52f4cb29 | 25-Nov-2020 |
Andrew Jeffery <andrew@aj.id.au> |
README: Prominently address API/ABI stability
Make a header out of it to help catch people's eyes. Also add a contact section beforehand so people know where to send feedback.
Signed-off-by: Andrew Jeffery <andrew@aj.id.au> Change-Id: I9d8ec99fbdb0314075d175c0844eb232b6d7719d
|
c2b833e4 | 27-Oct-2020 |
Andrew Jeffery <andrew@aj.id.au> |
core: Fix large packet buffer overrun
The astlpc binding allows negotiation of Tx/Rx region sizes, but the packet accumulator assumed packet sizes were at most 4096 bytes. Avoid buffer overflow by allocating at least the length of the inbound packet if we have not yet initialised the packet buffer.
Fixes:
=================================================================
==42296==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000002500 at pc 0x7ff8a22235ce bp 0x7ffd47469750 sp 0x7ffd47468ef8
WRITE of size 8192 at 0x621000002500 thread T0
    #0 0x7ff8a22235cd in __interceptor_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.6+0x3a5cd)
    #1 0x7ff8a21ac78b in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
    #2 0x7ff8a21ac78b in mctp_msg_ctx_add_pkt /home/andrew/src/openbmc/libmctp/core.c:237
    #3 0x7ff8a21af245 in mctp_bus_rx /home/andrew/src/openbmc/libmctp/core.c:495
    #4 0x56458d3f9648 in mctp_astlpc_rx_start astlpc.c:813
    #5 0x56458d3f9648 in mctp_astlpc_poll astlpc.c:931
    #6 0x56458d3fc1f4 in astlpc_test_send_large_packet tests/test_astlpc.c:1111
    #7 0x56458d3efc86 in main tests/test_astlpc.c:1185
    #8 0x7ff8a165dcb1 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x28cb1)
    #9 0x56458d3efe7d in _start (/home/andrew/src/openbmc/libmctp/tests/.libs/test_astlpc+0x17e7d)

0x621000002500 is located 0 bytes to the right of 4096-byte region [0x621000001500,0x621000002500)
allocated by thread T0 here:
    #0 0x7ff8a22998d0 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.6+0xb08d0)
    #1 0x7ff8a21b0533 in __mctp_realloc /home/andrew/src/openbmc/libmctp/alloc.c:48

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.6+0x3a5cd) in __interceptor_memcpy
==42296==ABORTING
Signed-off-by: Andrew Jeffery <andrew@aj.id.au> Change-Id: I9d39090cb9246ec2f6c06942d4f2a91fe0df0202
|
5a508915 | 03-Nov-2020 |
Andrew Jeffery <andrew@aj.id.au> |
core: Fix comment on size limits
We introduced size limits in 2c820c5ad455 ("core: Limit maximum size of an assembled MCTP message").
Signed-off-by: Andrew Jeffery <andrew@aj.id.au> Change-Id: I9553027ddba65c344d29b4f7fd7817d6ff93f454
|
4622cadf | 03-Nov-2020 |
Andrew Jeffery <andrew@aj.id.au> |
astlpc: Extract MIN()/MAX() to range.h
Enable reuse beyond astlpc.c.
Signed-off-by: Andrew Jeffery <andrew@aj.id.au> Change-Id: I090358882b2c4b9cb1a9393a9ae38dfbe80335e9 |
85c04e47 | 27-Oct-2020 |
Andrew Jeffery <andrew@aj.id.au> |
tests: astlpc: Re-order astlpc ops struct definitions
Make it easier to isolate test cases with `#if 0` hackery.
Signed-off-by: Andrew Jeffery <andrew@aj.id.au> Change-Id: Ibc3daef821768407b01f75996d3ab614bb6b6593
|
b3b55a6b | 05-Jul-2020 |
Andrew Jeffery <andrew@aj.id.au> |
astlpc: Clear OBF during binding initialisation
Whatever the buffer ownership state was previously, it is now irrelevant as we're initialising the binding. Ensure that we don't accidentally block initialisation due to the host failing to consume the previous KCS command (which implies OBF is set and therefore we would block on sending the dummy command).
The relevant callsites for mctp_astlpc_kcs_set_status() were already setting KCS_STATUS_OBF in the status value passed to the function, therefore it's not necessary for the function to set it explicitly. Removing the explicit KCS_STATUS_OBF from mctp_astlpc_kcs_set_status() to make way for correct use in mctp_astlpc_init_bmc().
Signed-off-by: Andrew Jeffery <andrew@aj.id.au> Change-Id: I54266ee4459115e993af2ad6665252887c27ab3e
|
96d54492 | 14-Jul-2020 |
Sumanth Bhat <sumanth.bhat@linux.intel.com> |
core: handle memory allocation failures in mctp init
This just handles __mctp_alloc failures in libmctp.
Signed-off-by: Sumanth Bhat <sumanth.bhat@linux.intel.com> Change-Id: I0b5beaf2b981a56133bd6caaf269e75e28cefba7
|
2c820c5a | 01-Jul-2020 |
Sumanth Bhat <sumanth.bhat@linux.intel.com> |
core: Limit maximum size of an assembled MCTP message
If libmctp receives a sequence of fragment MCTP packets and never receives an EOM packet, this will cause heap memory to grow without bounds. This commit puts an upper cap on maximum MCTP message size. This should protect us from any malicious device trying to exploit this.
Also, this prevents overwhelming of the device's resources. Section 10.1.5 of DSP0236 (v1.3.1) allows configuration of endpoints to protect its resources.
Signed-off-by: Sumanth Bhat <sumanth.bhat@linux.intel.com> Change-Id: Id62cfab7c25b3e1ccf955f2e924844b58b4be154
|
d97869de | 01-Jul-2020 |
Sumanth Bhat <sumanth.bhat@linux.intel.com> |
core: Drop trivial length packets
If we receive packets which are of length less than mctp header size, we can drop them without passing through message assembly process.
Signed-off-by: Sumanth Bhat <sumanth.bhat@linux.intel.com> Change-Id: Idfe67530f7b2fb9c3ecb214a38f489a852b80c70
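The three receive-path commits above (allocating at least the inbound packet length in c2b833e4, capping the assembled message in 2c820c5a, dropping sub-header packets in d97869de) combined in one sketch. This is an added example, not libmctp's code: `struct msg_ctx`, `ctx_add_pkt()`, `INITIAL_ALLOC` and the sample sizes are illustrative assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LEN       4u    /* MCTP transport header length */
#define INITIAL_ALLOC 4096u /* first allocation; the size the old code assumed */

/* Hypothetical reassembly context; not libmctp's struct. */
struct msg_ctx {
	uint8_t *buf;
	size_t len;   /* payload bytes accumulated so far */
	size_t alloc; /* bytes currently allocated */
};

/* Append one packet's payload. Returns 0 on success, -1 if dropped. */
int ctx_add_pkt(struct msg_ctx *ctx, const uint8_t *pkt, size_t pkt_len,
		size_t max_msg)
{
	size_t payload, need, new_alloc;
	uint8_t *nbuf;

	if (pkt_len < HDR_LEN) /* shorter than a header: drop before assembly */
		return -1;
	payload = pkt_len - HDR_LEN;
	if (payload == 0)
		return 0;
	/* Reject length wrap-around and messages past the cap. */
	if (payload > SIZE_MAX - ctx->len || ctx->len + payload > max_msg)
		return -1;
	need = ctx->len + payload;

	if (need > ctx->alloc) {
		/* Size from the inbound length, never from 4096 alone. */
		new_alloc = ctx->alloc ? ctx->alloc * 2 : INITIAL_ALLOC;
		if (new_alloc < need)
			new_alloc = need;
		if (new_alloc > max_msg)
			new_alloc = max_msg;
		nbuf = realloc(ctx->buf, new_alloc);
		if (!nbuf)
			return -1;
		ctx->buf = nbuf;
		ctx->alloc = new_alloc;
	}
	memcpy(ctx->buf + ctx->len, pkt + HDR_LEN, payload);
	ctx->len = need;
	return 0;
}

int main(void)
{
	static uint8_t pkt[HDR_LEN + 8192]; /* constructed: 8192-byte payload */
	struct msg_ctx ctx = { 0 };
	int rc = ctx_add_pkt(&ctx, pkt, sizeof(pkt), 65536);

	printf("rc=%d len=%zu alloc=%zu\n", rc, ctx.len, ctx.alloc);
	free(ctx.buf);
	return 0;
}
```

The 8192-byte payload matches the `WRITE of size 8192` into a 4096-byte region in the AddressSanitizer report; here the first allocation is raised to the inbound length instead.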
|
3ac70d62 | 30-Jun-2020 |
Andrew Jeffery <andrew@aj.id.au> |
core: Fix off-by-one assertion in mctp_pktbuf_alloc_end
pkt->end refers to the address after the last byte allocated to the packet body, so we need a less-than-or-equal-to inequality.
Signed-off-by: Andrew Jeffery <andrew@aj.id.au> Change-Id: Ie91f4fe015858b5d2f308289e806d85d8320f239
|
b942e3a3 | 22-Jun-2020 |
Andrew Jeffery <andrew@aj.id.au> |
core: Return size_t for mctp_pktbuf_size()
Large packets are enabled by e.g. MTU negotiation in the astlpc binding. Avoid truncating large packets in calls to the pktbuf APIs.
Signed-off-by: Andrew Jeffery <andrew@aj.id.au> Change-Id: I1244d70fe93ca7538ca09256110d648c495c6aa7
|
8737538e | 19-Jun-2020 |
Andrew Jeffery <andrew@aj.id.au> |
clang-format: Enable AlignConsecutiveMacros
clang-format-10 has been adopted in CI, so enable some of the more useful recent features.
Signed-off-by: Andrew Jeffery <andrew@aj.id.au> Change-Id: I9293bacb049b97c0a9abdf7188ea2eea66e43092
|
d98b2b23 | 14-Jun-2020 |
Andrew Jeffery <andrew@aj.id.au> |
mctp-astlpc-demux: Explicitly construct a fileio astlpc instance
mctp-astlpc-demux is run on BMCs in userspace, so fileio is what we require.
Signed-off-by: Andrew Jeffery <andrew@aj.id.au> Change-Id: Iecd8df8901c14ea5924cdc1671b880b5f4824c6c
|
8877c460 | 14-Jun-2020 |
Andrew Jeffery <andrew@aj.id.au> |
astlpc: Request maximum MTU in fileio constructor
The MTU value 0 is special-cased to request the maximum possible MTU, whatever that may be. Exploit this fact in the fileio constructor.
Signed-off-by: Andrew Jeffery <andrew@aj.id.au> Change-Id: Ib9ad48deb1644579d962b5939a3f3f444091f3ce
|
8536cfcf | 12-Jun-2020 |
Andrew Jeffery <andrew@aj.id.au> |
libmctp: v0.10
Introduce v2 of the astlpc binding protocol.
Signed-off-by: Andrew Jeffery <andrew@aj.id.au> Change-Id: Idaba0167f605d51fba30cebdce432ca9c38463d7 |
c9fb86d2 | 12-Jun-2020 |
Andrew Jeffery <andrew@aj.id.au> |
docs: astlpc: Document the behaviours of protocol version 2
The sole feature of version 2 is maximum transmission unit negotiation. The process is designed in a backwards-compatible fashion with version 1. The negotiated version must be at least 2 in order to exploit MTUs larger than the baseline transmission unit.
Signed-off-by: Andrew Jeffery <andrew@aj.id.au> Change-Id: Ife23e0551f975894fbb0544b4b1d3cf0b4190b4f
|
f3ff01f2 | 11-Jun-2020 |
Andrew Jeffery <andrew@aj.id.au> |
docs: astlpc: Factor out KCS command and status sequences
Dedicate words to the mechanics of setting status and sending commands via the KCS interface. Factor out these behaviours from the binding initialisation and packet transmission sequences to keep them succinct.
Signed-off-by: Andrew Jeffery <andrew@aj.id.au> Change-Id: I1316045d6bb6f3a980a83ed2b046d7e68cabbf01
|
fbe1a22a | 11-Jun-2020 |
Andrew Jeffery <andrew@aj.id.au> |
docs: astlpc: Describe some implementation details
However, isolate the details to their own section near the end of the document so as not to disrupt specification of the binding behaviour.
Signed-off-by: Andrew Jeffery <andrew@aj.id.au> Change-Id: I7d4ab48b5659caa185a3f665857daee50dfb5a61
|
9624edb4 | 28-May-2020 |
Andrew Jeffery <andrew@aj.id.au> |
docs: astlpc: Introduce scope, terms and reference sections
Link to supporting documentation and provide definitions for the various terms used through the document.
Signed-off-by: Andrew Jeffery <andrew@aj.id.au> Change-Id: Id27dcda9720ca4717e395a83bcf1091f2e8416d2
|
e62b4257 | 28-May-2020 |
Andrew Jeffery <andrew@aj.id.au> |
docs: Describe operation of the astlpc binding
This is a mostly-faithful reproduction of the internal document that has so-far driven development of the binding inside IBM. It covers the behaviour of the protocol along with constraints motivating its development. The binding was developed for use on POWER host architecture systems, which are LPC-based.
Signed-off-by: Andrew Jeffery <andrew@aj.id.au> Change-Id: I6708ed5776419ab03b2f569cb243b5e3df21885b
|
5303d9c5 | 08-Jun-2020 |
Andrew Jeffery <andrew@aj.id.au> |
astlpc: Bump protocol support to v2
The new functionality in v2 is the one feature to negotiate transmission units larger than the MCTP baseline transmission unit.
Signed-off-by: Andrew Jeffery <andrew@aj.id.au> Change-Id: Ia7d9b1177b0e0a3af911f2d960456682327abe4d
|
a9368980 | 08-Jun-2020 |
Andrew Jeffery <andrew@aj.id.au> |
astlpc: Make MTU configurable at binding instantiation
Make the MTU value provided to mctp_astlpc_init() stick. Previously we just printed a warning and forced the MTU to the baseline transmission unit. Now that MTU negotiation is in place, accept the provided value.
Change-Id: I0c026ba0a94a26a6d99755d3debf048b6e0b4aca Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
|
3a540664 | 26-May-2020 |
Andrew Jeffery <andrew@aj.id.au> |
astlpc: Introduce MTU negotiation
MTU negotiation is implemented in a backwards-compatible manner with version 1 of the astlpc binding. Functionally, MTU negotiation involves proposing arrangements of the Rx and Tx buffer layouts. It is assumed that the MTU is a packet sized to fill the Tx buffer as described in the control space.
For v1 of the binding the MTU is defined in terms of the MCTP_BTU constant provided by libmctp.h. MCTP_BTU is used regardless of the buffer sizes specified in the control space (which MUST describe buffers supporting at least MCTP_BTU-sized packets).
For v2 of the binding the MTU is defined in terms of the appropriate buffer's size field in the control space.
The sequence of events for negotiating the MTU under v2 is as follows:
1. The BMC initialises its binding, filling out the Rx and Tx buffer properties with the largest configuration it supports.
2. The host initialises its binding, writing its maximum Rx buffer size before sending `channel-init` to the BMC.
3. The BMC receives `channel-init`, negotiates protocol version 2 and then validates the host's proposed buffer configuration. If the proposed configuration is invalid (e.g. out-of-bounds values) the BMC terminates channel initialisation leaving the channel-active bit clear and writing zero to the negotiated version field. If the proposal is valid, the BMC calculates the buffer sizes according to the available constraints and writes the chosen buffer configuration to the control region.
4. Assuming the version negotiation and buffer configuration are successful, the BMC sets `channel-active` and notifies the host.
5. The host reads `channel-active`, accepts the negotiation of v2 and validates the buffer configuration. If the validation passes, then the buffer configuration is the configuration used for the remainder of the session. If validation fails then the host MUST NOT send MCTP packets via the LPC binding until a valid buffer configuration can be negotiated.
Change-Id: I89107593f220418d746c2d73771348ed8f7f3e87 Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
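The validation in steps 3 and 5 and the v1/v2 MTU rule, as an added example that is not the binding's own code. `struct buf_desc`, `layout_valid()`, `session_mtu()`, the control-region and window sizes are hypothetical, and the buffer is assumed to carry only the 4-byte MCTP header plus payload.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BTU     64u /* MCTP baseline transmission unit (DSP0236) */
#define HDR_LEN 4u  /* MCTP transport header length */

/* Hypothetical buffer descriptor as read from the control space. */
struct buf_desc {
	uint32_t offset; /* from the start of the shared LPC window */
	uint32_t size;
};

/* In bounds: after the control region, inside the window, BTU-capable. */
static bool buf_in_bounds(struct buf_desc b, uint32_t ctrl_size,
			  uint32_t window_size)
{
	if (b.size < HDR_LEN + BTU)
		return false;
	if (b.offset < ctrl_size || b.offset > window_size)
		return false;
	/* Compare against the remainder so offset + size cannot wrap. */
	return b.size <= window_size - b.offset;
}

/* Validate a proposed Rx/Tx arrangement (steps 3 and 5). */
bool layout_valid(struct buf_desc rx, struct buf_desc tx, uint32_t ctrl_size,
		  uint32_t window_size)
{
	if (!buf_in_bounds(rx, ctrl_size, window_size) ||
	    !buf_in_bounds(tx, ctrl_size, window_size))
		return false;
	/* Both ends are now <= window_size, so these sums are safe. */
	return !(rx.offset < tx.offset + tx.size &&
		 tx.offset < rx.offset + rx.size);
}

/* MTU for the session, or 0 when no packets may be sent. */
uint32_t session_mtu(unsigned version, struct buf_desc rx, struct buf_desc tx,
		     uint32_t ctrl_size, uint32_t window_size)
{
	/* Version 0 is what the BMC writes when initialisation fails. */
	if (version == 0 || !layout_valid(rx, tx, ctrl_size, window_size))
		return 0;
	/* v1: BTU regardless of sizes; v2: sized to fill the Tx buffer. */
	return version < 2 ? BTU : tx.size - HDR_LEN;
}

int main(void)
{
	/* Constructed values: 256-byte control region, 64 KiB window. */
	struct buf_desc rx = { 0x0100, 0x1000 }, tx = { 0x1100, 0x1000 };
	struct buf_desc bad = { 0xffffff00u, 0x1000 }; /* out of bounds */

	printf("v2 mtu=%u, v1 mtu=%u, bad mtu=%u\n",
	       session_mtu(2, rx, tx, 0x100, 0x10000),
	       session_mtu(1, rx, tx, 0x100, 0x10000),
	       session_mtu(2, rx, bad, 0x100, 0x10000));
	return 0;
}
```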
|
4e8264b7 | 23-May-2020 |
Andrew Jeffery <andrew@aj.id.au> |
astlpc: Implement version negotiation
Binding version negotiation was previously left as a todo. With the upcoming efforts to introduce MTU negotiation we need to repurpose some of the fields in the control structure (in a backwards-compatible way), so make sure we can first negotiate the protocol version before proceeding to change the semantics of the fields.
Change-Id: Ibd2283987b8b60b3ab7ada667e2b507b4ac09034 Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
|
979c6a16 | 23-May-2020 |
Andrew Jeffery <andrew@aj.id.au> |
astlpc: Remove redundant lpc_map_base member from context struct
We only make use of lpc_map once we've established where the structure lives in the LPC FW address space; there's no need to carry lpc_map_base around beyond this initial calculation.
Signed-off-by: Andrew Jeffery <andrew@aj.id.au> Change-Id: Ib341643b936c10e386d67934a5d92fb59dd5b477
|