pci: Add checks to prevent config space overflow

Message ID	20220703104806.27192-1-pali@kernel.org
State	Accepted
Commit	d9f554b62440de542c482fecf9374e8da3ea3602
Delegated to:	Tom Rini
Headers	show Return-Path: <u-boot-bounces@lists.denx.de> From: =?utf-8?q?Pali_Roh=C3=A1r?= <pali@kernel.org> To: Stefan Roese <sr@denx.de>, Bin Meng <bmeng.cn@gmail.com>, Simon Glass <sjg@chromium.org> Cc: u-boot@lists.denx.de Subject: [PATCH] pci: Add checks to prevent config space overflow Date: Sun, 3 Jul 2022 12:48:06 +0200 Message-Id: <20220703104806.27192-1-pali@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: list Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
Series	pci: Add checks to prevent config space overflow \| expand pci: Add checks to prevent config space overflow

Message ID

20220703104806.27192-1-pali@kernel.org

State

Accepted

Commit

d9f554b62440de542c482fecf9374e8da3ea3602

Delegated to:

Tom Rini

Headers

show

Return-Path: <u-boot-bounces@lists.denx.de>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: bilbo.ozlabs.org;
	dkim=pass (2048-bit key;
 unprotected) header.d=kernel.org header.i=@kernel.org header.a=rsa-sha256
 header.s=k20201202 header.b=mtAdBcKu;
	dkim-atps=neutral
Authentication-Results: ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de
 (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;
 envelope-from=u-boot-bounces@lists.denx.de; receiver=<UNKNOWN>)
Received: from phobos.denx.de (phobos.denx.de
 [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by bilbo.ozlabs.org (Postfix) with ESMTPS id 4LbQf724jTz9s2R
	for <incoming@patchwork.ozlabs.org>; Sun,  3 Jul 2022 20:48:45 +1000 (AEST)
Received: from h2850616.stratoserver.net (localhost [IPv6:::1])
	by phobos.denx.de (Postfix) with ESMTP id 549F48443D;
	Sun,  3 Jul 2022 12:48:33 +0200 (CEST)
Authentication-Results: phobos.denx.de;
 dmarc=pass (p=none dis=none) header.from=kernel.org
Authentication-Results: phobos.denx.de;
 spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de
Authentication-Results: phobos.denx.de;
	dkim=pass (2048-bit key;
 unprotected) header.d=kernel.org header.i=@kernel.org header.b="mtAdBcKu";
	dkim-atps=neutral
Received: by phobos.denx.de (Postfix, from userid 109)
 id AB12C8428F; Sun,  3 Jul 2022 12:48:31 +0200 (CEST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de
X-Spam-Level: 
X-Spam-Status: No, score=-2.5 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
 DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,
 SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no
 version=3.4.2
Received: from ams.source.kernel.org (ams.source.kernel.org
 [IPv6:2604:1380:4601:e00::1])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by phobos.denx.de (Postfix) with ESMTPS id 2DB0F8443D
 for <u-boot@lists.denx.de>; Sun,  3 Jul 2022 12:48:28 +0200 (CEST)
Authentication-Results: phobos.denx.de;
 dmarc=pass (p=none dis=none) header.from=kernel.org
Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=pali@kernel.org
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ams.source.kernel.org (Postfix) with ESMTPS id A445EB80092;
 Sun,  3 Jul 2022 10:48:27 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4E1D8C341C6;
 Sun,  3 Jul 2022 10:48:26 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
 s=k20201202; t=1656845306;
 bh=xgnWDfNZ5AsgNRYeNtbz9/Gzoy/BHWpJuPuhUJ22OWw=;
 h=From:To:Cc:Subject:Date:From;
 b=mtAdBcKu+SSCew43UKf6CfqnukpmlmTBHIG83sBU1w03m7xgYLVmqwtO/7UVbE2/G
 IRDTcllYUvxcpskQwELUreJmu8p/wCun3Q9N5J5X+dGHPLhm0UUDMpsScPlX4n9WyW
 yLBV0na+rf0+6dLaDKjo44jAZGvMr7ki6m9AUGFLDls0/964s4uXcHd098qAVxQK6e
 EEHHLCXDrxghYUze6wTmIqtc2vfGcikt1xZMiEMDrulvjA3GO7JBK8thssJoA1z/Yn
 D3hzWstB7ywI/OFzJJuLj2W41zSK9QbNdFyWm1OPY9xv6wqc3/EUJ+bEXc2Snthf4l
 zS/cveMxfdgbA==
Received: by pali.im (Postfix)
 id C054411B0; Sun,  3 Jul 2022 12:48:23 +0200 (CEST)
From: =?utf-8?q?Pali_Roh=C3=A1r?= <pali@kernel.org>
To: Stefan Roese <sr@denx.de>, Bin Meng <bmeng.cn@gmail.com>,
 Simon Glass <sjg@chromium.org>
Cc: u-boot@lists.denx.de
Subject: [PATCH] pci: Add checks to prevent config space overflow
Date: Sun,  3 Jul 2022 12:48:06 +0200
Message-Id: <20220703104806.27192-1-pali@kernel.org>
X-Mailer: git-send-email 2.20.1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <https://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=subscribe>
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
X-Virus-Scanned: clamav-milter 0.103.6 at phobos.denx.de
X-Virus-Status: Clean

