esp: check dma length before reading scsi command(CVE-2016-4441)
1 /*
2 * IPMI KCS test cases, using the local interface.
4 * Copyright (c) 2012 Corey Minyard <cminyard@mvista.com>
6 * Permission is hereby granted, free of charge, to any person obtaining a copy
7 * of this software and associated documentation files (the "Software"), to deal
8 * in the Software without restriction, including without limitation the rights
9 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 * copies of the Software, and to permit persons to whom the Software is
11 * furnished to do so, subject to the following conditions:
13 * The above copyright notice and this permission notice shall be included in
14 * all copies or substantial portions of the Software.
16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
19 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 * THE SOFTWARE.
25 #include "qemu/osdep.h"
27 #include <glib.h>
29 #include "libqtest.h"
/* Interrupt line the test expects the KCS interface to raise. */
#define IPMI_IRQ                        5

/* I/O port base: data register at BASE, status/command register at BASE + 1. */
#define IPMI_KCS_BASE                   0xca2

/* Control codes written to the command register. */
#define IPMI_KCS_STATUS_ABORT           0x60
#define IPMI_KCS_CMD_WRITE_START        0x61
#define IPMI_KCS_CMD_WRITE_END          0x62
/* Written to the data register to request the next response byte. */
#define IPMI_KCS_CMD_READ               0x68

/* Status byte the test expects in rsp[0] after an abort. */
#define IPMI_KCS_ABORTED_BY_CMD         0x01

/*
 * Field accessors for the status register.  Each one expands to a fresh
 * kcs_get_cmdreg() call, i.e. a new port read on every use.
 */
/* Bits 7:6: interface state. */
#define IPMI_KCS_CMDREG_GET_STATE()     ((kcs_get_cmdreg() >> 6) & 3)
#define IPMI_KCS_STATE_IDLE             0
#define IPMI_KCS_STATE_READ             1
#define IPMI_KCS_STATE_WRITE            2
#define IPMI_KCS_STATE_ERROR            3
/* Bit 3: C/D flag. */
#define IPMI_KCS_CMDREG_GET_CD()        ((kcs_get_cmdreg() >> 3) & 1)
/* Bit 2: ATN flag. */
#define IPMI_KCS_CMDREG_GET_ATN()       ((kcs_get_cmdreg() >> 2) & 1)
/* Bit 1: IBF (input buffer full). */
#define IPMI_KCS_CMDREG_GET_IBF()       ((kcs_get_cmdreg() >> 1) & 1)
/* Bit 0: OBF (output buffer full). */
#define IPMI_KCS_CMDREG_GET_OBF()       ((kcs_get_cmdreg() >> 0) & 1)

/*
 * Non-zero once test_enable_irq() has run; kcs_clear_obf() uses it to decide
 * whether IPMI_IRQ is expected to be asserted while OBF is set.
 */
static int kcs_ints_enabled;
/* Read the KCS status register (the port at IPMI_KCS_BASE + 1). */
static uint8_t kcs_get_cmdreg(void)
{
    uint8_t status = inb(IPMI_KCS_BASE + 1);

    return status;
}
/*
 * Write a control code to the KCS command register, which shares the port at
 * IPMI_KCS_BASE + 1 with the status register.
 *
 * val: byte to write, e.g. IPMI_KCS_CMD_WRITE_START.
 */
static void kcs_write_cmdreg(uint8_t val)
{
    uint8_t control_code = val;

    outb(IPMI_KCS_BASE + 1, control_code);
}
/*
 * Read one byte from the KCS data register (the port at IPMI_KCS_BASE).
 * kcs_clear_obf() asserts that OBF is 0 after this read.
 */
static uint8_t kcs_get_datareg(void)
{
    uint8_t data = inb(IPMI_KCS_BASE);

    return data;
}
/*
 * Write one byte to the KCS data register (the port at IPMI_KCS_BASE).
 *
 * val: request byte, or IPMI_KCS_CMD_READ to ask for the next response byte.
 */
static void kcs_write_datareg(uint8_t val)
{
    uint8_t data = val;

    outb(IPMI_KCS_BASE, data);
}
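/*
 * Poll the status register until IBF reads 0.
 *
 * The poll is bounded: the test aborts through g_assert() once the retry
 * budget is used up, so a device that never clears IBF cannot hang the run.
 */
static void kcs_wait_ibf(void)
{
    unsigned int count = 1000;

    while (IPMI_KCS_CMDREG_GET_IBF() != 0) {
        /*
         * Keep the decrement outside g_assert(): if assertions were ever
         * compiled out, a side effect inside the macro would disappear with
         * them and the counter would stop advancing.
         */
        count--;
        g_assert(count != 0);
    }
}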
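/*
 * Poll the status register until OBF reads 1.
 *
 * The poll is bounded: the test aborts through g_assert() once the retry
 * budget is used up, so a device that never sets OBF cannot hang the run.
 */
static void kcs_wait_obf(void)
{
    unsigned int count = 1000;

    while (IPMI_KCS_CMDREG_GET_OBF() == 0) {
        /*
         * Keep the decrement outside g_assert(): if assertions were ever
         * compiled out, a side effect inside the macro would disappear with
         * them and the counter would stop advancing.
         */
        count--;
        g_assert(count != 0);
    }
}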
/*
 * Consume the pending output byte and verify the interrupt bookkeeping.
 *
 * Before the read, IPMI_IRQ must be asserted exactly when interrupts have
 * been enabled (kcs_ints_enabled) and OBF must be 1.  After the data register
 * has been read, OBF must be 0 and the interrupt line must be low.
 */
static void kcs_clear_obf(void)
{
    int irq_expected = (kcs_ints_enabled != 0);

    /* The line level must match the enabled/disabled mode. */
    g_assert(!get_irq(IPMI_IRQ) == !irq_expected);

    g_assert(IPMI_KCS_CMDREG_GET_OBF() == 1);

    /* The byte itself is discarded; only the effect of the read matters. */
    (void)kcs_get_datareg();

    g_assert(IPMI_KCS_CMDREG_GET_OBF() == 0);
    g_assert(!get_irq(IPMI_IRQ));
}
/*
 * Assert that the state field of the status register equals the given state.
 *
 * state: one of the IPMI_KCS_STATE_* values.
 */
static void kcs_check_state(uint8_t state)
{
    unsigned int current = IPMI_KCS_CMDREG_GET_STATE();

    g_assert(current == state);
}
/*
 * Run one complete KCS transaction: send a request and collect the response.
 *
 * cmd, cmd_len: request bytes to write to the data register.
 * rsp:          buffer that receives the response bytes.
 * rsp_len:      in: capacity of rsp; out: number of bytes stored.
 *
 * Any deviation from the expected state sequence aborts the test through
 * g_assert().
 */
static void kcs_cmd(uint8_t *cmd, unsigned int cmd_len,
                    uint8_t *rsp, unsigned int *rsp_len)
{
    unsigned int sent;
    unsigned int received = 0;
    int reading = 1;

    /* Should be idle */
    g_assert(kcs_get_cmdreg() == 0);

    /* Write phase: WRITE_START, the request bytes, WRITE_END, a final 0. */
    kcs_write_cmdreg(IPMI_KCS_CMD_WRITE_START);
    kcs_wait_ibf();
    kcs_check_state(IPMI_KCS_STATE_WRITE);
    kcs_clear_obf();

    for (sent = 0; sent < cmd_len; sent++) {
        kcs_write_datareg(cmd[sent]);
        kcs_wait_ibf();
        kcs_check_state(IPMI_KCS_STATE_WRITE);
        kcs_clear_obf();
    }

    kcs_write_cmdreg(IPMI_KCS_CMD_WRITE_END);
    kcs_wait_ibf();
    kcs_check_state(IPMI_KCS_STATE_WRITE);
    kcs_clear_obf();
    kcs_write_datareg(0);

    /* Read phase: one byte per pass while the interface reports READ. */
    while (reading) {
        kcs_wait_ibf();
        switch (IPMI_KCS_CMDREG_GET_STATE()) {
        case IPMI_KCS_STATE_READ:
            kcs_wait_obf();
            /*
             * The device decides how many bytes it returns, so this check
             * is what keeps the store below inside the caller's buffer.
             */
            g_assert(received < *rsp_len);
            rsp[received++] = kcs_get_datareg();
            kcs_write_datareg(IPMI_KCS_CMD_READ);
            break;

        case IPMI_KCS_STATE_IDLE:
            /* End of response: drain the last byte and stop. */
            kcs_wait_obf();
            kcs_get_datareg();
            reading = 0;
            break;

        default:
            g_assert(0);
            reading = 0;
            break;
        }
    }

    *rsp_len = received;
}
/*
 * Send a request, read the first response byte, then abort the transfer.
 *
 * cmd, cmd_len: request bytes to write to the data register.
 * rsp:          buffer for response bytes; rsp[0] ends up holding the byte
 *               read back during the abort sequence.
 * rsp_len:      in: capacity of rsp; out: set to 1, the number of bytes
 *               stored before the abort.
 *
 * Any deviation from the expected state sequence aborts the test through
 * g_assert().
 */
static void kcs_abort(uint8_t *cmd, unsigned int cmd_len,
                      uint8_t *rsp, unsigned int *rsp_len)
{
    unsigned int sent;
    unsigned int received = 0;
    unsigned int retries = 4;

    /* Should be idle */
    g_assert(kcs_get_cmdreg() == 0);

    /* Write phase: WRITE_START, the request bytes, WRITE_END, a final 0. */
    kcs_write_cmdreg(IPMI_KCS_CMD_WRITE_START);
    kcs_wait_ibf();
    kcs_check_state(IPMI_KCS_STATE_WRITE);
    kcs_clear_obf();

    for (sent = 0; sent < cmd_len; sent++) {
        kcs_write_datareg(cmd[sent]);
        kcs_wait_ibf();
        kcs_check_state(IPMI_KCS_STATE_WRITE);
        kcs_clear_obf();
    }

    kcs_write_cmdreg(IPMI_KCS_CMD_WRITE_END);
    kcs_wait_ibf();
    kcs_check_state(IPMI_KCS_STATE_WRITE);
    kcs_clear_obf();
    kcs_write_datareg(0);
    kcs_wait_ibf();

    /* Take exactly one response byte so the abort lands mid-read. */
    if (IPMI_KCS_CMDREG_GET_STATE() == IPMI_KCS_STATE_READ) {
        kcs_wait_obf();
        /*
         * Capacity check for the store below.  It also guarantees that
         * *rsp_len is at least 1, which the unchecked rsp[0] store in the
         * abort sequence relies on.
         */
        g_assert(received < *rsp_len);
        rsp[received++] = kcs_get_datareg();
        kcs_write_datareg(IPMI_KCS_CMD_READ);
    } else {
        g_assert(0);
    }

    /* Start the abort here */
    for (;;) {
        /* Each failed attempt costs one retry; stop once they are used up. */
        g_assert(retries > 0);

        kcs_wait_ibf();
        kcs_write_cmdreg(IPMI_KCS_STATUS_ABORT);
        kcs_wait_ibf();
        kcs_clear_obf();
        kcs_write_datareg(0);
        kcs_wait_ibf();
        if (IPMI_KCS_CMDREG_GET_STATE() != IPMI_KCS_STATE_READ) {
            retries--;
            continue;
        }

        kcs_wait_obf();
        /* Overwrites the byte stored before the abort. */
        rsp[0] = kcs_get_datareg();
        kcs_write_datareg(IPMI_KCS_CMD_READ);
        kcs_wait_ibf();
        if (IPMI_KCS_CMDREG_GET_STATE() != IPMI_KCS_STATE_IDLE) {
            retries--;
            continue;
        }

        break;
    }

    kcs_wait_obf();
    kcs_clear_obf();

    *rsp_len = received;
}
/* Request bytes for the get_device_id command sent by the tests. */
static uint8_t get_dev_id_cmd[] = {
    0x18, 0x01
};

/* Exact response the tests expect back for get_dev_id_cmd. */
static uint8_t get_dev_id_rsp[] = {
    0x1c, 0x01, 0x00, 0x20, 0x00, 0x00, 0x00,
    0x02, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00
};
/*
 * Basic test: send a get_device_id request and require the response to match
 * get_dev_id_rsp in both length and content.
 */
static void test_kcs_base(void)
{
    uint8_t reply[20];
    unsigned int reply_len = sizeof(reply);

    kcs_cmd(get_dev_id_cmd, sizeof(get_dev_id_cmd), reply, &reply_len);

    /* Check the length first so memcmp() never compares unwritten bytes. */
    g_assert(reply_len == sizeof(get_dev_id_rsp));
    g_assert(memcmp(get_dev_id_rsp, reply, reply_len) == 0);
}
/*
 * Abort a KCS operation while its response is being read, and require the
 * byte returned by the abort sequence to be IPMI_KCS_ABORTED_BY_CMD.
 */
static void test_kcs_abort(void)
{
    uint8_t reply[20];
    unsigned int reply_len = sizeof(reply);

    kcs_abort(get_dev_id_cmd, sizeof(get_dev_id_cmd), reply, &reply_len);

    /* kcs_abort() stores the byte read during the abort in reply[0]. */
    g_assert(reply[0] == IPMI_KCS_ABORTED_BY_CMD);
}
/* Request bytes sent by test_enable_irq() to turn interrupts on. */
static uint8_t set_bmc_globals_cmd[] = {
    0x18, 0x2e, 0x0f
};

/* Exact response the test expects back for set_bmc_globals_cmd. */
static uint8_t set_bmc_globals_rsp[] = {
    0x1c, 0x2e, 0x00
};
/*
 * Enable interrupts: send set_bmc_globals_cmd, require the response to match
 * set_bmc_globals_rsp, then set kcs_ints_enabled so that later tests expect
 * IPMI_IRQ to be raised.
 */
static void test_enable_irq(void)
{
    uint8_t reply[20];
    unsigned int reply_len = sizeof(reply);

    kcs_cmd(set_bmc_globals_cmd, sizeof(set_bmc_globals_cmd),
            reply, &reply_len);

    /* Check the length first so memcmp() never compares unwritten bytes. */
    g_assert(reply_len == sizeof(set_bmc_globals_rsp));
    g_assert(memcmp(set_bmc_globals_rsp, reply, reply_len) == 0);

    /* Only switch expectations once the device has accepted the command. */
    kcs_ints_enabled = 1;
}
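/*
 * Test entry point.
 *
 * On targets other than i386/x86_64 it logs a message and returns 0 without
 * running anything.  Otherwise it starts QEMU with the simulated BMC and the
 * ISA KCS interface, registers the test cases and runs them.
 *
 * Returns the result of g_test_run().
 */
int main(int argc, char **argv)
{
    const char *arch = qtest_get_arch();
    int ret;

    /* Check architecture */
    if (strcmp(arch, "i386") != 0 && strcmp(arch, "x86_64") != 0) {
        g_test_message("Skipping test for non-x86\n");
        return 0;
    }

    /* Run the tests */
    g_test_init(&argc, &argv, NULL);

    /*
     * The command line is a fixed string, so pass the literal directly.
     * The original built it with g_strdup_printf() and never freed the
     * copy; using the literal removes both the allocation and the leak.
     */
    qtest_start("-vnc none -device ipmi-bmc-sim,id=bmc0"
                " -device isa-ipmi-kcs,bmc=bmc0");
    qtest_irq_intercept_in(global_qtest, "ioapic");

    /*
     * Registration order matters: the base and abort tests are registered
     * again after kcs_enable_irq, which sets kcs_ints_enabled, so the second
     * pass runs with interrupts expected.
     */
    qtest_add_func("/ipmi/local/kcs_base", test_kcs_base);
    qtest_add_func("/ipmi/local/kcs_abort", test_kcs_abort);
    qtest_add_func("/ipmi/local/kcs_enable_irq", test_enable_irq);
    qtest_add_func("/ipmi/local/kcs_base_irq", test_kcs_base);
    qtest_add_func("/ipmi/local/kcs_abort_irq", test_kcs_abort);

    ret = g_test_run();
    qtest_quit(global_qtest);

    return ret;
}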