Re: [Qemu-devel] [PATCH 2/4] exec: add wrapper for host pointer access

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: "Michael S. Tsirkin" <mst@redhat.com>
To: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>,
	qemu-devel@nongnu.org, quintela@redhat.com
Subject: Re: [Qemu-devel] [PATCH 2/4] exec: add wrapper for host pointer access
Date: Mon, 17 Nov 2014 18:16:59 +0200	[thread overview]
Message-ID: <20141117161659.GA15235@redhat.com> (raw)
In-Reply-To: <20141117125944.GI2237@work-vm>

On Mon, Nov 17, 2014 at 12:59:44PM +0000, Dr. David Alan Gilbert wrote:
> * Michael S. Tsirkin (mst@redhat.com) wrote:
> > On Mon, Nov 17, 2014 at 10:58:53AM +0000, Dr. David Alan Gilbert wrote:
> > > * Michael S. Tsirkin (mst@redhat.com) wrote:
> > > > host pointer accesses force pointer math, let's
> > > > add a wrapper to make them safer.
> > > > 
> > > > Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> > > > ---
> > > >  include/exec/cpu-all.h |  5 +++++
> > > >  exec.c                 | 10 +++++-----
> > > >  2 files changed, 10 insertions(+), 5 deletions(-)
> > > > 
> > > > diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h
> > > > index c085804..9d8d408 100644
> > > > --- a/include/exec/cpu-all.h
> > > > +++ b/include/exec/cpu-all.h
> > > > @@ -313,6 +313,11 @@ typedef struct RAMBlock {
> > > >      int fd;
> > > >  } RAMBlock;
> > > >  
> > > > +static inline void *ramblock_ptr(RAMBlock *block, ram_addr_t offset)
> > > > +{
> > > > +    return (char *)block->host + offset;
> > > > +}
> > > 
> > > I'm a bit surprised you don't need to pass a length to this to be able
> > > to tell how much you can access.
> > 
> > This is because at the moment all accesses only touch a single page.
> > Said assumption seems to be made all over the code, and won't
> > be easy to remove.
> > 
> > > >  typedef struct RAMList {
> > > >      QemuMutex mutex;
> > > >      /* Protected by the iothread lock.  */
> > > > diff --git a/exec.c b/exec.c
> > > > index ad5cf12..9648669 100644
> > > > --- a/exec.c
> > > > +++ b/exec.c
> > > > @@ -840,7 +840,7 @@ static void tlb_reset_dirty_range_all(ram_addr_t start, ram_addr_t length)
> > > >  
> > > >      block = qemu_get_ram_block(start);
> > > >      assert(block == qemu_get_ram_block(end - 1));
> > > > -    start1 = (uintptr_t)block->host + (start - block->offset);
> > > > +    start1 = (uintptr_t)ramblock_ptr(block, start - block->offset);
> > > >      cpu_tlb_reset_dirty_all(start1, length);
> > > >  }
> > > >  
> > > > @@ -1500,7 +1500,7 @@ void qemu_ram_remap(ram_addr_t addr, ram_addr_t length)
> > > >      QTAILQ_FOREACH(block, &ram_list.blocks, next) {
> > > >          offset = addr - block->offset;
> > > >          if (offset < block->length) {
> > > > -            vaddr = block->host + offset;
> > > > +            vaddr = ramblock_ptr(block, offset);
> > > >              if (block->flags & RAM_PREALLOC) {
> > > >                  ;
> > > >              } else if (xen_enabled()) {
> > > > @@ -1551,7 +1551,7 @@ void *qemu_get_ram_block_host_ptr(ram_addr_t addr)
> > > >  {
> > > >      RAMBlock *block = qemu_get_ram_block(addr);
> > > >  
> > > > -    return block->host;
> > > > +    return ramblock_ptr(block, 0);
> > > >  }
> > > >  
> > > >  /* Return a host pointer to ram allocated with qemu_ram_alloc.
> > > > @@ -1578,7 +1578,7 @@ void *qemu_get_ram_ptr(ram_addr_t addr)
> > > >                  xen_map_cache(block->offset, block->length, 1);
> > > >          }
> > > >      }
> > > > -    return block->host + (addr - block->offset);
> > > > +    return ramblock_ptr(block, addr - block->offset);
> > > >  }
> > > 
> > > which then makes me wonder if all the uses of this are safe near the
> > > end of the block.
> > > 
> > > >  /* Return a host pointer to guest's ram. Similar to qemu_get_ram_ptr
> > > > @@ -1597,7 +1597,7 @@ static void *qemu_ram_ptr_length(ram_addr_t addr, hwaddr *size)
> > > >              if (addr - block->offset < block->length) {
> > > >                  if (addr - block->offset + *size > block->length)
> > > >                      *size = block->length - addr + block->offset;
> > > > -                return block->host + (addr - block->offset);
> > > > +                return ramblock_ptr(block, addr - block->offset);
> > > >              }
> > > 
> > > but then this sounds like it's going to have partial duplication, it already looks
> > > like it's only going to succeed if it finds itself a block that the access fits
> > > in.
> > > 
> > > 
> > > Dave
> > 
> > Sorry, I don't really understand what you are saying here.
> 
> qemu_ram_ptr_length already does some checks, so using ramblock_ptr is duplicating
> some of that; not a big issue.
> 
> Dave

