File qatlib-CVE-2023-22313.patch of Package qatlib.32291
Index: qatlib-21.08.0/quickassist/lookaside/access_layer/src/qat_direct/vfio/qat_mgr.h
===================================================================
--- qatlib-21.08.0.orig/quickassist/lookaside/access_layer/src/qat_direct/vfio/qat_mgr.h
+++ qatlib-21.08.0/quickassist/lookaside/access_layer/src/qat_direct/vfio/qat_mgr.h
@@ -75,6 +75,11 @@
#define MAX_INSTANCES 16
#define MAX_SERVICES 4
#define BIT(n) (1 << n)
+#ifndef MAX
+#define MAX(X, Y) (((X) > (Y)) ? (X) : (Y))
+#endif
+#define MAX_PAYLOAD_SIZE \
+ MAX(sizeof(struct qatmgr_msg_req), sizeof(struct qatmgr_msg_rsp))
enum serv_type
{
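Review bot: `MAX_PAYLOAD_SIZE` is the size of the larger whole message struct, header included, but `dump_message` in qat_mgr_lib.c compares it against `payload_size`, which is `hdr.len` minus `sizeof(req->hdr)` and is read from just past the header. The check `payload_size <= MAX_PAYLOAD_SIZE` therefore still lets the dump loop read up to `sizeof(req->hdr)` bytes beyond the end of the larger struct, and further when the buffer passed in is the smaller of the two. Subtracting the header makes the name and the bound agree: `(MAX(sizeof(struct qatmgr_msg_req), sizeof(struct qatmgr_msg_rsp)) - sizeof(((struct qatmgr_msg_req *)0)->hdr))`. The struct definitions are outside this hunk, so this assumes the header is the first member, as the payload pointer arithmetic in `dump_message` already does.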
Index: qatlib-21.08.0/quickassist/lookaside/access_layer/src/qat_direct/vfio/qat_mgr_lib.c
===================================================================
--- qatlib-21.08.0.orig/quickassist/lookaside/access_layer/src/qat_direct/vfio/qat_mgr_lib.c
+++ qatlib-21.08.0/quickassist/lookaside/access_layer/src/qat_direct/vfio/qat_mgr_lib.c
@@ -71,6 +71,22 @@ static struct qatmgr_section_data *secti
static int num_section_data = 0;
+static const char *qatmgr_msgtype_str[] = {
+ "QATMGR_MSGTYPE_UNKNOWN", /* string for unknown msg*/
+ "QATMGR_MSGTYPE_SECTION_GET", /* string for get section msg*/
+ "QATMGR_MSGTYPE_SECTION_PUT", /* string for put section msg*/
+ "QATMGR_MSGTYPE_NUM_DEVICES", /* string for num devices msg*/
+ "QATMGR_MSGTYPE_DEVICE_INFO", /* string for device info msg*/
+ "QATMGR_MSGTYPE_DEVICE_ID", /* string for device id msg*/
+ "QATMGR_MSGTYPE_SECTION_INFO", /* string for section info msg*/
+ "QATMGR_MSGTYPE_INSTANCE_INFO", /* string for instance info msg*/
+ "QATMGR_MSGTYPE_INSTANCE_NAME", /* string for instance name msg*/
+ "QATMGR_MSGTYPE_VFIO_FILE", /* string for vfio file path msg*/
+};
+
+#define QATMGR_MSGTYPES_STR_MAX \
+ (sizeof(qatmgr_msgtype_str) / sizeof(qatmgr_msgtype_str[0]) - 1)
+
/* Cache of PF capabilities */
struct pf_capabilities
{
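Review bot: `qatmgr_msgtype_str` is indexed directly by `req->hdr.type` in `dump_message`, so its order has to match the message-type values, which are defined outside this hunk, and nothing here ties the two together. A comment above the table such as `/* Indexed by message type; keep in the same order as the QATMGR_MSGTYPE_* values */` would state the contract. If the build allows C11, a `_Static_assert` comparing the entry count with the highest message type would catch a value added on one side only. The per-entry comments only restate the string next to them and could be dropped.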
@@ -1031,7 +1047,7 @@ bool qat_mgr_is_dev_available()
return dev_found;
}
-void dump_message(void *ptr, char *text)
+static void dump_message(void *ptr, char *text)
{
struct qatmgr_msg_req *req = ptr;
int payload_size;
@@ -1046,10 +1062,13 @@ void dump_message(void *ptr, char *text)
printf("%s\n", text);
printf("Message type %d\n", req->hdr.type);
+ if (req->hdr.type > 0 && req->hdr.type <= QATMGR_MSGTYPES_STR_MAX)
+ printf("Message name %s\n", qatmgr_msgtype_str[req->hdr.type]);
printf(" length %d\n", req->hdr.len);
payload_size = req->hdr.len - sizeof(req->hdr);
payload = (uint8_t *)req + sizeof(req->hdr);
- if (payload_size > 0)
+
+ if (payload_size > 0 && payload_size <= MAX_PAYLOAD_SIZE)
{
printf(" Payload: ");
for (i = 0; i < payload_size; i++, payload++)
@@ -1060,6 +1079,14 @@ void dump_message(void *ptr, char *text)
}
printf("\n");
}
+ if (payload_size > MAX_PAYLOAD_SIZE)
+ {
+ qat_log(
+ LOG_LEVEL_ERROR,
+ "Message payload size (%d) out of range. Max payload size is %d\n",
+ payload_size,
+ MAX_PAYLOAD_SIZE);
+ }
}
#define ARRAY_SIZE(a) (sizeof(a) / sizeof(a[0]))
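Review bot: The added `qat_log` call passes `MAX_PAYLOAD_SIZE`, a `sizeof`-derived `size_t`, to a `%d` conversion, which is a format/argument mismatch assuming `qat_log` is printf-style; use `%zu`, or cast with `(int)MAX_PAYLOAD_SIZE`. The comparison `payload_size > MAX_PAYLOAD_SIZE` also converts the `int` to an unsigned type, so a `hdr.len` smaller than the header (negative `payload_size`) lands in this branch and is reported as too large with a negative number. A separate `if (payload_size < 0)` message would make a truncated header distinguishable from an oversized one in the log. `dump_message` begins outside this hunk.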
@@ -1100,6 +1127,8 @@ static int handle_get_num_devices(struct
return -1;
}
+ dump_message(req, "Request");
+
if (index < 0 || index >= num_section_data)
{
qat_log(LOG_LEVEL_ERROR, "Bad index\n");
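Review bot: Because the request dump now sits after the handler's early `return -1` instead of at the top of `handle_message`, a request rejected by that earlier check is never dumped. The check itself is above this hunk, and the context in `handle_section_request` shows it is the "Inconsistent length" test, so malformed lengths are exactly the requests that disappear from the trace. Logging the two header fields on the rejection path keeps them visible without touching the payload, e.g. `qat_log(LOG_LEVEL_ERROR, "Bad length %d for message type %d\n", req->hdr.len, req->hdr.type);`. The same applies to the matching hunks in the other `handle_get_*` handlers, `handle_section_request` and `handle_section_release`.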
@@ -1111,7 +1140,7 @@ static int handle_get_num_devices(struct
rsp->num_devices = section->num_devices;
build_msg_header(rsp, QATMGR_MSGTYPE_NUM_DEVICES, sizeof(rsp->num_devices));
- dump_message(rsp, "QATMGR_MSGTYPE_NUM_DEVICES");
+ dump_message(rsp, "Response");
return 0;
}
@@ -1132,6 +1161,8 @@ static int handle_get_device_info(struct
return -1;
}
+ dump_message(req, "Request");
+
if (index < 0 || index >= num_section_data)
{
qat_log(LOG_LEVEL_ERROR, "Bad index\n");
@@ -1170,7 +1201,7 @@ static int handle_get_device_info(struct
rsp->device_info.device_pci_id = section->device_data[device_num].pci_id;
build_msg_header(rsp, QATMGR_MSGTYPE_DEVICE_INFO, sizeof(rsp->device_info));
- dump_message(rsp, "QATMGR_MSGTYPE_DEVICE_INFO");
+ dump_message(rsp, "Response");
return 0;
}
@@ -1192,6 +1223,8 @@ static int handle_get_device_id(struct q
return -1;
}
+ dump_message(req, "Request");
+
if (index < 0 || index >= num_section_data)
{
qat_log(LOG_LEVEL_ERROR, "Bad index\n");
@@ -1216,7 +1249,7 @@ static int handle_get_device_id(struct q
build_msg_header(rsp,
QATMGR_MSGTYPE_DEVICE_ID,
ICP_ARRAY_STRLEN_SANITIZE(rsp->device_id) + 1);
- dump_message(rsp, "QATMGR_MSGTYPE_DEVICE_ID");
+ dump_message(rsp, "Response");
return 0;
}
@@ -1239,6 +1272,8 @@ static int handle_get_vfio_name(struct q
return -1;
}
+ dump_message(req, "Request");
+
if (index < 0 || index >= num_section_data)
{
qat_log(LOG_LEVEL_ERROR, "Bad index\n");
@@ -1270,7 +1305,7 @@ static int handle_get_vfio_name(struct q
build_msg_header(
rsp, QATMGR_MSGTYPE_VFIO_FILE, sizeof(rsp->vfio_file.fd) + len + 1);
- dump_message(rsp, "QATMGR_MSGTYPE_VFIO_FILE");
+ dump_message(rsp, "Response");
return 0;
}
@@ -1290,6 +1325,8 @@ static int handle_get_section_info(struc
return -1;
}
+ dump_message(req, "Request");
+
if (index < 0 || index >= num_section_data)
{
qat_log(LOG_LEVEL_ERROR, "Bad index\n");
@@ -1303,7 +1340,7 @@ static int handle_get_section_info(struc
build_msg_header(
rsp, QATMGR_MSGTYPE_SECTION_INFO, sizeof(rsp->section_info));
- dump_message(rsp, "QATMGR_MSGTYPE_SECTION_INFO");
+ dump_message(rsp, "Response");
return 0;
}
@@ -1325,6 +1362,8 @@ static int handle_get_instance_name(stru
return -1;
}
+ dump_message(req, "Request");
+
if (index < 0 || index >= num_section_data)
{
qat_log(LOG_LEVEL_ERROR, "Bad index\n");
@@ -1411,7 +1450,7 @@ static int handle_get_instance_name(stru
err_msg(rsp, "Unknown instance type");
return -1;
}
- dump_message(rsp, "QATMGR_MSGTYPE_INSTANCE_NAME");
+ dump_message(rsp, "Response");
return 0;
}
@@ -1436,6 +1475,8 @@ static int handle_get_instance_info(stru
return -1;
}
+ dump_message(req, "Request");
+
if (index < 0 || index >= num_section_data)
{
qat_log(LOG_LEVEL_ERROR, "Bad index\n");
@@ -1576,7 +1617,7 @@ static int handle_get_instance_info(stru
return -1;
}
- dump_message(rsp, "QATMGR_MSGTYPE_INSTANCE_INFO");
+ dump_message(rsp, "Response");
return 0;
}
@@ -1658,6 +1699,9 @@ static int handle_section_request(struct
err_msg(rsp, "Inconsistent length");
return -1;
}
+
+ dump_message(req, "Request");
+
if (pid != getpid())
{
pid = getpid();
@@ -1702,7 +1746,7 @@ static int handle_section_request(struct
*section_name);
ICP_STRLCPY(*section_name, rsp->name, name_buf_size);
-
+ dump_message(rsp, "Response");
return 0;
}
@@ -1725,6 +1769,8 @@ static int handle_section_release(struct
return -1;
}
+ dump_message(req, "Request");
+
if (*section_name == NULL)
{
qat_log(LOG_LEVEL_ERROR, "Section not allocated\n");
@@ -1747,6 +1793,7 @@ static int handle_section_release(struct
*index = -1;
}
}
+ dump_message(rsp, "Response");
return 0;
}
@@ -1761,8 +1808,6 @@ int handle_message(struct qatmgr_msg_req
ICP_CHECK_FOR_NULL_PARAM(index);
ICP_CHECK_FOR_NULL_PARAM(section_name);
- dump_message(req, "Request");
-
if (req->hdr.version != THIS_LIB_VERSION)
{
char qatlib_ver_str[VER_STR_LEN];