s390x/ipl: Add type and length checks for IplParameterBlock values

We can check for valid type and lengths of the IplParameterBlock fields
when receiving the struct from the guest.

Length of the IplParameterBlock can be less than 4K. To play safe we can
read and write only required amount of data.

Signed-off-by: Alexander Yarygin <yarygin@linux.vnet.ibm.com>
Reviewed-by: David Hildenband <dahi@linux.vnet.ibm.com>
Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>

1 files changed, 15 insertions, 2 deletions

diff --git a/target-s390x/misc_helper.c b/target-s390x/misc_helper.c
index fab7f87a8f..462cfc85fc 100644
--- a/target-s390x/misc_helper.c
+++ b/target-s390x/misc_helper.c
@@ -233,9 +233,22 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3)
             return;
         }
         iplb = g_malloc0(sizeof(IplParameterBlock));
-        cpu_physical_memory_read(addr, iplb, S390_IPLB_MIN_CCW_LEN);
+        cpu_physical_memory_read(addr, iplb, sizeof(iplb->len));
+        if (!iplb_valid_len(iplb)) {
+            env->regs[r1 + 1] = DIAG_308_RC_INVALID;
+            goto out;
+        }
+
+        cpu_physical_memory_read(addr, iplb, be32_to_cpu(iplb->len));
+
+        if (!iplb_valid_ccw(iplb) && !iplb_valid_fcp(iplb)) {
+            env->regs[r1 + 1] = DIAG_308_RC_INVALID;
+            goto out;
+        }
+
         s390_ipl_update_diag308(iplb);
         env->regs[r1 + 1] = DIAG_308_RC_OK;
+out:
         g_free(iplb);
         return;
     case 6:
@@ -250,7 +263,7 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3)
         }
         iplb = s390_ipl_get_iplb();
         if (iplb) {
-            cpu_physical_memory_write(addr, iplb, S390_IPLB_MIN_CCW_LEN);
+            cpu_physical_memory_write(addr, iplb, be32_to_cpu(iplb->len));
             env->regs[r1 + 1] = DIAG_308_RC_OK;
         } else {
             env->regs[r1 + 1] = DIAG_308_RC_NO_CONF;