From nobody Sun Dec 29 01:38:11 2024 Delivered-To: importer2@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer2=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=gmail.com ARC-Seal: i=1; a=rsa-sha256; t=1719110841; cv=none; d=zohomail.com; s=zohoarc; b=SxykoVbJ23z12pf12aOvcZA2Qwxrp8cq0eSMdA5BX98OJ3Us+pQKfmux+VnX2u9EF+89jHtk5WXXdVIilQtoZ0FlMrEkFfwGqQtf+ugCFZNDPBZJ77qeM3+EMCVOavENNvIB+tBAGzMyhemdweBf9mX1JsGKxtTzCSREKBm2+W4= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1719110841; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=AZP/WdcdmHmYxpaWrBiM0FoLrhAiPW6xvRvl4Nh7Rf4=; b=X5SpIjqCHOCW3B9jhEXHN4koyD9SqE9ncwKiN3H4ykfbfVdX+ZKmXMaVRRpVETo7udEg22KQLuYfJcEiuRnG6SlrTcj6ME2hJLPBpZDFhThjfvuPQ/vHBZWdeS3lVcNWHkbA5FO4Jo7Bbkg9Dy6oUnYKiXM3wypBsmhQ+zMxvaY= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer2=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1719110841622889.7427031629002; Sat, 22 Jun 2024 19:47:21 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1sLDFJ-00083E-SC; Sat, 22 Jun 2024 22:46:25 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sLDFI-00082u-8V for qemu-devel@nongnu.org; Sat, 22 Jun 2024 22:46:24 -0400 Received: from mail-pl1-x630.google.com ([2607:f8b0:4864:20::630]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1sLDFG-0000Is-Ie for qemu-devel@nongnu.org; Sat, 22 Jun 2024 22:46:24 -0400 Received: by mail-pl1-x630.google.com with SMTP id d9443c01a7336-1f4a5344ec7so21662265ad.1 for ; Sat, 22 Jun 2024 19:46:21 -0700 (PDT) Received: from localhost ([116.121.76.56]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-1f9eb3c8b5dsm37627625ad.181.2024.06.22.19.46.19 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 22 Jun 2024 19:46:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1719110780; x=1719715580; darn=nongnu.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=AZP/WdcdmHmYxpaWrBiM0FoLrhAiPW6xvRvl4Nh7Rf4=; b=LvI/2ZtdnxXDBWABJPIdfUGJgZYa+W3dcJdt2loO3XzZ53IFSXkKHaKW+2mOPWVNql vk4EQnnWhk5VSDMZ09/cRWkiEeUAmmpbMpleSmMwIC8MuNkjsN1kHy2ZDiILd3w2Ma0P OR9IT+/iw4Wj4DDm9N8vWYL2pl0cCFtkK0QmKnGzllW1lXTk3LhlPJi+0vXYzAVliSuK IwhCPGppR3Z5EuxNgUHioPMElXWD4F+Kz/ESsOUvnpVa6vFcPDnmgb0gw6SbvC4KZz7t AJibiGkPREjVxc+PbXgdGAY/JWSyCiAza0vb1UKe14MVCpl2CjTTLmigkAgL2pm3bdWS vOtQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1719110780; x=1719715580; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=AZP/WdcdmHmYxpaWrBiM0FoLrhAiPW6xvRvl4Nh7Rf4=; b=XfZh+6u0XEyCbxC/u50KHSlxK+WpS3GSq0NOuKKeX5YfMi31DK9xV4wW2PJ8/2YOSz be+fEpLL3LY5bbcTDoGgbsF+wSbFnN7CQcY7Wdd9ey/PaRZKT/EVUVZBwB1avIzFIYFN TJ/HWB8FzYAdwsmEZSdt9ZFnPG/FvoYsMiBEDc7CHeCp8/+T9Io9ul6fJixBHYN9wyKl q3MbdwnAicg8e5X8CNvldE59J7IAezgxn9MGNTWKJy1B0TEmMe+mYemSY7Mzv41mcjMP xaLdNfexTz2Q+LdMqkJBA5MqyT/gzJEqNY+M4/Cr0RsBtrWxsY9Td0Je4iDt4GUWD0FR vgeg== X-Gm-Message-State: AOJu0YxMkjXGtqRO7MlKl1GwgkRG7/9yI0iJ/PoopWXpNnkYdaQctqtu rtFOG2sXoCnFcCS+8XcnYgg0gSoT38FTc6zCUvZLM04RvyK2EdJO X-Google-Smtp-Source: AGHT+IEnb6drM7t/fSd9xsk1lX///NZUDSNw1TNNSFM9dfgKK7tzvXj1BUxs1Nkfi2ISQpVIkkupFQ== X-Received: by 2002:a17:902:e850:b0:1fa:2c79:7504 with SMTP id d9443c01a7336-1fa2c797598mr6322955ad.48.1719110780417; Sat, 22 Jun 2024 19:46:20 -0700 (PDT) From: Minwoo Im To: Jeuk Kim Cc: qemu-devel@nongnu.org, Minwoo Im , Minwoo Im , Jeuk Kim , Peter Maydell Subject: [PATCH] hw/ufs: Fix potential bugs in MMIO read|write Date: Sun, 23 Jun 2024 11:45:55 +0900 Message-Id: <20240623024555.78697-1-minwoo.im.dev@gmail.com> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer2=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=2607:f8b0:4864:20::630; envelope-from=minwoo.im.dev@gmail.com; helo=mail-pl1-x630.