Series

pci: Add checks to prevent config space overflow | expand

Commit Message

Pali Rohár July 3, 2022, 10:48 a.m. UTC

PCIe config space has address range 0-4095. So do not allow reading from
addresses outside of this range. Lot of U-Boot drivers do not expect that
passed value is not in this range. PCI DM read function is exetended to
fill read value to all ones or zeros when it fails as U-Boot callers
ignores return value.

Calling U-Boot command 'pci display.b 0.0.0 0 0x2000' now stops printing
config space at the end (before 0x1000 address).

Signed-off-by: Pali Rohár <pali@kernel.org>
---
 cmd/pci.c                | 16 ++++++++++++++--
 drivers/pci/pci-uclass.c | 10 +++++++++-
 2 files changed, 23 insertions(+), 3 deletions(-)

Comments

Stefan Roese July 4, 2022, 6 a.m. UTC | #1

On 03.07.22 12:48, Pali Rohár wrote:
> PCIe config space has address range 0-4095. So do not allow reading from
> addresses outside of this range. Lot of U-Boot drivers do not expect that
> passed value is not in this range. PCI DM read function is exetended to

s/exetended/extended

> fill read value to all ones or zeros when it fails as U-Boot callers
> ignores return value.
> 
> Calling U-Boot command 'pci display.b 0.0.0 0 0x2000' now stops printing
> config space at the end (before 0x1000 address).
> 
> Signed-off-by: Pali Rohár <pali@kernel.org>
> ---
>   cmd/pci.c                | 16 ++++++++++++++--
>   drivers/pci/pci-uclass.c | 10 +++++++++-
>   2 files changed, 23 insertions(+), 3 deletions(-)
> 
> diff --git a/cmd/pci.c b/cmd/pci.c
> index a99e8f8ad6e0..6258699fec81 100644
> --- a/cmd/pci.c
> +++ b/cmd/pci.c
> @@ -358,6 +358,9 @@ static int pci_cfg_display(struct udevice *dev, ulong addr,
>   	if (length == 0)
>   		length = 0x40 / byte_size; /* Standard PCI config space */
>   
> +	if (addr >= 4096)
> +		return 1;
> +
>   	/* Print the lines.
>   	 * once, and all accesses are with the specified bus width.
>   	 */
> @@ -378,7 +381,10 @@ static int pci_cfg_display(struct udevice *dev, ulong addr,
>   			rc = 1;
>   			break;
>   		}
> -	} while (nbytes > 0);
> +	} while (nbytes > 0 && addr < 4096);
> +
> +	if (rc == 0 && nbytes > 0)
> +		return 1;
>   
>   	return (rc);
>   }
> @@ -390,6 +396,9 @@ static int pci_cfg_modify(struct udevice *dev, ulong addr, ulong size,
>   	int	nbytes;
>   	ulong val;
>   
> +	if (addr >= 4096)
> +		return 1;
> +
>   	/* Print the address, followed by value.  Then accept input for
>   	 * the next value.  A non-converted value exits.
>   	 */
> @@ -427,7 +436,10 @@ static int pci_cfg_modify(struct udevice *dev, ulong addr, ulong size,
>   					addr += size;
>   			}
>   		}
> -	} while (nbytes);
> +	} while (nbytes && addr < 4096);
> +
> +	if (nbytes)
> +		return 1;
>   
>   	return 0;
>   }
> diff --git a/drivers/pci/pci-uclass.c b/drivers/pci/pci-uclass.c
> index 89245a271e16..7402079471c8 100644
> --- a/drivers/pci/pci-uclass.c
> +++ b/drivers/pci/pci-uclass.c
> @@ -288,6 +288,8 @@ int pci_bus_write_config(struct udevice *bus, pci_dev_t bdf, int offset,
>   	ops = pci_get_ops(bus);
>   	if (!ops->write_config)
>   		return -ENOSYS;
> +	if (offset < 0 || offset >= 4096)
> +		return -EINVAL;
>   	return ops->write_config(bus, bdf, offset, value, size);
>   }
>   
> @@ -366,8 +368,14 @@ int pci_bus_read_config(const struct udevice *bus, pci_dev_t bdf, int offset,
>   	struct dm_pci_ops *ops;
>   
>   	ops = pci_get_ops(bus);
> -	if (!ops->read_config)
> +	if (!ops->read_config) {
> +		*valuep = pci_conv_32_to_size(~0, offset, size);
>   		return -ENOSYS;
> +	}
> +	if (offset < 0 || offset >= 4096) {
> +		*valuep = pci_conv_32_to_size(0, offset, size);
> +		return -EINVAL;
> +	}

