[PATCH-for-7.1] hw/tpm/tpm_tis: Avoid eventual read overrun

Message ID	20220330235723.68033-1-philippe.mathieu.daude@gmail.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org> From: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <philippe.mathieu.daude@gmail.com> To: qemu-devel@nongnu.org Subject: [PATCH-for-7.1] hw/tpm/tpm_tis: Avoid eventual read overrun Date: Thu, 31 Mar 2022 01:57:23 +0200 Message-Id: <20220330235723.68033-1-philippe.mathieu.daude@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=2a00:1450:4864:20::330; envelope-from=philippe.mathieu.daude@gmail.com; helo=mail-wm1-x330.google.com X-Spam_score_int: 23 X-Spam_score: 2.3 X-Spam_bar: ++ X-Spam_report: (2.3 / 5.0 requ) AC_FROM_MANY_DOTS=2.996, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, PDS_HP_HELO_NORDNS=0.659, RCVD_IN_DNSWL_NONE=-0.0001, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=no autolearn_force=no X-Spam_action: no action Precedence: list Cc: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <f4bug@amsat.org>, Stefan Berger <stefanb@linux.vnet.ibm.com> Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" <qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org>
Series	[PATCH-for-7.1] hw/tpm/tpm_tis: Avoid eventual read overrun \| expand [PATCH-for-7.1] hw/tpm/tpm_tis: Avoid eventual read overrun

Message ID

20220330235723.68033-1-philippe.mathieu.daude@gmail.com (mailing list archive)

State

New, archived

Headers

From: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?=
 <philippe.mathieu.daude@gmail.com>
To: qemu-devel@nongnu.org
Subject: [PATCH-for-7.1] hw/tpm/tpm_tis: Avoid eventual read overrun
Date: Thu, 31 Mar 2022 01:57:23 +0200
Message-Id: <20220330235723.68033-1-philippe.mathieu.daude@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=2a00:1450:4864:20::330;
 envelope-from=philippe.mathieu.daude@gmail.com; helo=mail-wm1-x330.google.com
X-Spam_score_int: 23
X-Spam_score: 2.3
X-Spam_bar: ++
X-Spam_report: (2.3 / 5.0 requ) AC_FROM_MANY_DOTS=2.996, BAYES_00=-1.9,
 DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 FREEMAIL_FROM=0.001, PDS_HP_HELO_NORDNS=0.659, RCVD_IN_DNSWL_NONE=-0.0001,
 RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
 T_SCC_BODY_TEXT_LINE=-0.01 autolearn=no autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Cc: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <f4bug@amsat.org>,
 Stefan Berger <stefanb@linux.vnet.ibm.com>
Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org
Sender: "Qemu-devel"
 <qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org>

Series

[PATCH-for-7.1] hw/tpm/tpm_tis: Avoid eventual read overrun | expand

Commit Message

Philippe Mathieu-Daudé March 30, 2022, 11:57 p.m. UTC

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

The TPMState structure hold an array of TPM_TIS_NUM_LOCALITIES
TPMLocality loc[], having TPM_TIS_NUM_LOCALITIES defined as '5'.

tpm_tis_locality_from_addr() returns up to 3 bits, so 7.

While unlikely, Coverity is right to report an overrun. Assert
we are in range to fix:

  *** CID 1487240:  Memory - illegal accesses  (OVERRUN)
  hw/tpm/tpm_tis_common.c: 298 in tpm_tis_dump_state()
  294         int idx;
  295         uint8_t locty = tpm_tis_locality_from_addr(addr);
  296         hwaddr base = addr & ~0xfff;
  297
  >>>     CID 1487240:  Memory - illegal accesses  (OVERRUN)
  >>>     Overrunning array "s->loc" of 5 24-byte elements at element index 7 (byte offset 191) using index "locty" (which evaluates to 7).
  298         printf("tpm_tis: active locality      : %d\n"
  299                "tpm_tis: state of locality %d : %d\n"
  300                "tpm_tis: register dump:\n",
  301                s->active_locty,
  302                locty, s->loc[locty].state);

Fixes: Coverity CID 1487240
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
 hw/tpm/tpm_tis_common.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Marc-André Lureau March 31, 2022, 7:50 a.m. UTC | #1

Hi

On Thu, Mar 31, 2022 at 4:02 AM Philippe Mathieu-Daudé <
philippe.mathieu.daude@gmail.com> wrote:

