From 04ca4b92ecb33703b03b8501bfb3d8b0c551e2e5 Mon Sep 17 00:00:00 2001
From: Alexander Yarygin <yarygin@linux.vnet.ibm.com>
Date: Mon, 13 Jul 2015 15:04:36 +0300
Subject: s390x/ipl: Extend the IplParameterBlock struct

The IplParameterBlock struct currently has only 200 bytes filled, but it
can be up to 4K.

This patch converts the struct to union with a fully populated struct
inside it and second struct with old values.

For compatibility reasons we disable migration of the extended iplb
field for pre-2.7 machines. Also a guest still can read/write only the
first 200 bytes of IPLB for now.

Signed-off-by: Alexander Yarygin <yarygin@linux.vnet.ibm.com>
Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
---
 target-s390x/misc_helper.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

(limited to 'target-s390x/misc_helper.c')

diff --git a/target-s390x/misc_helper.c b/target-s390x/misc_helper.c
index 71cbe34e05..fab7f87a8f 100644
--- a/target-s390x/misc_helper.c
+++ b/target-s390x/misc_helper.c
@@ -232,8 +232,8 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3)
             program_interrupt(env, PGM_ADDRESSING, ILEN_LATER_INC);
             return;
         }
-        iplb = g_malloc0(sizeof(struct IplParameterBlock));
-        cpu_physical_memory_read(addr, iplb, sizeof(struct IplParameterBlock));
+        iplb = g_malloc0(sizeof(IplParameterBlock));
+        cpu_physical_memory_read(addr, iplb, S390_IPLB_MIN_CCW_LEN);
         s390_ipl_update_diag308(iplb);
         env->regs[r1 + 1] = DIAG_308_RC_OK;
         g_free(iplb);
@@ -250,8 +250,7 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3)
         }
         iplb = s390_ipl_get_iplb();
         if (iplb) {
-            cpu_physical_memory_write(addr, iplb,
-                                      sizeof(struct IplParameterBlock));
+            cpu_physical_memory_write(addr, iplb, S390_IPLB_MIN_CCW_LEN);
             env->regs[r1 + 1] = DIAG_308_RC_OK;
         } else {
             env->regs[r1 + 1] = DIAG_308_RC_NO_CONF;
-- 
cgit 1.4.1


From 9946a9113cf5d84c9381342100343aa97f736ee0 Mon Sep 17 00:00:00 2001
From: Alexander Yarygin <yarygin@linux.vnet.ibm.com>
Date: Mon, 10 Aug 2015 13:57:03 +0300
Subject: s390x/ipl: Add type and length checks for IplParameterBlock values

We can check for valid type and lengths of the IplParameterBlock fields
when receiving the struct from the guest.

Length of the IplParameterBlock can be less than 4K. To play safe we can
read and write only required amount of data.

Signed-off-by: Alexander Yarygin <yarygin@linux.vnet.ibm.com>
Reviewed-by: David Hildenband <dahi@linux.vnet.ibm.com>
Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
---
 hw/s390x/ipl.h             | 21 +++++++++++++++++++++
 target-s390x/misc_helper.c | 17 +++++++++++++++--
 2 files changed, 36 insertions(+), 2 deletions(-)

(limited to 'target-s390x/misc_helper.c')

diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h
index 73b86e3f81..08f1d5c385 100644
--- a/hw/s390x/ipl.h
+++ b/hw/s390x/ipl.h
@@ -99,6 +99,27 @@ struct S390IPLState {
 };
 typedef struct S390IPLState S390IPLState;
 
+#define S390_IPL_TYPE_FCP 0x00
+#define S390_IPL_TYPE_CCW 0x02
+
 #define S390_IPLB_MIN_CCW_LEN 200
+#define S390_IPLB_MIN_FCP_LEN 384
+
+static inline bool iplb_valid_len(IplParameterBlock *iplb)
+{
+    return be32_to_cpu(iplb->len) <= sizeof(IplParameterBlock);
+}
+
+static inline bool iplb_valid_ccw(IplParameterBlock *iplb)
+{
+    return be32_to_cpu(iplb->len) >= S390_IPLB_MIN_CCW_LEN &&
+           iplb->pbt == S390_IPL_TYPE_CCW;
+}
+
+static inline bool iplb_valid_fcp(IplParameterBlock *iplb)
+{
+    return be32_to_cpu(iplb->len) >= S390_IPLB_MIN_FCP_LEN &&
+           iplb->pbt == S390_IPL_TYPE_FCP;
+}
 
 #endif
diff --git a/target-s390x/misc_helper.c b/target-s390x/misc_helper.c
index fab7f87a8f..462cfc85fc 100644
--- a/target-s390x/misc_helper.c
+++ b/target-s390x/misc_helper.c
@@ -233,9 +233,22 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3)
             return;
         }
         iplb = g_malloc0(sizeof(IplParameterBlock));
-        cpu_physical_memory_read(addr, iplb, S390_IPLB_MIN_CCW_LEN);
+        cpu_physical_memory_read(addr, iplb, sizeof(iplb->len));
+        if (!iplb_valid_len(iplb)) {
+            env->regs[r1 + 1] = DIAG_308_RC_INVALID;
+            goto out;
+        }
+
+        cpu_physical_memory_read(addr, iplb, be32_to_cpu(iplb->len));
+
+        if (!iplb_valid_ccw(iplb) && !iplb_valid_fcp(iplb)) {
+            env->regs[r1 + 1] = DIAG_308_RC_INVALID;
+            goto out;
+        }
+
         s390_ipl_update_diag308(iplb);
         env->regs[r1 + 1] = DIAG_308_RC_OK;
+out:
         g_free(iplb);
         return;
     case 6:
@@ -250,7 +263,7 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3)
         }
         iplb = s390_ipl_get_iplb();
         if (iplb) {
-            cpu_physical_memory_write(addr, iplb, S390_IPLB_MIN_CCW_LEN);
+            cpu_physical_memory_write(addr, iplb, be32_to_cpu(iplb->len));
             env->regs[r1 + 1] = DIAG_308_RC_OK;
         } else {
             env->regs[r1 + 1] = DIAG_308_RC_NO_CONF;
-- 
cgit 1.4.1