Re: [Qemu-devel] [PATCH v2] pci: Common overflow prevention
This might be a bit late comment...
On Fri, Jul 22, 2011 at 11:05:01AM +0200, Jan Kiszka wrote:
diff --git a/hw/pci_host.c b/hw/pci_host.c
index 728e2d4..bfdc321 100644
--- a/hw/pci_host.c
+++ b/hw/pci_host.c
@@ -47,17 +47,33 @@ static inline PCIDevice *pci_dev_find_by_addr(PCIBus
*bus, uint32_t addr)
return pci_find_device(bus, bus_num, devfn);
}
+void pci_config_write_common(PCIDevice *pci_dev, uint32_t addr,
+ uint32_t limit, uint32_t val, uint32_t len)
+{
+assert(len = 4);
+pci_dev-config_write(pci_dev, addr, val, MIN(len, limit - addr));
+}
+
+uint32_t pci_config_read_common(PCIDevice *pci_dev, uint32_t addr,
+uint32_t limit, uint32_t len)
+{
+assert(len = 4);
+return pci_dev-config_read(pci_dev, addr, MIN(len, limit - addr));
+}
+
Since limit and addr is unsigned, MIN(len, limit - addr) = len if limit addr.
So we need explicit if (limit addr) return;.
Here's the patch for pci branch.
From 75c1a2b47c93ad987cd7a37fb62bda9a59f27948 Mon Sep 17 00:00:00 2001
Message-Id:
75c1a2b47c93ad987cd7a37fb62bda9a59f27948.1311837763.git.yamah...@valinux.co.jp
From: Isaku Yamahata yamah...@valinux.co.jp
Date: Thu, 28 Jul 2011 16:20:28 +0900
Subject: [PATCH] pci/host: limit check of pci_host_config_read/write_common
This patch adds boundary check in pci_host_config_read/write_common()
Since limit and addr is unsigned, MIN(len, limit - addr) = len if limit addr.
So we need explicit if (limit = addr) return;
Signed-off-by: Isaku Yamahata yamah...@valinux.co.jp
---
hw/pci_host.c |6 ++
1 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/hw/pci_host.c b/hw/pci_host.c
index 2e8a29f..71fd3a1 100644
--- a/hw/pci_host.c
+++ b/hw/pci_host.c
@@ -51,6 +51,9 @@ void pci_host_config_write_common(PCIDevice *pci_dev,
uint32_t addr,
uint32_t limit, uint32_t val, uint32_t len)
{
assert(len = 4);
+if (limit = addr) {
+return;
+}
pci_dev-config_write(pci_dev, addr, val, MIN(len, limit - addr));
}
@@ -58,6 +61,9 @@ uint32_t pci_host_config_read_common(PCIDevice *pci_dev,
uint32_t addr,
uint32_t limit, uint32_t len)
{
assert(len = 4);
+if (limit = addr) {
+return 0;
+}
return pci_dev-config_read(pci_dev, addr, MIN(len, limit - addr));
}
--
1.7.1.1
--
yamahata
Re: [Qemu-devel] [PATCH v2] pci: Common overflow prevention
On Thu, Jul 28, 2011 at 04:23:24PM +0900, Isaku Yamahata wrote:
This might be a bit late comment...
On Fri, Jul 22, 2011 at 11:05:01AM +0200, Jan Kiszka wrote:
diff --git a/hw/pci_host.c b/hw/pci_host.c
index 728e2d4..bfdc321 100644
--- a/hw/pci_host.c
+++ b/hw/pci_host.c
@@ -47,17 +47,33 @@ static inline PCIDevice *pci_dev_find_by_addr(PCIBus
*bus, uint32_t addr)
return pci_find_device(bus, bus_num, devfn);
}
+void pci_config_write_common(PCIDevice *pci_dev, uint32_t addr,
+ uint32_t limit, uint32_t val, uint32_t len)
+{
+assert(len = 4);
+pci_dev-config_write(pci_dev, addr, val, MIN(len, limit - addr));
+}
+
+uint32_t pci_config_read_common(PCIDevice *pci_dev, uint32_t addr,
+uint32_t limit, uint32_t len)
+{
+assert(len = 4);
+return pci_dev-config_read(pci_dev, addr, MIN(len, limit - addr));
+}
+
Since limit and addr is unsigned, MIN(len, limit - addr) = len if limit
addr.