Yep.
Since the point is hardening, it's probably a good idea
to keep it simple - and data path shouldn't use ram_addr_t.


> > 
> > > >          }
> > > >  
> > > > -- 
> > > > MST
> > > > 
> > > --
> > > Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
> --
> Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK

next prev parent reply	other threads:[~2014-11-17 16:17 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-11-12  9:44 [Qemu-devel] [PATCH 0/4] migration: fix CVE-2014-7840 Michael S. Tsirkin
2014-11-12  9:44 ` [Qemu-devel] [PATCH 1/4] migration: fix parameter validation on ram load Michael S. Tsirkin
2014-11-12  9:49   ` Paolo Bonzini
2014-11-12  9:44 ` [Qemu-devel] [PATCH 2/4] exec: add wrapper for host pointer access Michael S. Tsirkin
2014-11-17 10:58   ` Dr. David Alan Gilbert
2014-11-17 11:36     ` Michael S. Tsirkin
2014-11-17 12:59       ` Dr. David Alan Gilbert
2014-11-17 16:16         ` Michael S. Tsirkin [this message]
2014-11-12  9:44 ` [Qemu-devel] [PATCH 3/4] cpu: assert host pointer offset within block Michael S. Tsirkin
2014-11-12  9:44 ` [Qemu-devel] [PATCH 4/4] cpu: verify that block->host is set Michael S. Tsirkin
2014-11-17  6:36 ` [Qemu-devel] [PATCH 0/4] migration: fix CVE-2014-7840 Amit Shah
2014-11-17 10:32   ` Michael S. Tsirkin
2014-11-17 10:38     ` Amit Shah
2014-11-17 10:52       ` Michael S. Tsirkin
2014-11-17 11:07         ` Amit Shah
2014-11-17 11:48           ` Michael S. Tsirkin
2014-11-17 12:20             ` Amit Shah
2014-11-17 12:36               ` Michael S. Tsirkin
2014-11-18  9:03                 ` Amit Shah
2014-11-18  9:01 ` Amit Shah
2014-11-18  9:11   ` Dr. David Alan Gilbert
2014-11-18  9:27   ` Michael S. Tsirkin
2014-11-18  9:32     ` Dr. David Alan Gilbert
2014-12-08 23:32 ` Amos Kong
2014-12-10  2:55 ` Amit Shah

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20141117161659.GA15235@redhat.com \
    --to=mst@redhat.com \
    --cc=dgilbert@redhat.com \
    --cc=pbonzini@redhat.com \
    --cc=qemu-devel@nongnu.org \
    --cc=quintela@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).