From d9f554b62440de542c482fecf9374e8da3ea3602 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pali=20Roh=C3=A1r?= Date: Sun, 3 Jul 2022 12:48:06 +0200 Subject: pci: Add checks to prevent config space overflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit PCIe config space has address range 0-4095. So do not allow reading from addresses outside of this range. Lot of U-Boot drivers do not expect that passed value is not in this range. PCI DM read function is extended to fill read value to all ones or zeros when it fails as U-Boot callers ignores return value. Calling U-Boot command 'pci display.b 0.0.0 0 0x2000' now stops printing config space at the end (before 0x1000 address). Signed-off-by: Pali Rohár Reviewed-by: Stefan Roese --- drivers/pci/pci-uclass.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'drivers/pci/pci-uclass.c') diff --git a/drivers/pci/pci-uclass.c b/drivers/pci/pci-uclass.c index 2c85e78a136..16a6a699f92 100644 --- a/drivers/pci/pci-uclass.c +++ b/drivers/pci/pci-uclass.c @@ -286,6 +286,8 @@ int pci_bus_write_config(struct udevice *bus, pci_dev_t bdf, int offset, ops = pci_get_ops(bus); if (!ops->write_config) return -ENOSYS; + if (offset < 0 || offset >= 4096) + return -EINVAL; return ops->write_config(bus, bdf, offset, value, size); } @@ -364,8 +366,14 @@ int pci_bus_read_config(const struct udevice *bus, pci_dev_t bdf, int offset, struct dm_pci_ops *ops; ops = pci_get_ops(bus); - if (!ops->read_config) + if (!ops->read_config) { + *valuep = pci_conv_32_to_size(~0, offset, size); return -ENOSYS; + } + if (offset < 0 || offset >= 4096) { + *valuep = pci_conv_32_to_size(0, offset, size); + return -EINVAL; + } return ops->read_config(bus, bdf, offset, valuep, size); } -- cgit v1.2.3