So we need explicit if (limit addr) return;.
Here's the patch for pci branch.
From 75c1a2b47c93ad987cd7a37fb62bda9a59f27948 Mon Sep 17 00:00:00 2001
Message-Id:
75c1a2b47c93ad987cd7a37fb62bda9a59f27948.1311837763.git.yamah...@valinux.co.jp
From: Isaku Yamahata yamah...@valinux.co.jp
Date: Thu, 28 Jul 2011 16:20:28 +0900
Subject: [PATCH] pci/host: limit check of pci_host_config_read/write_common
This patch adds boundary check in pci_host_config_read/write_common()
Since limit and addr is unsigned, MIN(len, limit - addr) = len if limit
addr.
So we need explicit if (limit = addr) return;
Signed-off-by: Isaku Yamahata yamah...@valinux.co.jp
I don't see a problem with this, but could you please clarify when does
this happen? I think this is only possible for a pci device
behind an express root. If so, this belongs in pcie_host.c
I'd also like this info to be recorded in the commit log.
---
hw/pci_host.c |6 ++
1 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/hw/pci_host.c b/hw/pci_host.c
index 2e8a29f..71fd3a1 100644
--- a/hw/pci_host.c
+++ b/hw/pci_host.c
@@ -51,6 +51,9 @@ void pci_host_config_write_common(PCIDevice *pci_dev,
uint32_t addr,
uint32_t limit, uint32_t val, uint32_t len)
{
assert(len = 4);
+if (limit = addr) {
+return;
+}
pci_dev-config_write(pci_dev, addr, val, MIN(len, limit - addr));
}
@@ -58,6 +61,9 @@ uint32_t pci_host_config_read_common(PCIDevice *pci_dev,
uint32_t addr,
uint32_t limit, uint32_t len)
{
assert(len = 4);
+if (limit = addr) {
+return 0;
+}
return pci_dev-config_read(pci_dev, addr, MIN(len, limit - addr));
}
--
1.7.1.1
--
yamahata
Re: [Qemu-devel] [PATCH v2] pci: Common overflow prevention
On Thu, Jul 28, 2011 at 11:40:21AM +0300, Michael S. Tsirkin wrote:
On Thu, Jul 28, 2011 at 04:23:24PM +0900, Isaku Yamahata wrote:
This might be a bit late comment...
On Fri, Jul 22, 2011 at 11:05:01AM +0200, Jan Kiszka wrote:
diff --git a/hw/pci_host.c b/hw/pci_host.c
index 728e2d4..bfdc321 100644
--- a/hw/pci_host.c
+++ b/hw/pci_host.c
@@ -47,17 +47,33 @@ static inline PCIDevice *pci_dev_find_by_addr(PCIBus
*bus, uint32_t addr)
return pci_find_device(bus, bus_num, devfn);
}
+void pci_config_write_common(PCIDevice *pci_dev, uint32_t addr,
+ uint32_t limit, uint32_t val, uint32_t len)
+{
+assert(len = 4);
+pci_dev-config_write(pci_dev, addr, val, MIN(len, limit - addr));
+}
+
+uint32_t pci_config_read_common(PCIDevice *pci_dev, uint32_t addr,
+uint32_t limit, uint32_t len)
+{
+assert(len = 4);
+return pci_dev-config_read(pci_dev, addr, MIN(len, limit - addr));
+}
+
Since limit and addr is unsigned, MIN(len, limit - addr) = len if limit
addr.
So we need explicit if (limit addr) return;.
Here's the patch for pci branch.
From 75c1a2b47c93ad987cd7a37fb62bda9a59f27948 Mon Sep 17 00:00:00 2001
Message-Id:
75c1a2b47c93ad987cd7a37fb62bda9a59f27948.1311837763.git.yamah...@valinux.co.jp
From: Isaku Yamahata yamah...@valinux.co.jp
Date: Thu, 28 Jul 2011 16:20:28 +0900
Subject: [PATCH] pci/host: limit check of pci_host_config_read/write_common
This patch adds boundary check in pci_host_config_read/write_common()
Since limit and addr is unsigned, MIN(len, limit - addr) = len if limit
addr.