> From: Philippe Mathieu-Daudé <f4bug@amsat.org>
>
> The TPMState structure hold an array of TPM_TIS_NUM_LOCALITIES
> TPMLocality loc[], having TPM_TIS_NUM_LOCALITIES defined as '5'.
>
> tpm_tis_locality_from_addr() returns up to 3 bits, so 7.
>
> While unlikely, Coverity is right to report an overrun. Assert
> we are in range to fix:
>
>   *** CID 1487240:  Memory - illegal accesses  (OVERRUN)
>   hw/tpm/tpm_tis_common.c: 298 in tpm_tis_dump_state()
>   294         int idx;
>   295         uint8_t locty = tpm_tis_locality_from_addr(addr);
>   296         hwaddr base = addr & ~0xfff;
>   297
>   >>>     CID 1487240:  Memory - illegal accesses  (OVERRUN)
>   >>>     Overrunning array "s->loc" of 5 24-byte elements at element
> index 7 (byte offset 191) using index "locty" (which evaluates to 7).
>   298         printf("tpm_tis: active locality      : %d\n"
>   299                "tpm_tis: state of locality %d : %d\n"
>   300                "tpm_tis: register dump:\n",
>   301                s->active_locty,
>   302                locty, s->loc[locty].state);
>
> Fixes: Coverity CID 1487240
> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
>

Maybe that assert should be in tpm_tis_locality_from_addr(), as various
callers could produce the same report.


---
>  hw/tpm/tpm_tis_common.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/hw/tpm/tpm_tis_common.c b/hw/tpm/tpm_tis_common.c
> index e700d82181..5b1055033e 100644
> --- a/hw/tpm/tpm_tis_common.c
> +++ b/hw/tpm/tpm_tis_common.c
> @@ -295,6 +295,7 @@ static void tpm_tis_dump_state(TPMState *s, hwaddr
> addr)
>      uint8_t locty = tpm_tis_locality_from_addr(addr);
>      hwaddr base = addr & ~0xfff;
>
> +    assert(TPM_TIS_IS_VALID_LOCTY(locty));
>      printf("tpm_tis: active locality      : %d\n"
>             "tpm_tis: state of locality %d : %d\n"
>             "tpm_tis: register dump:\n",
> --
> 2.35.1
>
>
>

Philippe Mathieu-Daudé March 31, 2022, 10:42 a.m. UTC | #2

On 31/3/22 09:50, Marc-André Lureau wrote:
> Hi
> 
> On Thu, Mar 31, 2022 at 4:02 AM Philippe Mathieu-Daudé 
> <philippe.mathieu.daude@gmail.com 
> <mailto:philippe.mathieu.daude@gmail.com>> wrote:
> 
>     From: Philippe Mathieu-Daudé <f4bug@amsat.org <mailto:f4bug@amsat.org>>
> 
>     The TPMState structure hold an array of TPM_TIS_NUM_LOCALITIES
>     TPMLocality loc[], having TPM_TIS_NUM_LOCALITIES defined as '5'.
> 
>     tpm_tis_locality_from_addr() returns up to 3 bits, so 7.
> 
>     While unlikely, Coverity is right to report an overrun. Assert
>     we are in range to fix:
> 
>        *** CID 1487240:  Memory - illegal accesses  (OVERRUN)
>        hw/tpm/tpm_tis_common.c: 298 in tpm_tis_dump_state()
>        294         int idx;
>        295         uint8_t locty = tpm_tis_locality_from_addr(addr);
>        296         hwaddr base = addr & ~0xfff;
>        297
>        >>>     CID 1487240:  Memory - illegal accesses  (OVERRUN)
>        >>>     Overrunning array "s->loc" of 5 24-byte elements at
>     element index 7 (byte offset 191) using index "locty" (which
>     evaluates to 7).
>        298         printf("tpm_tis: active locality      : %d\n"
>        299                "tpm_tis: state of locality %d : %d\n"
>        300                "tpm_tis: register dump:\n",
>        301                s->active_locty,
>        302                locty, s->loc[locty].state);
> 
>     Fixes: Coverity CID 1487240
>     Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org
>     <mailto:f4bug@amsat.org>>
> 
> 
> Maybe that assert should be in tpm_tis_locality_from_addr(), as various 
> callers could produce the same report.

OK I see, tpm_tis_memory_ops handlers are safe because mapped as:

     memory_region_init_io(&s->mmio, obj, &tpm_tis_memory_ops,
                           s, "tpm-tis-mmio",
                           TPM_TIS_NUM_LOCALITIES <<
                           TPM_TIS_LOCALITY_SHIFT);

So invalid addresses are impossible from guest.

diff --git a/hw/tpm/tpm_tis_common.c b/hw/tpm/tpm_tis_common.c
index e700d82181..5b1055033e 100644
--- a/hw/tpm/tpm_tis_common.c
+++ b/hw/tpm/tpm_tis_common.c
@@ -295,6 +295,7 @@  static void tpm_tis_dump_state(TPMState *s, hwaddr addr)
     uint8_t locty = tpm_tis_locality_from_addr(addr);
     hwaddr base = addr & ~0xfff;
 
+    assert(TPM_TIS_IS_VALID_LOCTY(locty));
     printf("tpm_tis: active locality      : %d\n"
            "tpm_tis: state of locality %d : %d\n"
            "tpm_tis: register dump:\n",

[PATCH-for-7.1] hw/tpm/tpm_tis: Avoid eventual read overrun

Commit Message

Comments

Patch