From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:36934) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1VAC4g-0004AZ-Ln for qemu-devel@nongnu.org; Fri, 16 Aug 2013 00:55:56 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1VAC4Z-0003Eb-8h for qemu-devel@nongnu.org; Fri, 16 Aug 2013 00:55:46 -0400 From: Alex Williamson Date: Thu, 15 Aug 2013 22:55:35 -0600 Message-ID: <20130816044811.3049.77085.stgit@bling.home> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Subject: [Qemu-devel] [PATCH] exec: Fix non-power-of-2 sized accesses List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, rth@twiddle.net Since commit 23326164 we align access sizes to match the alignment of the address, but we don't align the access size itself. This means we let illegal access sizes (ex. 3) slip through if the address is sufficiently aligned (ex. 4). This results in an abort which would be easy for a guest to trigger. Account for aligning the access size. Signed-off-by: Alex Williamson Cc: qemu-stable@nongnu.org --- In the example I saw the guest was doing a 4-byte read at I/O port 0xcd7. We satisfy the first byte with a 1-byte read leaving 3 bytes remaining at an 8-byte aligned address... boom. ffs() caused weird stack smashing errors here, so I just did a loop since it can only run for a few iterations max. exec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/exec.c b/exec.c index 3ca9381..652fc3a 100644 --- a/exec.c +++ b/exec.c @@ -1924,6 +1924,13 @@ static int memory_access_size(MemoryRegion *mr, unsigned l, hwaddr addr) } } + /* Size must be a power of 2 */ + if (l & (l - 1)) { + while (l & (access_size_max - 1) && access_size_max > 1) { + access_size_max >>= 1; + } + } + /* Don't attempt accesses larger than the maximum. */ if (l > access_size_max) { l = access_size_max;