So we need explicit if (limit = addr) return;
Signed-off-by: Isaku Yamahata yamah...@valinux.co.jp
I don't see a problem with this, but could you please clarify when does
this happen? I think this is only possible for a pci device
behind an express root. If so, this belongs in pcie_host.c
Right. I'll move the check into pcie_host.c
--
yamahata
Re: [Qemu-devel] [PATCH v2] pci: Common overflow prevention
On Thu, Jul 28, 2011 at 11:40:21AM +0300, Michael S. Tsirkin wrote:
I don't see a problem with this, but could you please clarify when does
this happen? I think this is only possible for a pci device
behind an express root. If so, this belongs in pcie_host.c
I'd also like this info to be recorded in the commit log.
From 1dd598fd35d4e988dc51487829ed66208ca89021 Mon Sep 17 00:00:00 2001
Message-Id:
1dd598fd35d4e988dc51487829ed66208ca89021.1311901239.git.yamah...@valinux.co.jp
From: Isaku Yamahata yamah...@valinux.co.jp
Date: Fri, 29 Jul 2011 09:52:45 +0900
Subject: [PATCH] pcie_host: limit check of pcie_mmcfg_data_write/read
This patch adds the check where the offset in the configuration space
is in its configuration size.
MMCFG area allows access of pcie configuration space to be in
offset [0, 4K).
At the same time, conventional pci devices whose configuration space size
is 256 bytes can be behind pcie-to-pci bridge.
The access whose offset is [256, 4K) should have no effect
on the conventional pci device
Add the limit check and ignore such accesses.
Signed-off-by: Isaku Yamahata yamah...@valinux.co.jp
---
hw/pcie_host.c | 28 ++--
1 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/hw/pcie_host.c b/hw/pcie_host.c
index f0b3d13..f9fea3d 100644
--- a/hw/pcie_host.c
+++ b/hw/pcie_host.c
@@ -56,23 +56,39 @@ static void pcie_mmcfg_data_write(PCIBus *s,
uint32_t mmcfg_addr, uint32_t val, int len)
{
PCIDevice *pci_dev = pcie_dev_find_by_mmcfg_addr(s, mmcfg_addr);
+uint32_t addr;
+uint32_t limit;
if (!pci_dev) {
return;
}
-pci_host_config_write_common(pci_dev, PCIE_MMCFG_CONFOFFSET(mmcfg_addr),
- pci_config_size(pci_dev), val, len);
+addr = PCIE_MMCFG_CONFOFFSET(mmcfg_addr);
+limit = pci_config_size(pci_dev);
+if (limit = addr) {
+/* conventional pci device can be behind pcie-to-pci bridge.
+ 256 = addr 4K has no effects. */
+return;
+}
+pci_host_config_write_common(pci_dev, addr, limit, val, len);
}
-static uint32_t pcie_mmcfg_data_read(PCIBus *s, uint32_t addr, int len)
+static uint32_t pcie_mmcfg_data_read(PCIBus *s, uint32_t mmcfg_addr, int len)
{
-PCIDevice *pci_dev = pcie_dev_find_by_mmcfg_addr(s, addr);
+PCIDevice *pci_dev = pcie_dev_find_by_mmcfg_addr(s, mmcfg_addr);
+uint32_t addr;
+uint32_t limit;
if (!pci_dev) {
return ~0x0;
}
-return pci_host_config_read_common(pci_dev, PCIE_MMCFG_CONFOFFSET(addr),
- pci_config_size(pci_dev), len);
+addr = PCIE_MMCFG_CONFOFFSET(mmcfg_addr);
+limit = pci_config_size(pci_dev);
+if (limit = addr) {
+/* conventional pci device can be behind pcie-to-pci bridge.