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer2=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer2=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @gmail.com) X-ZM-MESSAGEID: 1719110842412100001 Content-Type: text/plain; charset="utf-8" This patch fixes two points reported in coverity scan report [1]. Check the MMIO access address with (addr + size), not just with the start offset addr to make sure that the requested memory access not to exceed the actual register region. We also updated (uint8_t *) to (uint32_t *) to represent we are accessing the MMIO registers by dword-sized only. [1] https://lore.kernel.org/qemu-devel/CAFEAcA82L-WZnHMW0X+Dr40bHM-EVq2ZH4D= G4pdqop4xxDP2Og@mail.gmail.com/ Cc: Jeuk Kim Reported-by: Peter Maydell Signed-off-by: Minwoo Im Reviewed-by: Jeuk Kim Reviewed-by: Peter Maydell --- hw/ufs/ufs.c | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/hw/ufs/ufs.c b/hw/ufs/ufs.c index 71a88d221ced..bf2ff02ac6e5 100644 --- a/hw/ufs/ufs.c +++ b/hw/ufs/ufs.c @@ -55,17 +55,18 @@ static inline uint64_t ufs_reg_size(UfsHc *u) return ufs_mcq_op_reg_addr(u, 0) + sizeof(u->mcq_op_reg); } =20 -static inline bool ufs_is_mcq_reg(UfsHc *u, uint64_t addr) +static inline bool ufs_is_mcq_reg(UfsHc *u, uint64_t addr, unsigned size) { uint64_t mcq_reg_addr =3D ufs_mcq_reg_addr(u, 0); - return addr >=3D mcq_reg_addr && addr < mcq_reg_addr + sizeof(u->mcq_r= eg); + return (addr >=3D mcq_reg_addr && + addr + size <=3D mcq_reg_addr + sizeof(u->mcq_reg)); } =20 -static inline bool ufs_is_mcq_op_reg(UfsHc *u, uint64_t addr) +static inline bool ufs_is_mcq_op_reg(UfsHc *u, uint64_t addr, unsigned siz= e) { uint64_t mcq_op_reg_addr =3D ufs_mcq_op_reg_addr(u, 0); return (addr >=3D mcq_op_reg_addr && - addr < mcq_op_reg_addr + sizeof(u->mcq_op_reg)); + addr + size <=3D mcq_op_reg_addr + sizeof(u->mcq_op_reg)); } =20 static MemTxResult ufs_addr_read(UfsHc *u, hwaddr addr, void *buf, int siz= e) @@ -774,25 +775,25 @@ static void ufs_write_mcq_op_reg(UfsHc *u, hwaddr off= set, uint32_t data, static uint64_t ufs_mmio_read(void *opaque, hwaddr addr, unsigned size) { UfsHc *u =3D (UfsHc *)opaque; - uint8_t *ptr; + uint32_t *ptr; uint64_t value; uint64_t offset; =20 - if (addr < sizeof(u->reg)) { + if (addr + size <=3D sizeof(u->reg)) { offset =3D addr; - ptr =3D (uint8_t *)&u->reg; - } else if (ufs_is_mcq_reg(u, addr)) { + ptr =3D (uint32_t *)&u->reg; + } else if (ufs_is_mcq_reg(u, addr, size)) { offset =3D addr - ufs_mcq_reg_addr(u, 0); - ptr =3D (uint8_t *)&u->mcq_reg; - } else if (ufs_is_mcq_op_reg(u, addr)) { + ptr =3D (uint32_t *)&u->mcq_reg; + } else if (ufs_is_mcq_op_reg(u, addr, size)) { offset =3D addr - ufs_mcq_op_reg_addr(u, 0); - ptr =3D (uint8_t *)&u->mcq_op_reg; + ptr =3D (uint32_t *)&u->mcq_op_reg; } else { trace_ufs_err_invalid_register_offset(addr); return 0; } =20 - value =3D *(uint32_t *)(ptr + offset); + value =3D ptr[offset >> 2]; trace_ufs_mmio_read(addr, value, size); return value; } @@ -804,11 +805,11 @@ static void ufs_mmio_write(void *opaque, hwaddr addr,= uint64_t data, =20 trace_ufs_mmio_write(addr, data, size); =20 - if (addr < sizeof(u->reg)) { + if (addr + size <=3D sizeof(u->reg)) { ufs_write_reg(u, addr, data, size); - } else if (ufs_is_mcq_reg(u, addr)) { + } else if (ufs_is_mcq_reg(u, addr, size)) { ufs_write_mcq_reg(u, addr - ufs_mcq_reg_addr(u, 0), data, size); - } else if (ufs_is_mcq_op_reg(u, addr)) { + } else if (ufs_is_mcq_op_reg(u, addr, size)) { ufs_write_mcq_op_reg(u, addr - ufs_mcq_op_reg_addr(u, 0), data, si= ze); } else { trace_ufs_err_invalid_register_offset(addr); --=20 2.34.1