Re: [PATCH-for-9.0? 3/3] hw/block/nand: Fix out-of-bound access in NAND

qemu-block

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH-for-9.0? 3/3] hw/block/nand: Fix out-of-bound access in NAND

From:	Richard Henderson
Subject:	Re: [PATCH-for-9.0? 3/3] hw/block/nand: Fix out-of-bound access in NAND block buffer
Date:	Mon, 8 Apr 2024 06:39:44 -1000
User-agent:	Mozilla Thunderbird

On 4/7/24 22:36, Philippe Mathieu-Daudé wrote:

nand_command() and nand_getio() don't check @offset points
into the block, nor the available data length (s->iolen) is
not negative.

In order to fix:

- check the offset is in range in nand_blk_load_NAND_PAGE_SIZE(),
- do not set @iolen if blk_load() failed.

Do not set, or do not set to non-zero? I had been wondering if the final assignment tos->iolen should go into nand_load_block as well...

diff --git a/hw/block/nand.c b/hw/block/nand.c
index 3627c799b5..d90dc965a1 100644
--- a/hw/block/nand.c
+++ b/hw/block/nand.c
@@ -255,7 +255,9 @@ static int nand_load_block(NANDFlashState *s, int offset)
  {
      int iolen;

- s->blk_load(s, s->addr, offset);

+    if (!s->blk_load(s, s->addr, offset)) {
+        return 0;
+    }

iolen = (1 << s->page_shift) - offset;

      if (s->gnd) {
@@ -780,6 +782,10 @@ static bool glue(nand_blk_load_, 
NAND_PAGE_SIZE)(NANDFlashState *s,
          return false;
      }

+ if (offset > NAND_PAGE_SIZE + OOB_SIZE) {

+        return false;
+    }
+


Reviewed-by: Richard Henderson <richard.henderson@linaro.org>


r~

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH-for-9.0? 0/3] hw/block/nand: Fix out-of-bound access in NAND block buffer, Philippe Mathieu-Daudé, 2024/04/08
- [PATCH-for-9.0? 1/3] hw/block/nand: Factor nand_load_iolen() method out, Philippe Mathieu-Daudé, 2024/04/08
  - Re: [PATCH-for-9.0? 1/3] hw/block/nand: Factor nand_load_iolen() method out, Richard Henderson, 2024/04/08
  - Re: [PATCH-for-9.0? 1/3] hw/block/nand: Factor nand_load_iolen() method out, Kevin Wolf, 2024/04/09
- [PATCH-for-9.0? 2/3] hw/block/nand: Have blk_load() return boolean indicating success, Philippe Mathieu-Daudé, 2024/04/08
  - Re: [PATCH-for-9.0? 2/3] hw/block/nand: Have blk_load() return boolean indicating success, Richard Henderson, 2024/04/08
- [PATCH-for-9.0? 3/3] hw/block/nand: Fix out-of-bound access in NAND block buffer, Philippe Mathieu-Daudé, 2024/04/08
  - Re: [PATCH-for-9.0? 3/3] hw/block/nand: Fix out-of-bound access in NAND block buffer, Philippe Mathieu-Daudé, 2024/04/08
  - Re: [PATCH-for-9.0? 3/3] hw/block/nand: Fix out-of-bound access in NAND block buffer, Richard Henderson <=
    - Re: [PATCH-for-9.0? 3/3] hw/block/nand: Fix out-of-bound access in NAND block buffer, Philippe Mathieu-Daudé, 2024/04/08
- Re: [PATCH-for-9.0? 0/3] hw/block/nand: Fix out-of-bound access in NAND block buffer, Mauro Matteo Cascella, 2024/04/08
  - Re: [PATCH-for-9.0? 0/3] hw/block/nand: Fix out-of-bound access in NAND block buffer, Philippe Mathieu-Daudé, 2024/04/09
- Re: [PATCH-for-9.0? 0/3] hw/block/nand: Fix out-of-bound access in NAND block buffer, Kevin Wolf, 2024/04/09

Prev by Date: Re: [PATCH-for-9.0? 2/3] hw/block/nand: Have blk_load() return boolean indicating success
Next by Date: Re: [PATCH-for-9.0] hw/sd/sdhci: Discard excess of data written to Buffer Data Port register
Previous by thread: Re: [PATCH-for-9.0? 3/3] hw/block/nand: Fix out-of-bound access in NAND block buffer
Next by thread: Re: [PATCH-for-9.0? 3/3] hw/block/nand: Fix out-of-bound access in NAND block buffer
Index(es):
- Date
- Thread