+ 256 = addr 4K has no effects. */
+return ~0x0;
+}
+return pci_host_config_read_common(pci_dev, addr, limit, len);
}
static void pcie_mmcfg_data_writeb(void *opaque,
--
1.7.1.1
--
yamahata
Re: [Qemu-devel] [PATCH v2] pci: Common overflow prevention
On Fri, Jul 29, 2011 at 10:01:43AM +0900, Isaku Yamahata wrote: On Thu, Jul 28, 2011 at 11:40:21AM +0300, Michael S. Tsirkin wrote: I don't see a problem with this, but could you please clarify when does this happen? I think this is only possible for a pci device behind an express root. If so, this belongs in pcie_host.c I'd also like this info to be recorded in the commit log. From 1dd598fd35d4e988dc51487829ed66208ca89021 Mon Sep 17 00:00:00 2001 Message-Id: 1dd598fd35d4e988dc51487829ed66208ca89021.1311901239.git.yamah...@valinux.co.jp From: Isaku Yamahata yamah...@valinux.co.jp Date: Fri, 29 Jul 2011 09:52:45 +0900 Subject: [PATCH] pcie_host: limit check of pcie_mmcfg_data_write/read This patch adds the check where the offset in the configuration space is in its configuration size. MMCFG area allows access of pcie configuration space to be in offset [0, 4K). At the same time, conventional pci devices whose configuration space size is 256 bytes can be behind pcie-to-pci bridge. The access whose offset is [256, 4K) should have no effect on the conventional pci device Add the limit check and ignore such accesses. Signed-off-by: Isaku Yamahata yamah...@valinux.co.jp I tweaked the commit log and applied this. Thanks!
Re: [Qemu-devel] [PATCH v2] pci: Common overflow prevention
On Fri, Jul 22, 2011 at 11:05:01AM +0200, Jan Kiszka wrote:
Introduce pci_config_read/write_common helpers to prevent passing
accesses down the callback chain that go beyond the config space limits.
Adjust length assertions as they are no longer correct (cutting may
generate valid 3 byte accesses).
Signed-off-by: Jan Kiszka jan.kis...@siemens.com
---
hw/pci.c |6 ++
hw/pci_host.c | 24
hw/pci_host.h |6 ++
hw/pcie_host.c | 12 ++--
4 files changed, 34 insertions(+), 14 deletions(-)
diff --git a/hw/pci.c b/hw/pci.c
index b904a4e..ef94739 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -1108,8 +1108,7 @@ uint32_t pci_default_read_config(PCIDevice *d,
uint32_t address, int len)
{
uint32_t val = 0;
-assert(len == 1 || len == 2 || len == 4);
-len = MIN(len, pci_config_size(d) - address);
+
memcpy(val, d-config + address, len);
return le32_to_cpu(val);
}
@@ -1117,9 +1116,8 @@ uint32_t pci_default_read_config(PCIDevice *d,
void pci_default_write_config(PCIDevice *d, uint32_t addr, uint32_t val, int
l)
{
int i, was_irq_disabled = pci_irq_disabled(d);
-uint32_t config_size = pci_config_size(d);
-for (i = 0; i l addr + i config_size; val = 8, ++i) {
+for (i = 0; i l; val = 8, ++i) {
uint8_t wmask = d-wmask[addr + i];
uint8_t w1cmask = d-w1cmask[addr + i];
assert(!(wmask w1cmask));
diff --git a/hw/pci_host.c b/hw/pci_host.c
index 728e2d4..bfdc321 100644
--- a/hw/pci_host.c
+++ b/hw/pci_host.c
@@ -47,17 +47,33 @@ static inline PCIDevice *pci_dev_find_by_addr(PCIBus
*bus, uint32_t addr)
return pci_find_device(bus, bus_num, devfn);
}
