[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PULL 4/8] hw/rdma: Fix possible out of bounds access to GI
From: |
Marcel Apfelbaum |
Subject: |
[Qemu-devel] [PULL 4/8] hw/rdma: Fix possible out of bounds access to GID table |
Date: |
Thu, 3 May 2018 21:21:21 +0300 |
From: Yuval Shaia <address@hidden>
Array size is MAX_PORT_GIDS, let's make sure the given index is in
range.
While there limit device table size to 1.
Reported-by: Peter Maydell <address@hidden>
Signed-off-by: Yuval Shaia <address@hidden>
Reviewed-by: Marcel Apfelbaum <address@hidden>
Message-Id: <address@hidden>
---
hw/rdma/rdma_rm_defs.h | 2 +-
hw/rdma/vmw/pvrdma_cmd.c | 8 ++++++--
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/hw/rdma/rdma_rm_defs.h b/hw/rdma/rdma_rm_defs.h
index 45503f14e0..4d22a20e4c 100644
--- a/hw/rdma/rdma_rm_defs.h
+++ b/hw/rdma/rdma_rm_defs.h
@@ -20,9 +20,9 @@
#define MAX_PORTS 1
#define MAX_PORT_GIDS 1
+#define MAX_GIDS MAX_PORT_GIDS
#define MAX_PORT_PKEYS 1
#define MAX_PKEYS MAX_PORT_PKEYS
-#define MAX_GIDS 2048
#define MAX_UCS 512
#define MAX_MR_SIZE (1UL << 27)
#define MAX_QP 1024
diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
index f9dd78cb27..14255d609f 100644
--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
@@ -576,7 +576,7 @@ static int create_bind(PVRDMADev *dev, union pvrdma_cmd_req
*req,
pr_dbg("index=%d\n", cmd->index);
- if (cmd->index > MAX_PORT_GIDS) {
+ if (cmd->index >= MAX_PORT_GIDS) {
return -EINVAL;
}
@@ -603,7 +603,11 @@ static int destroy_bind(PVRDMADev *dev, union
pvrdma_cmd_req *req,
{
struct pvrdma_cmd_destroy_bind *cmd = &req->destroy_bind;
- pr_dbg("clear index %d\n", cmd->index);
+ pr_dbg("index=%d\n", cmd->index);
+
+ if (cmd->index >= MAX_PORT_GIDS) {
+ return -EINVAL;
+ }
memset(dev->rdma_dev_res.ports[0].gid_tbl[cmd->index].raw, 0,
sizeof(dev->rdma_dev_res.ports[0].gid_tbl[cmd->index].raw));
--
2.14.3
- [Qemu-devel] [PULL 0/8] RDMA queue, Marcel Apfelbaum, 2018/05/03
- [Qemu-devel] [PULL 3/8] hw/rdma: Delete port's pkey table, Marcel Apfelbaum, 2018/05/03
- [Qemu-devel] [PULL 1/8] hw/rdma: Fix possible munmap call on a NULL pointer, Marcel Apfelbaum, 2018/05/03
- [Qemu-devel] [PULL 2/8] hw/rdma: Fix possible usage of a NULL pointer, Marcel Apfelbaum, 2018/05/03
- [Qemu-devel] [PULL 4/8] hw/rdma: Fix possible out of bounds access to GID table,
Marcel Apfelbaum <=
- [Qemu-devel] [PULL 5/8] hw/rdma: Fix possible out of bounds access to regs array, Marcel Apfelbaum, 2018/05/03
- [Qemu-devel] [PULL 6/8] hw/rdma: Delete duplicate definition of MAX_RM_TBL_NAME, Marcel Apfelbaum, 2018/05/03
- [Qemu-devel] [PULL 8/8] MAINTAINERS: update Marcel Apfelbaum email, Marcel Apfelbaum, 2018/05/03
- [Qemu-devel] [PULL 7/8] hw/rdma: Fix possible out of bounds access to port GID index, Marcel Apfelbaum, 2018/05/03
- Re: [Qemu-devel] [PULL 0/8] RDMA queue, Peter Maydell, 2018/05/04