From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([208.118.235.92]:32992) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1UZapM-0001Y5-Ey for qemu-devel@nongnu.org; Tue, 07 May 2013 01:52:41 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1UZapL-0000Lg-3t for qemu-devel@nongnu.org; Tue, 07 May 2013 01:52:40 -0400 Received: from mx1.redhat.com ([209.132.183.28]:2236) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1UZapK-0000Lb-SG for qemu-devel@nongnu.org; Tue, 07 May 2013 01:52:39 -0400 From: Jason Wang Date: Tue, 7 May 2013 13:42:49 +0800 Message-Id: <1367905369-10765-1-git-send-email-jasowang@redhat.com> Subject: [Qemu-devel] [PATCH V2] virtio: properly validate address before accessing config List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: aliguori@us.ibm.com, mst@redhat.com, qemu-devel@nongnu.org Cc: Jason Wang , Petr Matousek There are several several issues in the current checking: - The check was based on the minus of unsigned values which can overflow - It was done after .{set|get}_config() which can lead crash when config_len is zero since vdev->config is NULL Fix this by: - Validate the address in virtio_pci_config_{read|write}() before .{set|get}_config - Use addition instead minus to do the validation Cc: Michael S. Tsirkin Cc: Petr Matousek Signed-off-by: Jason Wang --- Changes from V1: - Doing check in virtio.c instead of virtio-pci.c - Drop the patch of virtio-ccw and s390-virtio-bus --- hw/virtio/virtio.c | 30 ++++++++++++++++++------------ 1 files changed, 18 insertions(+), 12 deletions(-) diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c index 53a0d90..8176c14 100644 --- a/hw/virtio/virtio.c +++ b/hw/virtio/virtio.c @@ -568,10 +568,11 @@ uint32_t virtio_config_readb(VirtIODevice *vdev, uint32_t addr) VirtioDeviceClass *k = VIRTIO_DEVICE_GET_CLASS(vdev); uint8_t val; - k->get_config(vdev, vdev->config); - - if (addr > (vdev->config_len - sizeof(val))) + if (addr + sizeof(val) > vdev->config_len) { return (uint32_t)-1; + } + + k->get_config(vdev, vdev->config); val = ldub_p(vdev->config + addr); return val; @@ -582,10 +583,11 @@ uint32_t virtio_config_readw(VirtIODevice *vdev, uint32_t addr) VirtioDeviceClass *k = VIRTIO_DEVICE_GET_CLASS(vdev); uint16_t val; - k->get_config(vdev, vdev->config); - - if (addr > (vdev->config_len - sizeof(val))) + if (addr + sizeof(val) > vdev->config_len) { return (uint32_t)-1; + } + + k->get_config(vdev, vdev->config); val = lduw_p(vdev->config + addr); return val; @@ -596,10 +598,11 @@ uint32_t virtio_config_readl(VirtIODevice *vdev, uint32_t addr) VirtioDeviceClass *k = VIRTIO_DEVICE_GET_CLASS(vdev); uint32_t val; - k->get_config(vdev, vdev->config); - - if (addr > (vdev->config_len - sizeof(val))) + if (addr + sizeof(val) > vdev->config_len) { return (uint32_t)-1; + } + + k->get_config(vdev, vdev->config); val = ldl_p(vdev->config + addr); return val; @@ -610,8 +613,9 @@ void virtio_config_writeb(VirtIODevice *vdev, uint32_t addr, uint32_t data) VirtioDeviceClass *k = VIRTIO_DEVICE_GET_CLASS(vdev); uint8_t val = data; - if (addr > (vdev->config_len - sizeof(val))) + if (addr + sizeof(val) > vdev->config_len) { return; + } stb_p(vdev->config + addr, val); @@ -625,8 +629,9 @@ void virtio_config_writew(VirtIODevice *vdev, uint32_t addr, uint32_t data) VirtioDeviceClass *k = VIRTIO_DEVICE_GET_CLASS(vdev); uint16_t val = data; - if (addr > (vdev->config_len - sizeof(val))) + if (addr + sizeof(val) > vdev->config_len) { return; + } stw_p(vdev->config + addr, val); @@ -640,8 +645,9 @@ void virtio_config_writel(VirtIODevice *vdev, uint32_t addr, uint32_t data) VirtioDeviceClass *k = VIRTIO_DEVICE_GET_CLASS(vdev); uint32_t val = data; - if (addr > (vdev->config_len - sizeof(val))) + if (addr + sizeof(val) > vdev->config_len) { return; + } stl_p(vdev->config + addr, val); -- 1.7.1