random-mirrors/smaeul-u-boot
1
0
Fork 0
mirror of https://github.com/smaeul/u-boot.git synced 2025-10-14 12:56:00 +01:00
Code Issues Packages Projects Releases Wiki Activity

virtio: pci: Check virtio common config size

Browse Source 
Check that the common config is at least as large as the struct it is
expected to contain. Only then is it safe to cast the pointer and be
safe from out-of-bounds accesses.

Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
This commit is contained in:
Andrew Scull 2022-04-21 16:11:03 +00:00 committed by Tom Rini
parent c690f64f4c
commit f2c1ef1b6d
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
drivers/virtio/virtio_pci_modern.c
View File

@ -480,6 +480,7 @@ static int virtio_pci_probe(struct udevice *udev)
u16 subvendor; u16 subvendor;
u8 revision; u8 revision;
int common, notify, device; int common, notify, device;
u32 common_length;
int offset; int offset;
/* We only own devices >= 0x1040 and <= 0x107f: leave the rest. */ /* We only own devices >= 0x1040 and <= 0x107f: leave the rest. */
@ -501,6 +502,13 @@ static int virtio_pci_probe(struct udevice *udev)
return -ENODEV; return -ENODEV;
} }
offset = common + offsetof(struct virtio_pci_cap, length);
dm_pci_read_config32(udev, offset, &common_length);
if (common_length < sizeof(struct virtio_pci_common_cfg)) {
printf("(%s): virtio common config too small\n", udev->name);
return -EINVAL;
}
/* If common is there, notify should be too */ /* If common is there, notify should be too */
notify = virtio_pci_find_capability(udev, VIRTIO_PCI_CAP_NOTIFY_CFG); notify = virtio_pci_find_capability(udev, VIRTIO_PCI_CAP_NOTIFY_CFG);
if (!notify) { if (!notify) {