How about introducing a macro for this 4096 max value instead?

Other than this:

Reviewed-by: Stefan Roese <sr@denx.de>

Thanks,
Stefan

Pali Rohár Aug. 17, 2022, 9:09 p.m. UTC | #2

On Monday 04 July 2022 08:00:23 Stefan Roese wrote:
> On 03.07.22 12:48, Pali Rohár wrote:
> > PCIe config space has address range 0-4095. So do not allow reading from
> > addresses outside of this range. Lot of U-Boot drivers do not expect that
> > passed value is not in this range. PCI DM read function is exetended to
> 
> s/exetended/extended

Should I send a new patch version?

> > fill read value to all ones or zeros when it fails as U-Boot callers
> > ignores return value.
> > 
> > Calling U-Boot command 'pci display.b 0.0.0 0 0x2000' now stops printing
> > config space at the end (before 0x1000 address).
> > 
> > Signed-off-by: Pali Rohár <pali@kernel.org>
> > ---
> >   cmd/pci.c                | 16 ++++++++++++++--
> >   drivers/pci/pci-uclass.c | 10 +++++++++-
> >   2 files changed, 23 insertions(+), 3 deletions(-)
> > 
> > diff --git a/cmd/pci.c b/cmd/pci.c
> > index a99e8f8ad6e0..6258699fec81 100644
> > --- a/cmd/pci.c
> > +++ b/cmd/pci.c
> > @@ -358,6 +358,9 @@ static int pci_cfg_display(struct udevice *dev, ulong addr,
> >   	if (length == 0)
> >   		length = 0x40 / byte_size; /* Standard PCI config space */
> > +	if (addr >= 4096)
> > +		return 1;
> > +
> >   	/* Print the lines.
> >   	 * once, and all accesses are with the specified bus width.
> >   	 */
> > @@ -378,7 +381,10 @@ static int pci_cfg_display(struct udevice *dev, ulong addr,
> >   			rc = 1;
> >   			break;
> >   		}
> > -	} while (nbytes > 0);
> > +	} while (nbytes > 0 && addr < 4096);
> > +
> > +	if (rc == 0 && nbytes > 0)
> > +		return 1;
> >   	return (rc);
> >   }
> > @@ -390,6 +396,9 @@ static int pci_cfg_modify(struct udevice *dev, ulong addr, ulong size,
> >   	int	nbytes;
> >   	ulong val;
> > +	if (addr >= 4096)
> > +		return 1;
> > +
> >   	/* Print the address, followed by value.  Then accept input for
> >   	 * the next value.  A non-converted value exits.
> >   	 */
> > @@ -427,7 +436,10 @@ static int pci_cfg_modify(struct udevice *dev, ulong addr, ulong size,
> >   					addr += size;
> >   			}
> >   		}
> > -	} while (nbytes);
> > +	} while (nbytes && addr < 4096);
> > +
> > +	if (nbytes)
> > +		return 1;
> >   	return 0;
> >   }
> > diff --git a/drivers/pci/pci-uclass.c b/drivers/pci/pci-uclass.c
> > index 89245a271e16..7402079471c8 100644
> > --- a/drivers/pci/pci-uclass.c
> > +++ b/drivers/pci/pci-uclass.c
> > @@ -288,6 +288,8 @@ int pci_bus_write_config(struct udevice *bus, pci_dev_t bdf, int offset,
> >   	ops = pci_get_ops(bus);
> >   	if (!ops->write_config)
> >   		return -ENOSYS;
> > +	if (offset < 0 || offset >= 4096)
> > +		return -EINVAL;
> >   	return ops->write_config(bus, bdf, offset, value, size);
> >   }
> > @@ -366,8 +368,14 @@ int pci_bus_read_config(const struct udevice *bus, pci_dev_t bdf, int offset,
> >   	struct dm_pci_ops *ops;
> >   	ops = pci_get_ops(bus);
> > -	if (!ops->read_config)
> > +	if (!ops->read_config) {
> > +		*valuep = pci_conv_32_to_size(~0, offset, size);
> >   		return -ENOSYS;
> > +	}
> > +	if (offset < 0 || offset >= 4096) {
> > +		*valuep = pci_conv_32_to_size(0, offset, size);
> > +		return -EINVAL;
> > +	}
> 
> How about introducing a macro for this 4096 max value instead?
> 
> Other than this:
> 
> Reviewed-by: Stefan Roese <sr@denx.de>
> 
> Thanks,
> Stefan

