From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:34534)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mst@redhat.com>) id 1ZEYI5-0002E9-Up
	for qemu-devel@nongnu.org; Mon, 13 Jul 2015 03:36:42 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mst@redhat.com>) id 1ZEYI1-0003Cd-M2
	for qemu-devel@nongnu.org; Mon, 13 Jul 2015 03:36:41 -0400
Received: from mx1.redhat.com ([209.132.183.28]:47639)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mst@redhat.com>) id 1ZEYI1-0003CZ-HS
	for qemu-devel@nongnu.org; Mon, 13 Jul 2015 03:36:37 -0400
Received: from int-mx09.intmail.prod.int.phx2.redhat.com
	(int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22])
	by mx1.redhat.com (Postfix) with ESMTPS id 22B17A10D2
	for <qemu-devel@nongnu.org>; Mon, 13 Jul 2015 07:36:37 +0000 (UTC)
Date: Mon, 13 Jul 2015 10:36:34 +0300
From: "Michael S. Tsirkin" <mst@redhat.com>
Message-ID: <20150713102533-mutt-send-email-mst@redhat.com>
References: <1436766411-29144-1-git-send-email-jasowang@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1436766411-29144-1-git-send-email-jasowang@redhat.com>
Subject: Re: [Qemu-devel] [PATCH 1/5] virtio-pci: ignore unaligned
 read/write in virtio_address_space_read()/write()
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Jason Wang <jasowang@redhat.com>
Cc: qemu-devel@nongnu.org

On Mon, Jul 13, 2015 at 01:46:47PM +0800, Jason Wang wrote:
> We abort on unaligned read/write in
> virtio_address_space_read()/write() but since len in under control of
> guest so qemu will simply crash when booting a modern guest (guest is
> try to read when len is zero).
> read.

How can len be 0? Isn't this a guest bug? Or is this
a theoretical issue?

> Fix this by ignoring unaligned write or
> 
> Fixes 1e40356ce5f6ccfa0bb57104a533c62952c560ce
> ("virtio fix cfg endian-ness for BE targets")
> Signed-off-by: Jason Wang <jasowang@redhat.com>

I guess since we ignore some illegal values (e.g. > 4)
we should just whitelist the legal ones.
So the following looks like a slightly cleaner way to
make this change.

--->
virtio-pci: don't crash on illegal length

Some guests seem to access cfg with an illegal length value.
It's worth fixing them but debugging is easier if
qemu does not crash.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
index 6ca0258..c5e8cc0 100644
--- a/hw/virtio/virtio-pci.c
+++ b/hw/virtio/virtio-pci.c
@@ -546,7 +546,8 @@ static void virtio_write_config(PCIDevice *pci_dev, uint32_t address,
         off = le32_to_cpu(cfg->cap.offset);
         len = le32_to_cpu(cfg->cap.length);
 
-        if (len <= sizeof cfg->pci_cfg_data) {
+        if (len == 1 || len == 2 || len == 4) {
+            assert(len <= sizeof cfg->pci_cfg_data);
             virtio_address_space_write(&proxy->modern_as, off,
                                        cfg->pci_cfg_data, len);
         }
@@ -570,7 +571,8 @@ static uint32_t virtio_read_config(PCIDevice *pci_dev,
         off = le32_to_cpu(cfg->cap.offset);
         len = le32_to_cpu(cfg->cap.length);
 
-        if (len <= sizeof cfg->pci_cfg_data) {
+        if (len == 1 || len == 2 || len == 4) {
+            assert(len <= sizeof cfg->pci_cfg_data);
             virtio_address_space_read(&proxy->modern_as, off,
                                       cfg->pci_cfg_data, len);
         }