From: "Marc Marí" <markmb@redhat.com>
To: Stefan Hajnoczi <stefanha@gmail.com>
Cc: Peter Maydell <peter.maydell@linaro.org>,
Drew <drjones@redhat.com>, "Gabriel L. Somlo" <somlo@cmu.edu>,
QEMU Developers <qemu-devel@nongnu.org>,
Kevin O'Connor <kevin@koconnor.net>,
Gerd Hoffmann <kraxel@redhat.com>, Laszlo <lersek@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v4 3/7] Implement fw_cfg DMA interface
Date: Thu, 8 Oct 2015 12:01:42 +0200
Message-ID: <20151008120142.285e46fb@markmb_rh>
In-Reply-To: <20151008090734.GB29433@stefanha-thinkpad.redhat.com>
On Thu, 8 Oct 2015 10:07:34 +0100
Stefan Hajnoczi <stefanha@gmail.com> wrote:
> On Tue, Oct 06, 2015 at 03:53:33PM +0100, Peter Maydell wrote:
> > On 6 October 2015 at 15:44, Stefan Hajnoczi <stefanha@gmail.com>
> > wrote:
> > > On Thu, Oct 01, 2015 at 02:16:55PM +0200, Marc Marí wrote:
> > >> @@ -292,6 +307,119 @@ static void fw_cfg_data_mem_write(void
> > >> *opaque, hwaddr addr, } while (i);
> > >> }
> > >>
> > >> +static void fw_cfg_dma_transfer(FWCfgState *s)
> > >> +{
> > >> + dma_addr_t len;
> > >> + FWCfgDmaAccess dma;
> > >> + int arch;
> > >> + FWCfgEntry *e;
> > >> + int read;
> > >> + dma_addr_t dma_addr;
> > >> +
> > >> + /* Reset the address before the next access */
> > >> + dma_addr = s->dma_addr;
> > >> + s->dma_addr = 0;
> > >> +
> > >> + dma.address = ldq_be_dma(s->dma_as,
> > >> + dma_addr + offsetof(FWCfgDmaAccess,
> > >> address));
> > >> + dma.length = ldl_be_dma(s->dma_as,
> > >> + dma_addr + offsetof(FWCfgDmaAccess,
> > >> length));
> > >> + dma.control = ldl_be_dma(s->dma_as,
> > >> + dma_addr + offsetof(FWCfgDmaAccess,
> > >> control));
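Review bot: the three ld{q,l}_be_dma() loads from dma_addr (the `dma.address = ldq_be_dma(...)`, `dma.length = ldl_be_dma(...)` and `dma.control = ldl_be_dma(...)` lines) discard the result of the underlying dma_memory_read(), so when the guest-supplied dma_addr is not mapped the descriptor fields come from an uninitialized local and the transfer goes ahead on garbage. Replace them with a single `dma_memory_read(s->dma_as, dma_addr, &dma, sizeof(dma))`, check its return value, write FW_CFG_DMA_CTL_ERROR back to the control word and return early on failure, then convert the fields from big-endian as the ld*_be_dma() helpers did.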
> > >
> > > ldq_be_dma() doesn't report errors. If dma_addr is invalid the
> > > return value could be anything. Memory corruption inside the
> > > guest is possible if the address/length/control values happen to
> > > cause a memory read operation!
> >
> > We discussed this in a previous revision. IMHO if the guest has
> > passed us a bogus dma_addr it should expect memory corruption.
> > We only need to be sure we don't allow a VM escape.
>
> Even if the guest-visible behavior doesn't matter, Valgrind won't like
> this. ldq_be_dma() reads from uninitialized stack memory:
>
> #define DEFINE_LDST_DMA(_lname, _sname, _bits, _end) \
>     static inline uint##_bits##_t ld##_lname##_##_end##_dma(AddressSpace *as, \
>                                                             dma_addr_t addr) \
>     { \
>         uint##_bits##_t val; \
>         dma_memory_read(as, addr, &val, (_bits) / 8); \
>         return _end##_bits##_to_cpu(val); \
>     }
>
> Bad QEMU, bad userspace process :).
>
> I think we really need to check the error and at least return early.
It doesn't hurt to check the error. I'll add it.
Thanks
Marc
> > > Instead, please use:
> > >
> > > if (dma_memory_read(s->dma_as, dma_addr, &dma, sizeof(dma))) {
> > >     stl_be_dma(s->dma_as, dma_addr + offsetof(FWCfgDmaAccess, control),
> > >                FW_CFG_DMA_CTL_ERROR);
> >
> > If the guest handed us a bad dma_addr then this write will also
> > be bogus and could corrupt the guest's memory.
>
> That's fine because it's not a random address - it's the address that
> the guest gave us.
>
> Stefan
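The checked single-read fetch discussed above, as an added example that is not QEMU's code: a toy guest address space stands in for the AddressSpace, and dma_memory_read()/dma_memory_write(), FWCfgDmaAccess and FW_CFG_DMA_CTL_ERROR are stand-ins named after the thread's identifiers, with a constructed descriptor placed at guest offset 0x100.

```c
/* Added example, not QEMU code: the descriptor fetch from the thread done as
 * one checked dma_memory_read() against a toy guest address space. The
 * names mirror the thread; the helpers and the RAM contents are stand-ins. */
#include <stdint.h>
#include <string.h>
#define FW_CFG_DMA_CTL_ERROR 0x01
#define GUEST_RAM_SIZE 4096u
typedef struct { uint64_t address; uint32_t length; uint32_t control; } FWCfgDmaAccess;
/* Toy guest RAM with a constructed descriptor at 0x100, big-endian:
 * address = 0x2000, length = 256, control = 0x02. */
static uint8_t guest_ram[GUEST_RAM_SIZE] = {
    [0x100] = 0, 0, 0, 0, 0, 0, 0x20, 0x00, 0, 0, 0x01, 0x00, 0, 0, 0, 0x02
};
/* Stand-ins for QEMU's DMA helpers: 0 on success, nonzero when the range
 * is unmapped, in which case the buffer (or RAM) is left untouched. */
static int dma_memory_read(uint64_t addr, void *buf, size_t len)
{
    if (addr > GUEST_RAM_SIZE || len > GUEST_RAM_SIZE - addr) return 1;
    memcpy(buf, guest_ram + addr, len);
    return 0;
}
static int dma_memory_write(uint64_t addr, const void *buf, size_t len)
{
    if (addr > GUEST_RAM_SIZE || len > GUEST_RAM_SIZE - addr) return 1;
    memcpy(guest_ram + addr, buf, len);
    return 0;
}
static uint64_t be_load(const uint8_t *p, int n)  /* big-endian field */
{
    uint64_t v = 0;
    for (int i = 0; i < n; i++) v = (v << 8) | p[i];
    return v;
}
/* One read of the whole 16-byte descriptor with the result checked. On
 * failure the output is zeroed (never stale stack data), the ERROR bit is
 * written back to the control word as a best effort (with a bogus dma_addr
 * that write fails too, as the thread notes) and -1 tells the caller to stop. */
static int fw_cfg_dma_fetch(uint64_t dma_addr, FWCfgDmaAccess *dma)
{
    uint8_t raw[16], err[4] = { 0, 0, 0, FW_CFG_DMA_CTL_ERROR };
    memset(dma, 0, sizeof(*dma));
    if (dma_memory_read(dma_addr, raw, sizeof(raw))) {
        dma_memory_write(dma_addr + 12, err, sizeof(err)); /* control field */
        return -1;
    }
    dma->address = be_load(raw, 8);
    dma->length = (uint32_t)be_load(raw + 8, 4);
    dma->control = (uint32_t)be_load(raw + 12, 4);
    return 0;
}
```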