From: "Michael S. Tsirkin" <mst@redhat.com>
To: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Cc: Anthony Liguori <anthony@codemonkey.ws>,
	qemu-stable@nongnu.org, qemu-devel@nongnu.org,
	Stefan Hajnoczi <stefanha@redhat.com>,
	Dmitry Fleytman <dmitry@daynix.com>,
	Paolo Bonzini <pbonzini@redhat.com>,
	mdroth@linux.vnet.ibm.com
Subject: Re: [Qemu-devel] [PATCH v4 27/30] vmxnet3: validate interrupt indices coming from guest
Date: Thu, 3 Apr 2014 19:07:37 +0300
Message-ID: <20140403160737.GA18418@redhat.com>
In-Reply-To: <20140401130752.GL2411@work-vm>

On Tue, Apr 01, 2014 at 02:07:52PM +0100, Dr. David Alan Gilbert wrote:
> * Dmitry Fleytman (dmitry@daynix.com) wrote:
> > 
> > On Apr 1, 2014, at 14:33 PM, Dr. David Alan Gilbert <dgilbert@redhat.com> wrote:
> > 
> > > * Michael S. Tsirkin (mst@redhat.com) wrote:
> > >> From: Dmitry Fleytman <dmitry@daynix.com>
> > >> 
> > >> CVE-2013-4544
> > >> 
> > >> Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
> > >> Reported-by: Michael S. Tsirkin <mst@redhat.com>
> > >> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> > >> ---
> > >> hw/net/vmxnet3.c | 36 ++++++++++++++++++++++++++++++++++--
> > >> 1 file changed, 34 insertions(+), 2 deletions(-)
> > >> 
> > >> diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
> > >> index 5be807c..a4b5c11 100644
> > >> --- a/hw/net/vmxnet3.c
> > >> +++ b/hw/net/vmxnet3.c
> > >> @@ -52,6 +52,9 @@
> > >> #define VMXNET3_DEVICE_VERSION    0x1
> > >> #define VMXNET3_DEVICE_REVISION   0x1
> > >> 
> > >> +/* Number of interrupt vectors for INTx/MSI */
> > >> +#define VMXNET3_MAX_NMSIX_INTRS   (1)
> > > 
> > > As per Dmitry's reply this is apparently the number of non-MSIX
> > > interrupts; can we change the comment to make this clear.
> > 
> > Not sure how to change it.
> > There are three modes of operation:
> > 1. INTx - 1 interrupt is used
> > 2. MSI - 1 interrupt is used
> > 3. MSIx - up to 25 interrupts are used.
> > 
> > This define covers the first 2 modes of operation.
> > Would something like
> > 
> > /* Number of interrupt vectors for non-MSIx modes */
> > 
> > be better?
> 
> Yes - that's fine.
> 
> Dave


OK Dmitry, can you please resend patches with suggested comment changes?

> > 
> > 
> > > 
> > >> +
> > >> /* Macros for rings descriptors access */
> > >> #define VMXNET3_READ_TX_QUEUE_DESCR8(dpa, field) \
> > >>     (vmw_shmem_ld8(dpa + offsetof(struct Vmxnet3_TxQueueDesc, field)))
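Review bot: the comment on the new define, `/* Number of interrupt vectors for INTx/MSI */`, reads as if it counted INTx and MSI vectors together; the wording agreed later in this thread, `/* Number of interrupt vectors for non-MSIx modes */`, says what the value means: one vector in INTx mode, one in MSI mode, and only MSI-X goes up to VMXNET3_MAX_INTRS. Also, the commit message consists of the CVE id alone; one sentence stating that the event and per-queue interrupt indices come from the guest and were previously used without a bounds check would let stable maintainers assess the fix without reading the code.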
> > >> @@ -1305,6 +1308,34 @@ static bool vmxnet3_verify_intx(VMXNET3State *s, int intx)
> > >>            (pci_get_byte(s->parent_obj.config + PCI_INTERRUPT_PIN) - 1));
> > >> }
> > >> 
> > >> +static void vmxnet3_validate_interrupt_idx(bool is_msix, int idx)
> > >> +{
> > >> +    int max_ints = is_msix ? VMXNET3_MAX_INTRS : VMXNET3_MAX_NMSIX_INTRS;
> > >> +    if (idx >= max_ints) {
> > >> +        hw_error("Bad interrupt index: %d\n", idx);
> > >> +    }
> > > 
> > > Can we avoid hw_error here? We're using this in state load, so I'm
> > > OK at the thought of error_report, but then we should make
> > > this return a bool to say it's failed and bubble this up so
> > > that it just fails the post_load test like any other bad state load.
> > > 
> > > Dave
> > > 
> > >> +}
> > >> +
> > >> +static void vmxnet3_validate_interrupts(VMXNET3State *s)
> > >> +{
> > >> +    int i;
> > >> +
> > >> +    VMW_CFPRN("Verifying event interrupt index (%d)", s->event_int_idx);
> > >> +    vmxnet3_validate_interrupt_idx(s->msix_used, s->event_int_idx);
> > >> +
> > >> +    for (i = 0; i < s->txq_num; i++) {
> > >> +        int idx = s->txq_descr[i].intr_idx;
> > >> +        VMW_CFPRN("Verifying TX queue %d interrupt index (%d)", i, idx);
> > >> +        vmxnet3_validate_interrupt_idx(s->msix_used, idx);
> > >> +    }
> > >> +
> > >> +    for (i = 0; i < s->rxq_num; i++) {
> > >> +        int idx = s->rxq_descr[i].intr_idx;
> > >> +        VMW_CFPRN("Verifying RX queue %d interrupt index (%d)", i, idx);
> > >> +        vmxnet3_validate_interrupt_idx(s->msix_used, idx);
> > >> +    }
> > >> +}
> > >> +
> > >> static void vmxnet3_activate_device(VMXNET3State *s)
> > >> {
> > >>     int i;
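Review bot: `vmxnet3_validate_interrupt_idx()` takes `int idx` but only rejects `idx >= max_ints`, so a negative value passes the check; unless the `intr_idx` and `event_int_idx` fields are narrow unsigned types (not visible in this hunk), the condition should be `idx < 0 || idx >= max_ints`, or the parameter should be unsigned. Separately, as already raised in the thread, `hw_error()` aborts QEMU, so the validator should return a bool and let the caller fail with `error_report()`; that keeps a bad value out of the interrupt arrays without bringing the whole VM down, and the same function can then be reused from the post_load path, which cannot abort.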
> > >> @@ -1447,6 +1478,8 @@ static void vmxnet3_activate_device(VMXNET3State *s)
> > >>                sizeof(s->rxq_descr[i].rxq_stats));
> > >>     }
> > >> 
> > >> +    vmxnet3_validate_interrupts(s);
> > >> +
> > >>     /* Make sure everything is in place before device activation */
> > >>     smp_wmb();
> > >> 
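Review bot: calling `vmxnet3_validate_interrupts(s)` after the per-queue setup loop and before the `smp_wmb()` that publishes activation is the right point, since all indices have been read by then and nothing has been activated yet. If the validator is changed to return a bool as suggested above, this call site should check the result and return from `vmxnet3_activate_device()` on failure, leaving the device inactive rather than continuing with unvalidated indices.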
> > >> @@ -2005,7 +2038,6 @@ vmxnet3_cleanup_msix(VMXNET3State *s)
> > >>     }
> > >> }
> > >> 
> > >> -#define VMXNET3_MSI_NUM_VECTORS   (1)
> > >> #define VMXNET3_MSI_OFFSET        (0x50)
> > >> #define VMXNET3_USE_64BIT         (true)
> > >> #define VMXNET3_PER_VECTOR_MASK   (false)
> > >> @@ -2016,7 +2048,7 @@ vmxnet3_init_msi(VMXNET3State *s)
> > >>     PCIDevice *d = PCI_DEVICE(s);
> > >>     int res;
> > >> 
> > >> -    res = msi_init(d, VMXNET3_MSI_OFFSET, VMXNET3_MSI_NUM_VECTORS,
> > >> +    res = msi_init(d, VMXNET3_MSI_OFFSET, VMXNET3_MAX_NMSIX_INTRS,
> > >>                    VMXNET3_USE_64BIT, VMXNET3_PER_VECTOR_MASK);
> > >>     if (0 > res) {
> > >>         VMW_WRPRN("Failed to initialize MSI, error %d", res);
> > >> -- 
> > >> MST
> > >> 
> > > --
> > > Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
> > 
> --
> Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK

