driver: Improve input validation to make code scanners happier
authorJan Kiszka <jan.kiszka@siemens.com>
Tue, 10 Mar 2015 06:27:43 +0000 (07:27 +0100)
committerJan Kiszka <jan.kiszka@siemens.com>
Fri, 20 Mar 2015 06:10:39 +0000 (07:10 +0100)
We trust the configuration files passed down to the driver already
because they define the isolation set up by the hypervisor and can
therefore screw up the system in various ways.

Nevertheless, we can and should improve basic consistency checks of
config fields that influence allocations and copy operations. This will
detect some corruptions/inconsistencies earlier and also satisfy the
Coverity scanner.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
driver/cell.c
driver/main.c
driver/pci.c

index c1721d1716ada4dfa0223e2a01450163b2fe5d51..07eb602346c0036562616ee1396ef4da6a8dab10 100644 (file)
@@ -39,6 +39,10 @@ struct cell *jailhouse_cell_create(const struct jailhouse_cell_desc *cell_desc)
        struct cell *cell;
        int err;
 
+       if (cell_desc->num_memory_regions >=
+           ULONG_MAX / sizeof(struct jailhouse_memory))
+               return ERR_PTR(-EINVAL);
+
        cell = kzalloc(sizeof(*cell), GFP_KERNEL);
        if (!cell)
                return ERR_PTR(-ENOMEM);
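Review bot: The new guard at the top of jailhouse_cell_create carries no comment tying it to the size product it protects, which is outside this hunk (presumably the later allocation of the memory-region array), so a reader meets a bare ULONG_MAX division next to an unrelated kzalloc; add `/* keep num_memory_regions * sizeof(struct jailhouse_memory) from wrapping in the region-array allocation below */` above it. The same applies to the num_pci_devices check in driver/pci.c, where the vmalloc it guards is visible two lines further down. Note that both checks only prevent wrap-around and do not bound the counts themselves, so a large but non-wrapping value still yields a very large allocation; that is acceptable given the trusted-config premise in the description, but the comment should say so. jailhouse_cell_create's body continues past the end of the hunk.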
index 4721db7af15ee5efa8879c2883ab3aff5880f226..f3a08f31524369c49f3703fc808dc8b5f697924f 100644 (file)
@@ -217,13 +217,15 @@ static int jailhouse_cmd_enable(struct jailhouse_system __user *arg)
 
        err = -EINVAL;
        if (memcmp(header->signature, JAILHOUSE_SIGNATURE,
-                  sizeof(header->signature)) != 0)
+                  sizeof(header->signature)) != 0 ||
+           hypervisor->size >= hv_mem->size)
                goto error_release_fw;
 
        hv_core_and_percpu_size = PAGE_ALIGN(header->core_size) +
                max_cpus * header->percpu_size;
        config_size = jailhouse_system_config_size(&config_header);
-       if (hv_mem->size <= hv_core_and_percpu_size + config_size)
+       if (hv_core_and_percpu_size >= hv_mem->size ||
+           config_size >= hv_mem->size - hv_core_and_percpu_size)
                goto error_release_fw;
 
        hypervisor_mem = jailhouse_ioremap(hv_mem->phys_start, JAILHOUSE_BASE,
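Review bot: The rewritten check only guards the sum hv_core_and_percpu_size + config_size, while the expression two lines above that produces hv_core_and_percpu_size, `PAGE_ALIGN(header->core_size) + max_cpus * header->percpu_size`, is built from firmware-header fields and is itself unchecked for wrap-around, so a corrupt core_size or percpu_size can wrap to a small value and pass the new test. Since the core image has to fit inside the loaded firmware, and the per-cpu product must not wrap, I would reject both before the computation: `if (header->core_size > hypervisor->size || (header->percpu_size && max_cpus > ULONG_MAX / header->percpu_size)) goto error_release_fw;`. The declared widths of core_size and percpu_size are not visible in the hunk; if they are narrower than unsigned long the product concern is smaller, but the core_size bound still costs nothing. jailhouse_cmd_enable starts and ends outside the hunk, so I cannot see whether hypervisor->size is compared against sizeof(*header) before header->signature is read.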
index 24ac2c0996a31297763bcf01badd317e54fca1f7..8d9e52781c6dee2cb2e120b6ac338e09402e7476 100644 (file)
@@ -66,6 +66,10 @@ int jailhouse_pci_cell_setup(struct cell *cell,
                /* cell is zero-initialized, no need to set pci fields */
                return 0;
 
+       if (cell_desc->num_pci_devices >=
+           ULONG_MAX / sizeof(struct jailhouse_pci_device))
+               return -EINVAL;
+
        cell->num_pci_devices = cell_desc->num_pci_devices;
        cell->pci_devices = vmalloc(sizeof(struct jailhouse_pci_device) *
                                    cell->num_pci_devices);