From: "Michael S. Tsirkin" <mst@redhat.com>
To: qemu-devel@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>,
Peter Turschmid <peter.turschm@nutanix.com>,
Raphael Norwitz <raphael.norwitz@nutanix.com>
Subject: [PULL v2 30/30] Fixed assert in vhost_user_set_mem_table_postcopy
Date: Wed, 26 Feb 2020 04:08:04 -0500
Message-ID: <20200226090010.708934-31-mst@redhat.com>
In-Reply-To: <20200226090010.708934-1-mst@redhat.com>
From: Raphael Norwitz <raphael.norwitz@nutanix.com>
The current vhost_user_set_mem_table_postcopy() implementation
populates each region of the VHOST_USER_SET_MEM_TABLE message without
first checking if there are more than VHOST_MEMORY_MAX_NREGIONS already
populated. This can cause memory corruption if too many regions are
added to the message during the postcopy step.
This change moves an existing assert up such that attempting to
construct a VHOST_USER_SET_MEM_TABLE message with too many memory
regions will gracefully bring down qemu instead of corrupting memory.
Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
Signed-off-by: Peter Turschmid <peter.turschm@nutanix.com>
Message-Id: <1579143426-18305-2-git-send-email-raphael.norwitz@nutanix.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
hw/virtio/vhost-user.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c
index 35baf4f347..08e7e63790 100644
--- a/hw/virtio/vhost-user.c
+++ b/hw/virtio/vhost-user.c
@@ -443,6 +443,7 @@ static int vhost_user_set_mem_table_postcopy(struct vhost_dev *dev,
&offset);
fd = memory_region_get_fd(mr);
if (fd > 0) {
+ assert(fd_num < VHOST_MEMORY_MAX_NREGIONS);
trace_vhost_user_set_mem_table_withfd(fd_num, mr->name,
reg->memory_size,
reg->guest_phys_addr,
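Review bot: the relocated assert at the top of the `if (fd > 0)` block now runs before the trace call and before the region fields are written, so `fd_num` is validated before any use, which closes the window the commit message describes. The remaining concern is that an assert turns a guest with more fd-backed memory regions than the table holds into an abort of the whole QEMU process rather than a failed vhost-user setup; consider returning an error from vhost_user_set_mem_table_postcopy() instead, so the caller can fail the device rather than the VM.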
@@ -455,7 +456,6 @@ static int vhost_user_set_mem_table_postcopy(struct vhost_dev *dev,
msg.payload.memory.regions[fd_num].guest_phys_addr =
reg->guest_phys_addr;
msg.payload.memory.regions[fd_num].mmap_offset = offset;
- assert(fd_num < VHOST_MEMORY_MAX_NREGIONS);
fds[fd_num++] = fd;
} else {
u->region_rb_offset[i] = 0;
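Review bot: dropping the old assert here is correct, since it is now redundant with the check at the top of the block, and its old position after the stores to `msg.payload.memory.regions[fd_num]` is exactly what left those stores unguarded. Because `fds[fd_num++]` and the `regions[fd_num]` entries are indexed by the same counter, the single check on `fd_num` before the first store covers both arrays; a one-line comment next to the new assert saying that it guards both `fds[]` and `regions[]` would keep someone from moving it back down later.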
--
MST
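The commit message above describes a fixed-capacity region table being filled without checking the count first. The following is an added example, not QEMU code and not part of this patch: it models that table with hypothetical names (`region_table`, `region_table_add`, `build_table`, `MAX_NREGIONS` standing in for VHOST_MEMORY_MAX_NREGIONS) and shows the alternative the review note suggests, checking the bound before any store and returning an error instead of aborting. Regions without a file descriptor are skipped and not counted, mirroring the `if (fd > 0)` logic in the hunk.

```c
/*
 * Added example (not QEMU code): populate a fixed-capacity region table
 * the way the commit message describes, with the bound checked before
 * every write. All names here are hypothetical.
 */
#include <errno.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_NREGIONS 8   /* stands in for VHOST_MEMORY_MAX_NREGIONS */

struct region {
    uint64_t guest_phys_addr;
    uint64_t memory_size;
    uint64_t mmap_offset;
};

struct region_table {
    struct region regions[MAX_NREGIONS];
    int fds[MAX_NREGIONS];
    unsigned nregions;   /* counts only fd-backed regions, like fd_num */
};

/*
 * Returns 0 on success, -ENOSPC if the table is full. The capacity check
 * precedes every store, so an oversubscribed table can never index past
 * either array; the caller decides whether that is fatal.
 */
int region_table_add(struct region_table *t, int fd,
                     uint64_t gpa, uint64_t size, uint64_t off)
{
    if (fd <= 0) {
        return 0;   /* no backing fd: not added to the table */
    }
    if (t->nregions >= MAX_NREGIONS) {
        return -ENOSPC;
    }
    t->regions[t->nregions].guest_phys_addr = gpa;
    t->regions[t->nregions].memory_size = size;
    t->regions[t->nregions].mmap_offset = off;
    t->fds[t->nregions] = fd;
    t->nregions++;
    return 0;
}

/* Build a table from n candidate regions; stop at the first failure. */
int build_table(struct region_table *t, const int *fds, size_t n)
{
    memset(t, 0, sizeof(*t));
    for (size_t i = 0; i < n; i++) {
        /* constructed sample layout: 1 GiB regions at 1 GiB strides */
        int r = region_table_add(t, fds[i], (uint64_t)i << 30, 1u << 30, 0);
        if (r < 0) {
            return r;
        }
    }
    return 0;
}

/* Three fd-backed regions and one without an fd: expect 3 entries. */
int demo_fill_ok(void)
{
    static const int fds[] = { 3, 4, -1, 5 };
    struct region_table t;
    if (build_table(&t, fds, 4) != 0) {
        return -1;
    }
    return (int)t.nregions;
}

/*
 * One more fd-backed region than the table holds: expect -ENOSPC, with
 * exactly MAX_NREGIONS entries stored and nothing written past the end.
 */
int demo_too_many(void)
{
    int fds[MAX_NREGIONS + 1];
    struct region_table t;
    for (int i = 0; i < MAX_NREGIONS + 1; i++) {
        fds[i] = 10 + i;   /* constructed, distinct descriptor numbers */
    }
    int r = build_table(&t, fds, MAX_NREGIONS + 1);
    if (t.nregions != MAX_NREGIONS) {
        return -1;
    }
    return r;
}

int main(void)
{
    printf("fd-backed regions kept: %d\n", demo_fill_ok());
    printf("overflow result: %d (expected %d)\n", demo_too_many(), -ENOSPC);
    return 0;
}
```

The design point is that the check sits ahead of the first store and the result is an ordinary error code: a guest that presents too many fd-backed regions fails the table build, and the caller can report that, rather than the process aborting or silently writing past `regions[]` and `fds[]`.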