From: "Michael S. Tsirkin" <mst@redhat.com>
To: qemu-devel@nongnu.org
Cc: Paolo Bonzini <pbonzini@redhat.com>,
qemu-stable@nongnu.org, Richard Henderson <rth@twiddle.net>
Subject: [PATCH] memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"
Date: Wed, 10 Jun 2020 09:47:49 -0400
Message-ID: <20200610134731.1514409-1-mst@redhat.com>
Memory API documentation documents valid .min_access_size and .max_access_size
fields and explains that any access outside these boundaries is blocked.
This is what devices seem to assume.

However, this is not what the implementation does: it simply
ignores the boundaries unless there's an "accepts" callback.

Naturally, this breaks a bunch of devices.

Revert to the documented behaviour.

Devices that want to allow any access can just drop the valid field,
or add the impl field to have accesses converted to appropriate
length.
Cc: qemu-stable@nongnu.org
Reviewed-by: Richard Henderson <rth@twiddle.net>
Fixes: CVE-2020-13754
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1842363
Fixes: a014ed07bd5a ("memory: accept mismatching sizes in memory_region_access_valid")
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
memory.c | 29 +++++++++--------------------
1 file changed, 9 insertions(+), 20 deletions(-)
diff --git a/memory.c b/memory.c
index 91ceaf9fcf..3e9388fb74 100644
--- a/memory.c
+++ b/memory.c
@@ -1352,35 +1352,24 @@ bool memory_region_access_valid(MemoryRegion *mr,
bool is_write,
MemTxAttrs attrs)
{
- int access_size_min, access_size_max;
- int access_size, i;
+ if (mr->ops->valid.accepts
+ && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) {
+ return false;
+ }
if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
return false;
}
- if (!mr->ops->valid.accepts) {
+ /* Treat zero as compatibility all valid */
+ if (!mr->ops->valid.max_access_size) {
return true;
}
- access_size_min = mr->ops->valid.min_access_size;
- if (!mr->ops->valid.min_access_size) {
- access_size_min = 1;
+ if (size > mr->ops->valid.max_access_size
+ || size < mr->ops->valid.min_access_size) {
+ return false;
}
-
- access_size_max = mr->ops->valid.max_access_size;
- if (!mr->ops->valid.max_access_size) {
- access_size_max = 4;
- }
-
- access_size = MAX(MIN(size, access_size_max), access_size_min);
- for (i = 0; i < size; i += access_size) {
- if (!mr->ops->valid.accepts(mr->opaque, addr + i, access_size,
- is_write, attrs)) {
- return false;
- }
- }
-
return true;
}
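Review bot: the early `return true` on `!mr->ops->valid.max_access_size` also skips the `size < mr->ops->valid.min_access_size` test, so a region that sets only `.min_access_size` and leaves `.max_access_size` at 0 gets no lower bound at all; either check the two fields independently, or say in the comment that both bounds are enforced only when `.max_access_size` is set. The comment `/* Treat zero as compatibility all valid */` is hard to parse on its own; something like `/* max_access_size == 0: no size restriction (compatibility with ops that leave .valid unset) */` states what the branch does. Also worth a sentence in the commit message: `.accepts` is now invoked before the alignment and size checks, so a callback sees the raw guest size, including sizes outside [min_access_size, max_access_size], and must validate it itself rather than assume the core already clamped it.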
--
MST
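The behaviour change is easiest to see side by side. The following C program is an added example written for this page, not QEMU code: `AccessValid` is a hypothetical, simplified stand-in for the `.valid` part of `MemoryRegionOps`, `access_valid_before` mirrors the logic the patch removes (bounds only consulted through `.accepts`), and `access_valid_after` mirrors the logic it restores. The register-file device and the set of guest accesses are constructed for the demonstration; the device declares 4-byte-only access and, like the devices the commit message mentions, supplies no `.accepts` callback because it relies on the core to enforce the declared bounds.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified stand-in for the .valid sub-structure of
 * QEMU's MemoryRegionOps. Field names follow the patch; the struct itself
 * is constructed for this example and is not QEMU's definition. */
typedef struct {
    unsigned min_access_size;   /* 0 means "unset" */
    unsigned max_access_size;   /* 0 means "unset" */
    bool unaligned;
    bool (*accepts)(void *opaque, uint64_t addr, unsigned size, bool is_write);
} AccessValid;

/* Pre-patch behaviour (the reverted commit): with no .accepts callback the
 * declared min/max_access_size are never consulted. */
static bool access_valid_before(const AccessValid *v, void *opaque,
                                uint64_t addr, unsigned size, bool is_write)
{
    unsigned lo, hi, step, i;

    if (!v->unaligned && (addr & (size - 1))) {
        return false;
    }
    if (!v->accepts) {
        return true;            /* declared bounds silently ignored */
    }
    lo = v->min_access_size ? v->min_access_size : 1;
    hi = v->max_access_size ? v->max_access_size : 4;
    step = size < hi ? size : hi;       /* MIN(size, hi) */
    if (step < lo) {
        step = lo;                      /* MAX(..., lo) */
    }
    for (i = 0; i < size; i += step) {
        if (!v->accepts(opaque, addr + i, step, is_write)) {
            return false;
        }
    }
    return true;
}

/* Post-patch behaviour: bounds are enforced whenever max_access_size is set,
 * independently of whether an .accepts callback exists. */
static bool access_valid_after(const AccessValid *v, void *opaque,
                               uint64_t addr, unsigned size, bool is_write)
{
    if (v->accepts && !v->accepts(opaque, addr, size, is_write)) {
        return false;
    }
    if (!v->unaligned && (addr & (size - 1))) {
        return false;
    }
    if (!v->max_access_size) {
        return true;            /* no bounds declared: any size allowed */
    }
    if (size > v->max_access_size || size < v->min_access_size) {
        return false;
    }
    return true;
}

/* Constructed device: a register file documented as 4-byte-only that
 * relies on the core to reject other sizes (no .accepts callback). */
static const AccessValid reg_file_valid = {
    .min_access_size = 4,
    .max_access_size = 4,
    .unaligned = false,
    .accepts = NULL,
};

/* Run a constructed set of guest accesses through one version of the check
 * and return how many it lets through to the device. */
static unsigned count_accepted(bool (*check)(const AccessValid *, void *,
                                             uint64_t, unsigned, bool))
{
    static const struct { uint64_t addr; unsigned size; } probes[] = {
        { 0x00, 4 },    /* the documented 4-byte access */
        { 0x00, 1 },    /* undersized */
        { 0x00, 8 },    /* oversized */
        { 0x02, 2 },    /* aligned for its size, but not a permitted size */
        { 0x01, 4 },    /* misaligned: rejected by both versions */
    };
    unsigned n = 0;
    size_t i;

    for (i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        if (check(&reg_file_valid, NULL, probes[i].addr, probes[i].size, false)) {
            n++;
        }
    }
    return n;
}

unsigned accepted_before(void) { return count_accepted(access_valid_before); }
unsigned accepted_after(void)  { return count_accepted(access_valid_after); }

int main(void)
{
    printf("accesses reaching the device: before patch %u, after patch %u\n",
           accepted_before(), accepted_after());
    return 0;
}
```

Of the five constructed accesses, the pre-patch check forwards four to the device (only the misaligned one is stopped), while the restored check forwards only the single 4-byte access; the device's declared bounds are what keep the 1-, 2- and 8-byte accesses out of handler code that was written for one size.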