+void pci_config_write_common(PCIDevice *pci_dev, uint32_t addr,
+ uint32_t limit, uint32_t val, uint32_t len)
+{
+assert(len = 4);
+pci_dev-config_write(pci_dev, addr, val, MIN(len, limit - addr));
+}
+
+uint32_t pci_config_read_common(PCIDevice *pci_dev, uint32_t addr,
+uint32_t limit, uint32_t len)
+{
+assert(len = 4);
+return pci_dev-config_read(pci_dev, addr, MIN(len, limit - addr));
+}
+
void pci_data_write(PCIBus *s, uint32_t addr, uint32_t val, int len)
{
PCIDevice *pci_dev = pci_dev_find_by_addr(s, addr);
uint32_t config_addr = addr (PCI_CONFIG_SPACE_SIZE - 1);
-if (!pci_dev)
+if (!pci_dev) {
return;
+}
PCI_DPRINTF(%s: %s: addr=%02 PRIx32 val=%08 PRIx32 len=%d\n,
__func__, pci_dev-name, config_addr, val, len);
-pci_dev-config_write(pci_dev, config_addr, val, len);
+pci_config_write_common(pci_dev, config_addr, PCI_CONFIG_SPACE_SIZE, val,
+len);
}
uint32_t pci_data_read(PCIBus *s, uint32_t addr, int len)
@@ -66,12 +82,12 @@ uint32_t pci_data_read(PCIBus *s, uint32_t addr, int len)
uint32_t config_addr = addr (PCI_CONFIG_SPACE_SIZE - 1);
uint32_t val;
-assert(len == 1 || len == 2 || len == 4);
if (!pci_dev) {
return ~0x0;
}
-val = pci_dev-config_read(pci_dev, config_addr, len);
+val = pci_config_read_common(pci_dev, config_addr, PCI_CONFIG_SPACE_SIZE,
+ len);
PCI_DPRINTF(%s: %s: addr=%02PRIx32 val=%08PRIx32 len=%d\n,
__func__, pci_dev-name, config_addr, val, len);
diff --git a/hw/pci_host.h b/hw/pci_host.h
index 0a58595..e95db6c 100644
--- a/hw/pci_host.h
+++ b/hw/pci_host.h
@@ -39,6 +39,12 @@ struct PCIHostState {
PCIBus *bus;
};
+/* common internal helpers for PCI/PCIe hosts, cut off overflows */
+void pci_config_write_common(PCIDevice *pci_dev, uint32_t addr,
+ uint32_t addr_mask, uint32_t val, uint32_t len);
+uint32_t pci_config_read_common(PCIDevice *pci_dev, uint32_t addr,
+uint32_t addr_mask, uint32_t len);
+
OK, except it's config_size, not addr_mask anymore.
I'd also prefer a name like pci_host_config_write_common/
pci_host_config_read_common but it's not a must.
void pci_data_write(PCIBus *s, uint32_t addr, uint32_t val, int len);
uint32_t pci_data_read(PCIBus *s, uint32_t addr, int len);
diff --git a/hw/pcie_host.c b/hw/pcie_host.c
index b749865..699a53a 100644
--- a/hw/pcie_host.c
+++ b/hw/pcie_host.c
@@ -57,22 +57,22 @@ static void pcie_mmcfg_data_write(PCIBus *s,
{
PCIDevice *pci_dev = pcie_dev_find_by_mmcfg_addr(s, mmcfg_addr);
-if (!pci_dev)
+if (!pci_dev) {
return;
-
-pci_dev-config_write(pci_dev,
- PCIE_MMCFG_CONFOFFSET(mmcfg_addr), val, len);
+}
+pci_config_write_common(pci_dev, PCIE_MMCFG_CONFOFFSET(mmcfg_addr),
+pci_config_size(pci_dev), val, len);
}
static uint32_t pcie_mmcfg_data_read(PCIBus *s, uint32_t addr, int
Re: [Qemu-devel] [PATCH v2] pci: Common overflow prevention
Introduce pci_config_read/write_common helpers to prevent passing
accesses down the callback chain that go beyond the config space limits.
Adjust length assertions as they are no longer correct (cutting may
generate valid 3 byte accesses).
Signed-off-by: Jan Kiszka jan.kis...@siemens.com
I renamed to pci_host_config_read/write_common and applied this.
Thanks!
