Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

devicemodel: hw: pci: gvt: Fix out of bounds error #8118

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

devicemodel: hw: pci: gvt: Fix out of bounds error #8118

wants to merge 1 commit into from

Conversation

ghost
Copy link

@ghost ghost commented Sep 7, 2022 

hw/pci/gvt.c:263:41: error: array subscript 257 is above array bounds of ‘uint8_t[256]’ {aka ‘unsigned char[256]’} [-Werror=array-bounds]
  263 |                         gvt->host_config[cap_ptr + 4]);
      |                         ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~
hw/pci/gvt.c:48:17: note: while referencing ‘host_config’
   48 |         uint8_t host_config[PCI_REGMAX+1];
      |                 ^~~~~~~~~~~

With the additional condition cap_ptr < PCI_REGMAX - 16 it is ensured that we never read config data from places we shouldn't read from.

12 (offset) + 4 (pci_set_cfgdata32) = 16

I would consider this a workaround that gets the job done for now. However with this approach we can miss the last capabilities in some edge cases.

Tracked-On: #8116

Signed-off-by: Marius Rodi [email protected]

@mariusrodi
devicemodel: hw: pci: gvt: Fix out of bounds error
2f595f0 
hw/pci/gvt.c:263:41: error: array subscript 257 is above array bounds of ‘uint8_t[256]’ {aka ‘unsigned char[256]’} [-Werror=array-bounds]
  263 |                         gvt->host_config[cap_ptr + 4]);
      |                         ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~
hw/pci/gvt.c:48:17: note: while referencing ‘host_config’
   48 |         uint8_t host_config[PCI_REGMAX+1];
      |                 ^~~~~~~~~~~

With the additional condition cap_ptr < PCI_REGMAX - 16 it is ensured
that we never read config data from places we shouldn't read from.

12 (offset) + 4 (pci_set_cfgdata32) = 16

I would consider this a workaround that gets the job done for
now. However with this approach we can miss the last capabilities in
some edge cases.

Tracked-On: projectacrn#8116

Signed-off-by: Marius Rodi <[email protected]>
@ghost ghost requested a review from ywan170 as a code owner September 7, 2022 07:25
@acrnsi-robot
Copy link
Contributor

Can one of the admins verify this patch?

@ghost
Copy link
Author

ghost commented Sep 7, 2022

As stated, this fix is more of a workaround. I don't have the time to do this the right way currently. Maybe someone else can have a deeper look into this?

@acrnsi-robot
Copy link
Contributor

start to run premerge test

@szhen11
Copy link
Contributor

szhen11 commented Sep 22, 2022

@ywan170 could you please review this PR?

ywan170
ywan170 reviewed Sep 22, 2022
View reviewed changes
devicemodel/hw/pci/gvt.c

12 (offset) + 4 (pci_set_cfgdata32) = 16
*/
while (cap_ptr != 0 && cap_ptr < PCI_REGMAX - 16) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we change the pci_set_cfgdata32 to pci_set_cfgdata8. And if the cap_ptr != 0 but exceeds the "PCI_REGMAX - 16" then print some warning logs as some capabilities are lost.

@yakuizhao to comment

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
CI: code conflict
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@acrnsi-robot @szhen11 @ywan170 @wenlingz @mariusrodi