Tom Rini Aug. 27, 2022, 12:06 p.m. UTC | #3

On Sun, Jul 03, 2022 at 12:48:06PM +0200, Pali Rohár wrote:

> PCIe config space has address range 0-4095. So do not allow reading from
> addresses outside of this range. Lot of U-Boot drivers do not expect that
> passed value is not in this range. PCI DM read function is extended to
> fill read value to all ones or zeros when it fails as U-Boot callers
> ignores return value.
> 
> Calling U-Boot command 'pci display.b 0.0.0 0 0x2000' now stops printing
> config space at the end (before 0x1000 address).
> 
> Signed-off-by: Pali Rohár <pali@kernel.org>
> Reviewed-by: Stefan Roese <sr@denx.de>

Applied to u-boot/master, thanks!

diff --git a/cmd/pci.c b/cmd/pci.c
index a99e8f8ad6e0..6258699fec81 100644
--- a/cmd/pci.c
+++ b/cmd/pci.c
@@ -358,6 +358,9 @@  static int pci_cfg_display(struct udevice *dev, ulong addr,
 	if (length == 0)
 		length = 0x40 / byte_size; /* Standard PCI config space */
 
+	if (addr >= 4096)
+		return 1;
+
 	/* Print the lines.
 	 * once, and all accesses are with the specified bus width.
 	 */
@@ -378,7 +381,10 @@  static int pci_cfg_display(struct udevice *dev, ulong addr,
 			rc = 1;
 			break;
 		}
-	} while (nbytes > 0);
+	} while (nbytes > 0 && addr < 4096);
+
+	if (rc == 0 && nbytes > 0)
+		return 1;
 
 	return (rc);
 }
@@ -390,6 +396,9 @@  static int pci_cfg_modify(struct udevice *dev, ulong addr, ulong size,
 	int	nbytes;
 	ulong val;
 
+	if (addr >= 4096)
+		return 1;
+
 	/* Print the address, followed by value.  Then accept input for
 	 * the next value.  A non-converted value exits.
 	 */
@@ -427,7 +436,10 @@  static int pci_cfg_modify(struct udevice *dev, ulong addr, ulong size,
 					addr += size;
 			}
 		}
-	} while (nbytes);
+	} while (nbytes && addr < 4096);
+
+	if (nbytes)
+		return 1;
 
 	return 0;
 }
diff --git a/drivers/pci/pci-uclass.c b/drivers/pci/pci-uclass.c
index 89245a271e16..7402079471c8 100644
--- a/drivers/pci/pci-uclass.c
+++ b/drivers/pci/pci-uclass.c
@@ -288,6 +288,8 @@  int pci_bus_write_config(struct udevice *bus, pci_dev_t bdf, int offset,
 	ops = pci_get_ops(bus);
 	if (!ops->write_config)
 		return -ENOSYS;
+	if (offset < 0 || offset >= 4096)
+		return -EINVAL;
 	return ops->write_config(bus, bdf, offset, value, size);
 }
 
@@ -366,8 +368,14 @@  int pci_bus_read_config(const struct udevice *bus, pci_dev_t bdf, int offset,
 	struct dm_pci_ops *ops;
 
 	ops = pci_get_ops(bus);
-	if (!ops->read_config)
+	if (!ops->read_config) {
+		*valuep = pci_conv_32_to_size(~0, offset, size);
 		return -ENOSYS;
+	}
+	if (offset < 0 || offset >= 4096) {
+		*valuep = pci_conv_32_to_size(0, offset, size);
+		return -EINVAL;
+	}
 	return ops->read_config(bus, bdf, offset, valuep, size);
 }

pci: Add checks to prevent config space overflow

Commit Message

Comments

Patch