---
hw/pci.c |6 ++
hw/pci_host.c | 24
hw/pci_host.h |6 ++
hw/pcie_host.c | 12 ++--
4 files changed, 34 insertions(+), 14 deletions(-)
diff --git a/hw/pci.c b/hw/pci.c
index b904a4e..ef94739 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -1108,8 +1108,7 @@ uint32_t pci_default_read_config(PCIDevice *d,
uint32_t address, int len)
{
uint32_t val = 0;
-assert(len == 1 || len == 2 || len == 4);
-len = MIN(len, pci_config_size(d) - address);
+
memcpy(val, d-config + address, len);
return le32_to_cpu(val);
}
@@ -1117,9 +1116,8 @@ uint32_t pci_default_read_config(PCIDevice *d,
void pci_default_write_config(PCIDevice *d, uint32_t addr, uint32_t val, int
l)
{
int i, was_irq_disabled = pci_irq_disabled(d);
-uint32_t config_size = pci_config_size(d);
-for (i = 0; i l addr + i config_size; val = 8, ++i) {
+for (i = 0; i l; val = 8, ++i) {
uint8_t wmask = d-wmask[addr + i];
uint8_t w1cmask = d-w1cmask[addr + i];
assert(!(wmask w1cmask));
diff --git a/hw/pci_host.c b/hw/pci_host.c
index 728e2d4..bfdc321 100644
--- a/hw/pci_host.c
+++ b/hw/pci_host.c
@@ -47,17 +47,33 @@ static inline PCIDevice *pci_dev_find_by_addr(PCIBus
*bus, uint32_t addr)
return pci_find_device(bus, bus_num, devfn);
}
+void pci_config_write_common(PCIDevice *pci_dev, uint32_t addr,
+ uint32_t limit, uint32_t val, uint32_t len)
+{
+assert(len = 4);
+pci_dev-config_write(pci_dev, addr, val, MIN(len, limit - addr));
+}
+
+uint32_t pci_config_read_common(PCIDevice *pci_dev, uint32_t addr,
+uint32_t limit, uint32_t len)
+{
+assert(len = 4);
+return pci_dev-config_read(pci_dev, addr, MIN(len, limit - addr));
+}
+
void pci_data_write(PCIBus *s, uint32_t addr, uint32_t val, int len)
{
PCIDevice *pci_dev = pci_dev_find_by_addr(s, addr);
uint32_t config_addr = addr (PCI_CONFIG_SPACE_SIZE - 1);
-if (!pci_dev)
+if (!pci_dev) {
return;
+}
PCI_DPRINTF(%s: %s: addr=%02 PRIx32 val=%08 PRIx32 len=%d\n,
__func__, pci_dev-name, config_addr, val, len);
-pci_dev-config_write(pci_dev, config_addr, val, len);
+pci_config_write_common(pci_dev, config_addr, PCI_CONFIG_SPACE_SIZE, val,
+len);
}
uint32_t pci_data_read(PCIBus *s, uint32_t addr, int len)
@@ -66,12 +82,12 @@ uint32_t pci_data_read(PCIBus *s, uint32_t addr, int len)
uint32_t config_addr = addr (PCI_CONFIG_SPACE_SIZE - 1);
uint32_t val;
-assert(len == 1 || len == 2 || len == 4);
if (!pci_dev) {
return ~0x0;
}
-val = pci_dev-config_read(pci_dev, config_addr, len);
+val = pci_config_read_common(pci_dev, config_addr, PCI_CONFIG_SPACE_SIZE,
+ len);
PCI_DPRINTF(%s: %s: addr=%02PRIx32 val=%08PRIx32 len=%d\n,
__func__, pci_dev-name, config_addr, val, len);
diff --git a/hw/pci_host.h b/hw/pci_host.h
index 0a58595..e95db6c 100644
--- a/hw/pci_host.h
+++ b/hw/pci_host.h
@@ -39,6 +39,12 @@ struct PCIHostState {
PCIBus *bus;
};
+/* common internal helpers for PCI/PCIe hosts, cut off overflows */
+void pci_config_write_common(PCIDevice *pci_dev, uint32_t addr,
