From: Laszlo Ersek <lersek@redhat.com>
To: Alex Williamson <alex.williamson@redhat.com>
Cc: rth@twiddle.net, qemu-devel@nongnu.org, qemu-stable@nongnu.org
Subject: Re: [Qemu-devel] [PATCH] exec: Fix non-power-of-2 sized accesses
Date: Fri, 16 Aug 2013 09:10:39 +0200 [thread overview]
Message-ID: <520DD06F.80005@redhat.com> (raw)
In-Reply-To: <20130816044811.3049.77085.stgit@bling.home>
On 08/16/13 06:55, Alex Williamson wrote:
> Since commit 23326164 we align access sizes to match the alignment of
> the address, but we don't align the access size itself. This means we
> let illegal access sizes (ex. 3) slip through if the address is
> sufficiently aligned (ex. 4). This results in an abort which would be
> easy for a guest to trigger. Account for aligning the access size.
>
> Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
> Cc: qemu-stable@nongnu.org
> ---
>
> In the example I saw the guest was doing a 4-byte read at I/O port
> 0xcd7. We satisfy the first byte with a 1-byte read leaving 3 bytes
> remaining at an 8-byte aligned address... boom. ffs() caused weird
> stack smashing errors here, so I just did a loop since it can only
> run for a few iterations max.
>
> exec.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/exec.c b/exec.c
> index 3ca9381..652fc3a 100644
> --- a/exec.c
> +++ b/exec.c
> @@ -1924,6 +1924,13 @@ static int memory_access_size(MemoryRegion *mr, unsigned l, hwaddr addr)
> }
> }
>
> + /* Size must be a power of 2 */
> + if (l & (l - 1)) {
> + while (l & (access_size_max - 1) && access_size_max > 1) {
> + access_size_max >>= 1;
> + }
> + }
> +
> /* Don't attempt accesses larger than the maximum. */
> if (l > access_size_max) {
> l = access_size_max;
>
>
Assuming that "access_size_max" is positive when reaching the code
you're adding (and it does seem positive at that point), you don't need
"&& access_size_max > 1". That expression won't be evaluated when it
would matter (ie. when access_size_max==1).
Anyway that's not a bug.
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
next prev parent reply other threads:[~2013-08-16 7:08 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-16 4:55 [Qemu-devel] [PATCH] exec: Fix non-power-of-2 sized accesses Alex Williamson
2013-08-16 7:10 ` Laszlo Ersek [this message]
2013-08-16 12:41 ` Alex Williamson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=520DD06F.80005@redhat.com \
--to=lersek@redhat.com \
--cc=alex.williamson@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
--cc=rth@twiddle.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.