From: Avi Kivity <avi@redhat.com>
To: Amit Shah <amit.shah@redhat.com>
Cc: mst@redhat.com, quintela@redhat.com, qemu-devel@nongnu.org,
	virtualization@lists.linux-foundation.org
Subject: Re: [PATCH 4/9] virtio-serial: Handle scatter-gather buffers for control messages
Date: Sat, 20 Mar 2010 09:40:50 +0200	[thread overview]
Message-ID: <4BA47C02.3000105@redhat.com> (raw)
In-Reply-To: <1268999926-29560-5-git-send-email-amit.shah@redhat.com>

On 03/19/2010 01:58 PM, Amit Shah wrote:
> Current control messages are small enough to not be split into multiple
> buffers but we could run into such a situation in the future or a
> malicious guest could cause such a situation.
>
> So handle the entire iov request for control messages.
>
> Also ensure the size of the control request is >= what we expect
> otherwise we risk accessing memory that we don't own.
>
> Signed-off-by: Amit Shah<amit.shah@redhat.com>
> CC: Avi Kivity<avi@redhat.com>
> Reported-by: Avi Kivity<avi@redhat.com>
> ---
>   hw/virtio-serial-bus.c |   43 ++++++++++++++++++++++++++++++++++++++++---
>   1 files changed, 40 insertions(+), 3 deletions(-)
>
> diff --git a/hw/virtio-serial-bus.c b/hw/virtio-serial-bus.c
> index 830eb75..d5887ab 100644
> --- a/hw/virtio-serial-bus.c
> +++ b/hw/virtio-serial-bus.c
> @@ -200,7 +200,7 @@ size_t virtio_serial_guest_ready(VirtIOSerialPort *port)
>   }
>
>   /* Guest wants to notify us of some event */
> -static void handle_control_message(VirtIOSerial *vser, void *buf)
> +static void handle_control_message(VirtIOSerial *vser, void *buf, size_t len)
>   {
>       struct VirtIOSerialPort *port;
>       struct virtio_console_control cpkt, *gcpkt;
> @@ -208,6 +208,10 @@ static void handle_control_message(VirtIOSerial *vser, void *buf)
>       size_t buffer_len;
>
>       gcpkt = buf;
> +    if (len<  sizeof(cpkt)) {
> +        /* The guest sent an invalid control packet */
> +        return;
> +    }
>       port = find_port_by_id(vser, ldl_p(&gcpkt->id));
>       if (!port)
>           return;
> @@ -281,12 +285,45 @@ static void control_out(VirtIODevice *vdev, VirtQueue *vq)
>   {
>       VirtQueueElement elem;
>       VirtIOSerial *vser;
> +    uint8_t *buf;
> +    size_t len;
>
>       vser = DO_UPCAST(VirtIOSerial, vdev, vdev);
>
> +    len = 0;
> +    buf = NULL;
>       while (virtqueue_pop(vq,&elem)) {
> -        handle_control_message(vser, elem.out_sg[0].iov_base);
> -        virtqueue_push(vq,&elem, elem.out_sg[0].iov_len);
> +        unsigned int i;
> +        size_t cur_len, offset;
> +
> +        cur_len = 0;
> +        for (i = 0; i<  elem.out_num; i++) {
> +            cur_len += elem.out_sg[i].iov_len;
> +        }
> +        /*
> +         * Allocate a new buf only if we didn't have one previously or
> +         * if the size of the buf differs
> +         */
> +        if (cur_len != len) {
> +            if (len) {
> +                qemu_free(buf);
> +            }
> +            buf = qemu_malloc(cur_len);
> +        }
> +
> +        offset = 0;
> +        for (i = 0; i<  elem.out_num; i++) {
> +            memcpy(buf + offset, elem.out_sg[i].iov_base,
> +                   elem.out_sg[i].iov_len);
> +            offset += elem.out_sg[i].iov_len;
> +        }
> +        len = cur_len;
> +
> +        handle_control_message(vser, buf, len);
> +        virtqueue_push(vq,&elem, len);
> +    }
> +    if (len) {
> +        qemu_free(buf);
>       }
>       virtio_notify(vdev, vq);
>   }
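Review bot: An element whose out buffers sum to zero is not handled by the new allocation logic: with a previous non-zero `len` the code frees `buf` and calls `qemu_malloc(0)`, and with `len == 0` it leaves `buf` NULL and still passes it to memcpy for every out buffer (zero-length, but formally undefined), all before handle_control_message gets the chance to reject the short packet. Since `cur_len` is derived from `elem.out_num` and each `iov_len`, which come from the guest's descriptors, add an early check right after the summing loop, e.g. `if (!cur_len) { virtqueue_push(vq, &elem, 0); continue; }`, so the allocate-and-copy path only runs for non-empty requests. Whether `qemu_malloc(0)` aborts or returns a usable pointer depends on the build's zero-size allocation policy, which is not visible here, so the check is worth having either way. The reuse-by-size logic would also read more clearly if `buf` were set to NULL immediately after each `qemu_free(buf)` rather than relying on `len` alone to say whether the pointer is live.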
>    

Isn't there some virtio function to linearize requests?

-- 
Do not meddle in the internals of kernels, for they are subtle and quick to panic.

From: Avi Kivity <avi@redhat.com>
To: Amit Shah <amit.shah@redhat.com>
Cc: mst@redhat.com, quintela@redhat.com, kraxel@redhat.com,
	qemu-devel@nongnu.org, virtualization@lists.linux-foundation.org
Subject: [Qemu-devel] Re: [PATCH 4/9] virtio-serial: Handle scatter-gather buffers for control messages
Date: Sat, 20 Mar 2010 09:40:50 +0200	[thread overview]
Message-ID: <4BA47C02.3000105@redhat.com> (raw)
In-Reply-To: <1268999926-29560-5-git-send-email-amit.shah@redhat.com>

On 03/19/2010 01:58 PM, Amit Shah wrote:
> Current control messages are small enough to not be split into multiple
> buffers but we could run into such a situation in the future or a
> malicious guest could cause such a situation.
>
> So handle the entire iov request for control messages.
>
> Also ensure the size of the control request is >= what we expect
> otherwise we risk accessing memory that we don't own.
>
> Signed-off-by: Amit Shah<amit.shah@redhat.com>
> CC: Avi Kivity<avi@redhat.com>
> Reported-by: Avi Kivity<avi@redhat.com>
> ---
>   hw/virtio-serial-bus.c |   43 ++++++++++++++++++++++++++++++++++++++++---
>   1 files changed, 40 insertions(+), 3 deletions(-)
>
> diff --git a/hw/virtio-serial-bus.c b/hw/virtio-serial-bus.c
> index 830eb75..d5887ab 100644
> --- a/hw/virtio-serial-bus.c
> +++ b/hw/virtio-serial-bus.c
> @@ -200,7 +200,7 @@ size_t virtio_serial_guest_ready(VirtIOSerialPort *port)
>   }
>
>   /* Guest wants to notify us of some event */
> -static void handle_control_message(VirtIOSerial *vser, void *buf)
> +static void handle_control_message(VirtIOSerial *vser, void *buf, size_t len)
>   {
>       struct VirtIOSerialPort *port;
>       struct virtio_console_control cpkt, *gcpkt;
> @@ -208,6 +208,10 @@ static void handle_control_message(VirtIOSerial *vser, void *buf)
>       size_t buffer_len;
>
>       gcpkt = buf;
> +    if (len<  sizeof(cpkt)) {
> +        /* The guest sent an invalid control packet */
> +        return;
> +    }
>       port = find_port_by_id(vser, ldl_p(&gcpkt->id));
>       if (!port)
>           return;
> @@ -281,12 +285,45 @@ static void control_out(VirtIODevice *vdev, VirtQueue *vq)
>   {
>       VirtQueueElement elem;
>       VirtIOSerial *vser;
> +    uint8_t *buf;
> +    size_t len;
>
>       vser = DO_UPCAST(VirtIOSerial, vdev, vdev);
>
> +    len = 0;
> +    buf = NULL;
>       while (virtqueue_pop(vq,&elem)) {
> -        handle_control_message(vser, elem.out_sg[0].iov_base);
> -        virtqueue_push(vq,&elem, elem.out_sg[0].iov_len);
> +        unsigned int i;
> +        size_t cur_len, offset;
> +
> +        cur_len = 0;
> +        for (i = 0; i<  elem.out_num; i++) {
> +            cur_len += elem.out_sg[i].iov_len;
> +        }
> +        /*
> +         * Allocate a new buf only if we didn't have one previously or
> +         * if the size of the buf differs
> +         */
> +        if (cur_len != len) {
> +            if (len) {
> +                qemu_free(buf);
> +            }
> +            buf = qemu_malloc(cur_len);
> +        }
> +
> +        offset = 0;
> +        for (i = 0; i<  elem.out_num; i++) {
> +            memcpy(buf + offset, elem.out_sg[i].iov_base,
> +                   elem.out_sg[i].iov_len);
> +            offset += elem.out_sg[i].iov_len;
> +        }
> +        len = cur_len;
> +
> +        handle_control_message(vser, buf, len);
> +        virtqueue_push(vq,&elem, len);
> +    }
> +    if (len) {
> +        qemu_free(buf);
>       }
>       virtio_notify(vdev, vq);
>   }
>    

Isn't there some virtio function to linearize requests?

-- 
Do not meddle in the internals of kernels, for they are subtle and quick to panic.

2010-03-19 11:58 [PATCH 0/9] virtio-serial fixes, ABI updates Amit Shah
2010-03-19 11:58 ` [Qemu-devel] " Amit Shah
2010-03-19 11:58 ` [PATCH 1/9] virtio-serial-bus: save/load: Ensure target has enough ports Amit Shah
2010-03-19 11:58   ` [Qemu-devel] " Amit Shah
2010-03-19 11:58   ` [PATCH 2/9] virtio-serial-bus: save/load: Ensure nr_ports on src and dest are same Amit Shah
2010-03-19 11:58     ` [Qemu-devel] " Amit Shah
2010-03-19 11:58     ` [PATCH 3/9] virtio-serial: save/load: Ensure we have hot-plugged ports instantiated Amit Shah
2010-03-19 11:58       ` [Qemu-devel] " Amit Shah
2010-03-19 11:58       ` [PATCH 4/9] virtio-serial: Handle scatter-gather buffers for control messages Amit Shah
2010-03-19 11:58         ` [Qemu-devel] " Amit Shah
2010-03-19 11:58         ` [PATCH 5/9] virtio-serial: Handle scatter/gather input from the guest Amit Shah
2010-03-19 11:58           ` [Qemu-devel] " Amit Shah
2010-03-19 11:58           ` [PATCH 6/9] virtio-serial: Remove redundant check for 0-sized write request Amit Shah
2010-03-19 11:58             ` [Qemu-devel] " Amit Shah
2010-03-19 11:58             ` [PATCH 7/9] virtio-serial: Update copyright year to 2010 Amit Shah
2010-03-19 11:58               ` [Qemu-devel] " Amit Shah
2010-03-19 11:58               ` [PATCH 8/9] virtio-serial-bus: Use a bitmap in virtio config space for active ports Amit Shah
2010-03-19 11:58                 ` [Qemu-devel] " Amit Shah
2010-03-19 11:58                 ` [PATCH 9/9] virtio-serial-bus: Let the guest know of host connection changes after migration Amit Shah
2010-03-19 11:58                   ` [Qemu-devel] " Amit Shah
2010-03-20  7:40         ` Avi Kivity [this message]
2010-03-20  7:40           ` [Qemu-devel] Re: [PATCH 4/9] virtio-serial: Handle scatter-gather buffers for control messages Avi Kivity
2010-03-22  5:18           ` Amit Shah
2010-03-22  5:18             ` Amit Shah
2010-03-23 15:51             ` Michael S. Tsirkin
2010-03-23 15:51               ` Michael S. Tsirkin
2010-03-23 16:15               ` Amit Shah
2010-03-23 16:15                 ` Amit Shah
2010-03-23 16:23                 ` Michael S. Tsirkin
2010-03-23 16:23                 ` Michael S. Tsirkin
2010-03-21 13:47 ` [PATCH 0/9] virtio-serial fixes, ABI updates Michael S. Tsirkin
2010-03-21 13:47   ` [Qemu-devel] " Michael S. Tsirkin
2010-03-22  4:55   ` Amit Shah
2010-03-22  4:55     ` [Qemu-devel] " Amit Shah