+ uint32_t addr_mask, uint32_t val, uint32_t len);
+uint32_t pci_config_read_common(PCIDevice *pci_dev, uint32_t addr,
+uint32_t addr_mask, uint32_t len);
+
void pci_data_write(PCIBus *s, uint32_t addr, uint32_t val, int len);
uint32_t pci_data_read(PCIBus *s, uint32_t addr, int len);
diff --git a/hw/pcie_host.c b/hw/pcie_host.c
index b749865..699a53a 100644
--- a/hw/pcie_host.c
+++ b/hw/pcie_host.c
@@ -57,22 +57,22 @@ static void pcie_mmcfg_data_write(PCIBus *s,
{
PCIDevice *pci_dev = pcie_dev_find_by_mmcfg_addr(s, mmcfg_addr);
-if (!pci_dev)
+if (!pci_dev) {
return;
-
-pci_dev-config_write(pci_dev,
- PCIE_MMCFG_CONFOFFSET(mmcfg_addr), val, len);
+}
+pci_config_write_common(pci_dev, PCIE_MMCFG_CONFOFFSET(mmcfg_addr),
+pci_config_size(pci_dev), val, len);
}
static uint32_t pcie_mmcfg_data_read(PCIBus *s, uint32_t addr, int len)
{
PCIDevice *pci_dev = pcie_dev_find_by_mmcfg_addr(s, addr);
-assert(len == 1 || len == 2 || len == 4);
if (!pci_dev) {
Re: [Qemu-devel] [PATCH v2] pci: Common overflow prevention
On 2011-07-25 17:17, Michael S. Tsirkin wrote: Introduce pci_config_read/write_common helpers to prevent passing accesses down the callback chain that go beyond the config space limits. Adjust length assertions as they are no longer correct (cutting may generate valid 3 byte accesses). Signed-off-by: Jan Kiszka jan.kis...@siemens.com I renamed to pci_host_config_read/write_common and applied this. Thanks! Perfect, thanks for cleaning up! Jan -- Siemens AG, Corporate Technology, CT T DE IT 1 Corporate Competence Center Embedded Linux
[Qemu-devel] [PATCH v2] pci: Common overflow prevention
On 2011-07-22 07:32, Michael S. Tsirkin wrote:
diff --git a/hw/pcie_host.c b/hw/pcie_host.c
index b749865..ed6656b 100644
--- a/hw/pcie_host.c
+++ b/hw/pcie_host.c
@@ -57,22 +57,22 @@ static void pcie_mmcfg_data_write(PCIBus *s,
{
PCIDevice *pci_dev = pcie_dev_find_by_mmcfg_addr(s, mmcfg_addr);
-if (!pci_dev)
+if (!pci_dev) {
return;
-
-pci_dev-config_write(pci_dev,
- PCIE_MMCFG_CONFOFFSET(mmcfg_addr), val, len);
+}
+pci_config_write_common(pci_dev, PCIE_MMCFG_CONFOFFSET(mmcfg_addr),
+PCIE_CONFIG_SPACE_SIZE, val, len);
}
static uint32_t pcie_mmcfg_data_read(PCIBus *s, uint32_t addr, int len)
{
PCIDevice *pci_dev = pcie_dev_find_by_mmcfg_addr(s, addr);
-assert(len == 1 || len == 2 || len == 4);
if (!pci_dev) {
return ~0x0;
}
-return pci_dev-config_read(pci_dev, PCIE_MMCFG_CONFOFFSET(addr), len);
+return pci_config_read_common(pci_dev, PCIE_MMCFG_CONFOFFSET(addr),
+ PCIE_CONFIG_SPACE_SIZE, len);
Doesn't this one need to be pci_config_size(pci_dev)?
We can have pci devices on an express root complex
or behind an express to pci bridge.
Yep, right.
Thanks,
Jan
--8--
Introduce pci_config_read/write_common helpers to prevent passing
accesses down the callback chain that go beyond the config space limits.
Adjust length assertions as they are no longer correct (cutting may
generate valid 3 byte accesses).
