From: "Alex Bennée" <alex.bennee@linaro.org>
To: Anastasia Belova <abelova@astralinux.ru>
Cc: "Maciej S. Szmigiero" <maciej.szmigiero@oracle.com>,
Peter Maydell <peter.maydell@linaro.org>,
sdl.qemu@linuxtesting.org, qemu-devel@nongnu.org
Subject: Re: [PATCH] hyperv: add check for NULL for msg
Date: Thu, 28 Sep 2023 17:56:05 +0100 [thread overview]
Message-ID: <87r0mip6yt.fsf@linaro.org> (raw)
In-Reply-To: <20230928132519.26266-1-abelova@astralinux.ru>
Anastasia Belova <abelova@astralinux.ru> writes:
> cpu_physical_memory_map may return NULL in hyperv_hcall_post_message.
> Add check for NULL to avoid NULL-dereference.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 76036a5fc7 ("hyperv: process POST_MESSAGE hypercall")
> Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
> ---
> hw/hyperv/hyperv.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/hyperv/hyperv.c b/hw/hyperv/hyperv.c
> index 57b402b956..61c65d7329 100644
> --- a/hw/hyperv/hyperv.c
> +++ b/hw/hyperv/hyperv.c
> @@ -588,7 +588,7 @@ uint16_t hyperv_hcall_post_message(uint64_t param, bool fast)
>
> len = sizeof(*msg);
> msg = cpu_physical_memory_map(param, &len, 0);
> - if (len < sizeof(*msg)) {
> + if (!msg || len < sizeof(*msg)) {
> ret = HV_STATUS_INSUFFICIENT_MEMORY;
> goto unmap;
What is the failure path that returns NULL but leaves len untouched? I
see in address_space_map():
if (!memory_access_is_direct(mr, is_write)) {
if (qatomic_xchg(&bounce.in_use, true)) {
*plen = 0;
return NULL;
}
and in qemu_ram_ptr_length:
if (*size == 0) {
return NULL;
}
but the other paths can't fail AFAICT.
That's not to say its a bad thing to verify the ptr before attempting a
de-reference but I would like to understand the failure mode.
As an aside it would also be nice to add (as a fresh commit) a kdoc
comment for cpu_physical_memory_map() that documents the API.
--
Alex Bennée
Virtualisation Tech Lead @ Linaro
next prev parent reply other threads:[~2023-09-28 17:03 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-28 13:25 [PATCH] hyperv: add check for NULL for msg Anastasia Belova
2023-09-28 16:18 ` Maciej S. Szmigiero
2023-10-26 9:31 ` Анастасия Любимова
2023-10-26 9:58 ` Maciej S. Szmigiero
2023-09-28 16:56 ` Alex Bennée [this message]
2023-09-28 17:23 ` Maciej S. Szmigiero
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87r0mip6yt.fsf@linaro.org \
--to=alex.bennee@linaro.org \
--cc=abelova@astralinux.ru \
--cc=maciej.szmigiero@oracle.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=sdl.qemu@linuxtesting.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.