diff mbox series

[v2,1/1] lib: utils/ipi: buffer overrun aclint_mswi_cold_init

Message ID 20230529092720.20294-1-heinrich.schuchardt@canonical.com
State Accepted
Headers show
Series [v2,1/1] lib: utils/ipi: buffer overrun aclint_mswi_cold_init | expand

Commit Message

Heinrich Schuchardt May 29, 2023, 9:27 a.m. UTC 
The parameter checks in aclint_mswi_cold_init() don't guard against a
buffer overrun.

mswi_hartid2data is defined as an array of SBI_HARTMASK_MAX_BITS entries.
The current check allows

    mswi->hart_count = ACLINT_MSWI_MAX_HARTS
    mswi->first_hartid = SBI_HARTMASK_MAX_BITS - 1.

With these values mswi_hartid2data will be accessed at index

    SBI_HARTMASK_MAX_BITS + SBI_HARTMASK_MAX_BITS - 2.

We have to check the sum of mswi->first_hartid and mswi->hart_count.

Furthermore mswi->hart_count = 0 would not make much sense.

Addresses-Coverity-ID: 1529705 ("Out-of-bounds write")
Fixes: 5a049fe1d6a5 ("lib: utils/ipi: Add ACLINT MSWI library")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
---
v2:
	add missing 'Fixes:'
---
 lib/utils/ipi/aclint_mswi.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Xiang W June 3, 2023, 3:59 p.m. UTC | #1 
在 2023-05-29星期一的 11:27 +0200,Heinrich Schuchardt写道:
> The parameter checks in aclint_mswi_cold_init() don't guard against a
> buffer overrun.
> 
> mswi_hartid2data is defined as an array of SBI_HARTMASK_MAX_BITS entries.
> The current check allows
> 
>     mswi->hart_count = ACLINT_MSWI_MAX_HARTS
>     mswi->first_hartid = SBI_HARTMASK_MAX_BITS - 1.
> 
> With these values mswi_hartid2data will be accessed at index
> 
>     SBI_HARTMASK_MAX_BITS + SBI_HARTMASK_MAX_BITS - 2.
> 
> We have to check the sum of mswi->first_hartid and mswi->hart_count.
> 
> Furthermore mswi->hart_count = 0 would not make much sense.
> 
> Addresses-Coverity-ID: 1529705 ("Out-of-bounds write")
> Fixes: 5a049fe1d6a5 ("lib: utils/ipi: Add ACLINT MSWI library")
> Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
LGTM

Reviewed-by: Xiang W <wxjstz@126.com>
> ---
> v2:
>         add missing 'Fixes:'
> ---
>  lib/utils/ipi/aclint_mswi.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/lib/utils/ipi/aclint_mswi.c b/lib/utils/ipi/aclint_mswi.c
> index 6b004cb..ac8570b 100644
> --- a/lib/utils/ipi/aclint_mswi.c
> +++ b/lib/utils/ipi/aclint_mswi.c
> @@ -75,8 +75,8 @@ int aclint_mswi_cold_init(struct aclint_mswi_data *mswi)
>         /* Sanity checks */
>         if (!mswi || (mswi->addr & (ACLINT_MSWI_ALIGN - 1)) ||
>             (mswi->size < (mswi->hart_count * sizeof(u32))) ||
> -           (mswi->first_hartid >= SBI_HARTMASK_MAX_BITS) ||
> -           (mswi->hart_count > ACLINT_MSWI_MAX_HARTS))
> +           (mswi->first_hartid + mswi->hart_count > SBI_HARTMASK_MAX_BITS) ||
> +           (!mswi->hart_count || mswi->hart_count > ACLINT_MSWI_MAX_HARTS))
>                 return SBI_EINVAL;
>  
>         /* Update MSWI hartid table */
> -- 
> 2.39.2
> 
>
Anup Patel June 4, 2023, 9:44 a.m. UTC | #2 
On Mon, May 29, 2023 at 2:57 PM Heinrich Schuchardt
<heinrich.schuchardt@canonical.com> wrote:
>
> The parameter checks in aclint_mswi_cold_init() don't guard against a
> buffer overrun.
>
> mswi_hartid2data is defined as an array of SBI_HARTMASK_MAX_BITS entries.
> The current check allows
>
>     mswi->hart_count = ACLINT_MSWI_MAX_HARTS
>     mswi->first_hartid = SBI_HARTMASK_MAX_BITS - 1.
>
> With these values mswi_hartid2data will be accessed at index
>
>     SBI_HARTMASK_MAX_BITS + SBI_HARTMASK_MAX_BITS - 2.
>
> We have to check the sum of mswi->first_hartid and mswi->hart_count.
>
> Furthermore mswi->hart_count = 0 would not make much sense.
>
> Addresses-Coverity-ID: 1529705 ("Out-of-bounds write")
> Fixes: 5a049fe1d6a5 ("lib: utils/ipi: Add ACLINT MSWI library")
> Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>

Looks good to me.

Reviewed-by: Anup Patel <anup@brainfault.org>

Applied this patch to the riscv/opensbi repo.

Thanks,
Anup

> ---
> v2:
>         add missing 'Fixes:'
> ---
>  lib/utils/ipi/aclint_mswi.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/lib/utils/ipi/aclint_mswi.c b/lib/utils/ipi/aclint_mswi.c
> index 6b004cb..ac8570b 100644
> --- a/lib/utils/ipi/aclint_mswi.c
> +++ b/lib/utils/ipi/aclint_mswi.c
> @@ -75,8 +75,8 @@ int aclint_mswi_cold_init(struct aclint_mswi_data *mswi)
>         /* Sanity checks */
>         if (!mswi || (mswi->addr & (ACLINT_MSWI_ALIGN - 1)) ||
>             (mswi->size < (mswi->hart_count * sizeof(u32))) ||
> -           (mswi->first_hartid >= SBI_HARTMASK_MAX_BITS) ||
> -           (mswi->hart_count > ACLINT_MSWI_MAX_HARTS))
> +           (mswi->first_hartid + mswi->hart_count > SBI_HARTMASK_MAX_BITS) ||
> +           (!mswi->hart_count || mswi->hart_count > ACLINT_MSWI_MAX_HARTS))
>                 return SBI_EINVAL;
>
>         /* Update MSWI hartid table */
> --
> 2.39.2
>
diff mbox series

Patch

diff --git a/lib/utils/ipi/aclint_mswi.c b/lib/utils/ipi/aclint_mswi.c
index 6b004cb..ac8570b 100644
--- a/lib/utils/ipi/aclint_mswi.c
+++ b/lib/utils/ipi/aclint_mswi.c
@@ -75,8 +75,8 @@  int aclint_mswi_cold_init(struct aclint_mswi_data *mswi)
 	/* Sanity checks */
 	if (!mswi || (mswi->addr & (ACLINT_MSWI_ALIGN - 1)) ||
 	    (mswi->size < (mswi->hart_count * sizeof(u32))) ||
-	    (mswi->first_hartid >= SBI_HARTMASK_MAX_BITS) ||
-	    (mswi->hart_count > ACLINT_MSWI_MAX_HARTS))
+	    (mswi->first_hartid + mswi->hart_count > SBI_HARTMASK_MAX_BITS) ||
+	    (!mswi->hart_count || mswi->hart_count > ACLINT_MSWI_MAX_HARTS))
 		return SBI_EINVAL;
 
 	/* Update MSWI hartid table */