Signed-off-by: Jan Kiszka jan.kis...@siemens.com
---
hw/pci.c |6 ++
hw/pci_host.c | 24
hw/pci_host.h |6 ++
hw/pcie_host.c | 12 ++--
4 files changed, 34 insertions(+), 14 deletions(-)
diff --git a/hw/pci.c b/hw/pci.c
index b904a4e..ef94739 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -1108,8 +1108,7 @@ uint32_t pci_default_read_config(PCIDevice *d,
uint32_t address, int len)
{
uint32_t val = 0;
-assert(len == 1 || len == 2 || len == 4);
-len = MIN(len, pci_config_size(d) - address);
+
memcpy(val, d-config + address, len);
return le32_to_cpu(val);
}
@@ -1117,9 +1116,8 @@ uint32_t pci_default_read_config(PCIDevice *d,
void pci_default_write_config(PCIDevice *d, uint32_t addr, uint32_t val, int l)
{
int i, was_irq_disabled = pci_irq_disabled(d);
-uint32_t config_size = pci_config_size(d);
-for (i = 0; i l addr + i config_size; val = 8, ++i) {
+for (i = 0; i l; val = 8, ++i) {
uint8_t wmask = d-wmask[addr + i];
uint8_t w1cmask = d-w1cmask[addr + i];
assert(!(wmask w1cmask));
diff --git a/hw/pci_host.c b/hw/pci_host.c
index 728e2d4..bfdc321 100644
--- a/hw/pci_host.c
+++ b/hw/pci_host.c
@@ -47,17 +47,33 @@ static inline PCIDevice *pci_dev_find_by_addr(PCIBus *bus,
uint32_t addr)
return pci_find_device(bus, bus_num, devfn);
}
+void pci_config_write_common(PCIDevice *pci_dev, uint32_t addr,
+ uint32_t limit, uint32_t val, uint32_t len)
+{
+assert(len = 4);
+pci_dev-config_write(pci_dev, addr, val, MIN(len, limit - addr));
+}
+
+uint32_t pci_config_read_common(PCIDevice *pci_dev, uint32_t addr,
+uint32_t limit, uint32_t len)
+{
+assert(len = 4);
+return pci_dev-config_read(pci_dev, addr, MIN(len, limit - addr));
+}
+
void pci_data_write(PCIBus *s, uint32_t addr, uint32_t val, int len)
{
PCIDevice *pci_dev = pci_dev_find_by_addr(s, addr);
uint32_t config_addr = addr (PCI_CONFIG_SPACE_SIZE - 1);
-if (!pci_dev)
+if (!pci_dev) {
return;
+}
PCI_DPRINTF(%s: %s: addr=%02 PRIx32 val=%08 PRIx32 len=%d\n,
__func__, pci_dev-name, config_addr, val, len);
-pci_dev-config_write(pci_dev, config_addr, val, len);
+pci_config_write_common(pci_dev, config_addr, PCI_CONFIG_SPACE_SIZE, val,
+len);
}
uint32_t pci_data_read(PCIBus *s, uint32_t addr, int len)
@@ -66,12 +82,12 @@ uint32_t pci_data_read(PCIBus *s, uint32_t addr, int len)
uint32_t config_addr = addr (PCI_CONFIG_SPACE_SIZE - 1);
uint32_t val;
-assert(len == 1 || len == 2 || len == 4);
if (!pci_dev) {
return ~0x0;
}
-val = pci_dev-config_read(pci_dev, config_addr, len);
+val = pci_config_read_common(pci_dev, config_addr, PCI_CONFIG_SPACE_SIZE,
+ len);
PCI_DPRINTF(%s: %s: addr=%02PRIx32 val=%08PRIx32 len=%d\n,
__func__, pci_dev-name, config_addr, val, len);
diff --git a/hw/pci_host.h b/hw/pci_host.h
index 0a58595..e95db6c 100644
--- a/hw/pci_host.h
+++ b/hw/pci_host.h
@@ -39,6 +39,12 @@ struct PCIHostState {
PCIBus *bus;
};
+/* common internal helpers for PCI/PCIe hosts, cut off overflows */
+void pci_config_write_common(PCIDevice *pci_dev, uint32_t addr,
+ uint32_t addr_mask, uint32_t
