[PATCH 2/2] ACRN: DM: Add endpoint index check in xhci register write


Long Liu
 

Because the endpoint index max value is 32, add the index value
check in xhci register write function.

Signed-off-by: Liu Long <long.liu@...>
---
devicemodel/hw/pci/xhci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/devicemodel/hw/pci/xhci.c b/devicemodel/hw/pci/xhci.c
index b5c1365ce..83fbccc35 100644
--- a/devicemodel/hw/pci/xhci.c
+++ b/devicemodel/hw/pci/xhci.c
@@ -3415,7 +3415,7 @@ pci_xhci_dbregs_write(struct pci_xhci_vdev *xdev,
UPRINTF(LDBG, "doorbell write offset 0x%lx: 0x%lx\r\n",
offset, value);

- if (XHCI_HALTED(xdev)) {
+ if (XHCI_HALTED(xdev) || XHCI_DB_TARGET_GET(value) > XHCI_MAX_ENDPOINTS) {
UPRINTF(LWRN, "pci_xhci: controller halted\r\n");
return;
}
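Review bot: The new bound in the `if` uses `>`, so a doorbell target equal to XHCI_MAX_ENDPOINTS still passes the check. The commit message says the maximum endpoint index is 32; if the target is later used to index an array with XHCI_MAX_ENDPOINTS entries, the comparison needs to be `>=`, so please state the valid range in the commit message and match the operator to it. The rejected write also falls into the existing branch that logs "pci_xhci: controller halted", which misreports the cause when triaging a bad guest write; give the range check its own branch with a message that prints the rejected target value.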
--
2.25.1


Yu Wang
 

On Tue, Jun 14, 2022 at 09:23:56AM +0800, Liu Long wrote:
Because the endpoint index max value is 32, add the index value
check in xhci register write function.

Signed-off-by: Liu Long <long.liu@...>
---
devicemodel/hw/pci/xhci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/devicemodel/hw/pci/xhci.c b/devicemodel/hw/pci/xhci.c
index b5c1365ce..83fbccc35 100644
--- a/devicemodel/hw/pci/xhci.c
+++ b/devicemodel/hw/pci/xhci.c
@@ -3415,7 +3415,7 @@ pci_xhci_dbregs_write(struct pci_xhci_vdev *xdev,
UPRINTF(LDBG, "doorbell write offset 0x%lx: 0x%lx\r\n",
offset, value);

- if (XHCI_HALTED(xdev)) {
+ if (XHCI_HALTED(xdev) || XHCI_DB_TARGET_GET(value) > XHCI_MAX_ENDPOINTS) {
UPRINTF(LWRN, "pci_xhci: controller halted\r\n");
Is there any capability register to indicate the max supported endpoint
number? I haven't found it.

And why does the FE driver ring the nonexisting ep?

Another thing, this is not the controller halted case, please do not re-use
the same log.

return;
}
--
2.25.1


Yonghua Huang
 

Hi Yu,

-----Original Message-----
From: Wang, Yu1 <yu1.wang@...>
Sent: Tuesday, June 14, 2022 09:15
To: Liu Long <long.liu@...>
Cc: Huang, Yonghua <yonghua.huang@...>; acrn-dev@...
Subject: Re: [PATCH 2/2] ACRN: DM: Add endpoint index check in xhci register write

On Tue, Jun 14, 2022 at 09:23:56AM +0800, Liu Long wrote:
Because the endpoint index max value is 32, add the index value check
in xhci register write function.

Signed-off-by: Liu Long <long.liu@...>
---
devicemodel/hw/pci/xhci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/devicemodel/hw/pci/xhci.c b/devicemodel/hw/pci/xhci.c
index b5c1365ce..83fbccc35 100644
--- a/devicemodel/hw/pci/xhci.c
+++ b/devicemodel/hw/pci/xhci.c
@@ -3415,7 +3415,7 @@ pci_xhci_dbregs_write(struct pci_xhci_vdev *xdev,
UPRINTF(LDBG, "doorbell write offset 0x%lx: 0x%lx\r\n",
offset, value);

- if (XHCI_HALTED(xdev)) {
+ if (XHCI_HALTED(xdev) || XHCI_DB_TARGET_GET(value) >
+XHCI_MAX_ENDPOINTS) {
UPRINTF(LWRN, "pci_xhci: controller halted\r\n");
Is there any capability register to indicate the max supported endpoint number? I
haven't found it.

And why does the FE driver ring the nonexisting ep?

This write request is from a fuzzing guest, where any value that is compatible with the hardware/software interface will be injected. The ACRN backend driver should validate any inputs from the guest, which is not trusted.


Another thing, this is not the controller halted case, please do not re-use the same
log.

return;
}
--
2.25.1