADDRESS_SPACE_MEMORY, pci_register_bar(pdev, RDMA_REG_BAR_IDX, PCI_BASE_ADDRESS_SPACE_MEMORY,
&dev->regs); &dev->regs);
/* BAR 2 - UAR */ /* BAR 2 - UAR */
memset(&dev->uar_data, 0, sizeof(dev->uar_data)); memset(&dev->uar_data, 0, sizeof(dev->uar_data));
memory_region_init_io(&dev->uar, OBJECT(dev), &uar_ops, dev, "rdma-uar", memory_region_init_io(&dev->uar, OBJECT(dev), &uar_ops, dev, "rdma-uar",
RDMA_BAR2_UAR_SIZE); sizeof(dev->uar_data));
pci_register_bar(pdev, RDMA_UAR_BAR_IDX, PCI_BASE_ADDRESS_SPACE_MEMORY, pci_register_bar(pdev, RDMA_UAR_BAR_IDX, PCI_BASE_ADDRESS_SPACE_MEMORY,
&dev->uar); &dev->uar);
} }