qemu-devel.nongnu.org archive mirror
From: Paolo Bonzini <pbonzini@redhat.com>
To: qemu-devel@nongnu.org
Cc: Richard Henderson <rth@twiddle.net>,
	qemu-stable@nongnu.org, "Michael S. Tsirkin" <mst@redhat.com>
Subject: [PULL 05/31] memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"
Date: Wed, 24 Jun 2020 06:50:22 -0400	[thread overview]
Message-ID: <20200624105048.375353-5-pbonzini@redhat.com> (raw)
In-Reply-To: <20200624104917.375143-1-pbonzini@redhat.com>

From: "Michael S. Tsirkin" <mst@redhat.com>

Memory API documentation documents valid .min_access_size and .max_access_size
fields and explains that any access outside these boundaries is blocked.

This is what devices seem to assume.

However, this is not what the implementation does: it simply
ignores the boundaries unless there's an "accepts" callback.

Naturally, this breaks a bunch of devices.

Revert to the documented behaviour.

Devices that want to allow any access can just drop the valid field,
or add the impl field to have accesses converted to appropriate
length.

Cc: qemu-stable@nongnu.org
Reviewed-by: Richard Henderson <rth@twiddle.net>
Fixes: CVE-2020-13754
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1842363
Fixes: a014ed07bd5a ("memory: accept mismatching sizes in memory_region_access_valid")
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20200610134731.1514409-1-mst@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 memory.c | 29 +++++++++--------------------
 1 file changed, 9 insertions(+), 20 deletions(-)

diff --git a/memory.c b/memory.c
index 2f15a4b250..9200b20130 100644
--- a/memory.c
+++ b/memory.c
@@ -1352,35 +1352,24 @@ bool memory_region_access_valid(MemoryRegion *mr,
                                 bool is_write,
                                 MemTxAttrs attrs)
 {
-    int access_size_min, access_size_max;
-    int access_size, i;
-
-    if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
+    if (mr->ops->valid.accepts
+        && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) {
         return false;
     }
 
-    if (!mr->ops->valid.accepts) {
-        return true;
-    }
-
-    access_size_min = mr->ops->valid.min_access_size;
-    if (!mr->ops->valid.min_access_size) {
-        access_size_min = 1;
+    if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
+        return false;
     }
 
-    access_size_max = mr->ops->valid.max_access_size;
+    /* Treat zero as compatibility all valid */
     if (!mr->ops->valid.max_access_size) {
-        access_size_max = 4;
+        return true;
     }
 
-    access_size = MAX(MIN(size, access_size_max), access_size_min);
-    for (i = 0; i < size; i += access_size) {
-        if (!mr->ops->valid.accepts(mr->opaque, addr + i, access_size,
-                                    is_write, attrs)) {
-            return false;
-        }
+    if (size > mr->ops->valid.max_access_size
+        || size < mr->ops->valid.min_access_size) {
+        return false;
     }
-
     return true;
 }
 
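Review bot: the early `return true;` under `if (!mr->ops->valid.max_access_size)` also skips the later `size < mr->ops->valid.min_access_size` test, so a region that sets only min_access_size (leaving max at zero to mean "no upper bound") still admits accesses narrower than its declared minimum. If a zero max is only meant as "all valid" when min is zero too, check the minimum first, e.g. `if (size < mr->ops->valid.min_access_size) return false;` placed ahead of the compatibility block, or say in the comment that a zero max disables the min check as well. Two smaller points: valid.accepts now runs before the alignment and size checks, so it can be called with a size outside [min, max] that the old clamped loop never handed it, which deserves a sentence in the MemoryRegionOps documentation so callbacks do not assume in-range sizes; and "Treat zero as compatibility all valid" reads awkwardly, "Treat a zero max_access_size as 'any size is valid', for compatibility" says the same.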
-- 
2.26.2
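As an added illustration, not code from QEMU or from this patch: a stand-alone C model of the size validation the hunk above changes, before and after the revert, driving a made-up device whose write handler trusts the size it receives, which is the assumption the commit message describes. Every name here (ModelOps, model_valid_before, model_valid_after, DemoDev, demo_ops, demo_write, demo_guest_write) is invented for the example; the device, its register layout and the canary word are constructed, and the two validators transcribe the "-" and "+" sides of the hunk with the accepts() signature shortened. It also exercises the one case the new code still lets through: a region that sets min_access_size but leaves max_access_size at zero.

```c
/*
 * Added, stand-alone illustration (not QEMU code): a model of the size
 * validation that memory_region_access_valid() performs before and after
 * this revert, driving a made-up device whose write handler trusts the
 * size it is given. Names prefixed model_/demo_ are invented here.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_MAX(a, b) ((a) > (b) ? (a) : (b))
#define MODEL_MIN(a, b) ((a) < (b) ? (a) : (b))

typedef bool (*model_accepts_fn)(void *opaque, uint64_t addr, unsigned size,
                                 bool is_write);

/* The subset of MemoryRegionOps.valid that the check consults. */
typedef struct ModelOps {
    struct {
        unsigned min_access_size;
        unsigned max_access_size;
        bool unaligned;
        model_accepts_fn accepts;
    } valid;
} ModelOps;

/* Pre-revert logic (the "-" lines of the hunk): without an accepts()
 * callback the declared bounds are never consulted. */
static bool model_valid_before(const ModelOps *ops, void *opaque,
                               uint64_t addr, unsigned size, bool is_write)
{
    unsigned access_size_min, access_size_max, access_size, i;

    if (!ops->valid.unaligned && (addr & (size - 1))) {
        return false;
    }
    if (!ops->valid.accepts) {
        return true;                /* min/max silently ignored */
    }
    access_size_min = ops->valid.min_access_size ? ops->valid.min_access_size : 1;
    access_size_max = ops->valid.max_access_size ? ops->valid.max_access_size : 4;
    access_size = MODEL_MAX(MODEL_MIN(size, access_size_max), access_size_min);
    for (i = 0; i < size; i += access_size) {
        if (!ops->valid.accepts(opaque, addr + i, access_size, is_write)) {
            return false;
        }
    }
    return true;
}

/* Post-revert logic (the "+" lines of the hunk): bounds are enforced,
 * and a zero max_access_size means "any size is valid". */
static bool model_valid_after(const ModelOps *ops, void *opaque,
                              uint64_t addr, unsigned size, bool is_write)
{
    if (ops->valid.accepts &&
        !ops->valid.accepts(opaque, addr, size, is_write)) {
        return false;
    }
    if (!ops->valid.unaligned && (addr & (size - 1))) {
        return false;
    }
    if (!ops->valid.max_access_size) {
        return true;
    }
    if (size > ops->valid.max_access_size ||
        size < ops->valid.min_access_size) {
        return false;
    }
    return true;
}

/* Constructed device: three 32-bit registers followed by a canary word. */
#define DEMO_CANARY 0xA5A5A5A5u
typedef struct DemoDev {
    uint8_t regs[12];
    uint32_t canary;                /* at offset 12, right after the registers */
} DemoDev;

/* Declares 32-bit-only access, exactly what the handler below relies on. */
static const ModelOps demo_ops = {
    .valid = { .min_access_size = 4, .max_access_size = 4 },
};

/* Handler written the way the commit message says devices assume: it
 * trusts that size was already confined to [min, max] and copies blindly. */
static void demo_write(DemoDev *d, uint64_t addr, uint64_t val, unsigned size)
{
    memcpy((uint8_t *)d + addr, &val, size);
}

/* Routes one guest write through the chosen validator and returns the
 * canary afterwards; DEMO_CANARY means the device was not corrupted. */
static uint32_t demo_guest_write(bool fixed, uint64_t addr, unsigned size)
{
    DemoDev d = { .canary = DEMO_CANARY };
    bool ok = fixed ? model_valid_after(&demo_ops, &d, addr, size, true)
                    : model_valid_before(&demo_ops, &d, addr, size, true);
    if (ok) {
        demo_write(&d, addr, 0x4141414141414141ull, size);
    }
    return d.canary;
}

/* Caveat visible in the new code: with max_access_size left at zero,
 * min_access_size is never checked either. */
static const ModelOps demo_min_only_ops = {
    .valid = { .min_access_size = 4, .max_access_size = 0 },
};

static bool demo_min_only_accepts_byte(void)
{
    return model_valid_after(&demo_min_only_ops, NULL, 0, 1, false);
}

int main(void)
{
    printf("8-byte write at +8, pre-revert : canary %08x\n", demo_guest_write(false, 8, 8));
    printf("8-byte write at +8, post-revert: canary %08x\n", demo_guest_write(true, 8, 8));
    printf("2-byte write at +0, post-revert: canary %08x\n", demo_guest_write(true, 0, 2));
    printf("min=4,max=0 admits a 1-byte access: %d\n", demo_min_only_accepts_byte());
    return 0;
}
```

The aligned 8-byte write at offset 8 passes the pre-revert check because demo_ops has no accepts() callback, and the handler then copies past the last register into the canary; the same write is refused after the revert because 8 exceeds max_access_size, and a 2-byte write is refused because it is below min_access_size. The last call shows that a region declaring only a minimum still accepts a single-byte access under the new code.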





Thread overview: 39+ messages
2020-06-24 10:48 [PULL 00/31] Misc patches for 2020-06-24 Paolo Bonzini
2020-06-24 10:50 ` [PULL 01/31] kvm: support to get/set dirty log initial-all-set capability Paolo Bonzini
2020-06-24 10:50 ` [PULL 02/31] util/getauxval: Porting to FreeBSD getauxval feature Paolo Bonzini
2020-06-24 10:50 ` [PULL 03/31] libqos: usb-hcd-ehci: use 32-bit write for config register Paolo Bonzini
2020-06-24 10:50 ` [PULL 04/31] libqos: pci-pc: use 32-bit write for EJ register Paolo Bonzini
2020-06-24 10:50 ` Paolo Bonzini [this message]
2020-06-24 10:50 ` [PULL 06/31] replay: notify the main loop when there are no instructions Paolo Bonzini
2020-06-24 10:50 ` [PULL 07/31] replay: synchronize on every virtual timer callback Paolo Bonzini
2020-06-24 10:50 ` [PULL 08/31] configure: add libdaxctl support Paolo Bonzini
2020-06-24 10:50 ` [PULL 09/31] exec: fetch the alignment of Linux devdax pmem character device nodes Paolo Bonzini
2020-06-24 10:50 ` [PULL 10/31] docs/nvdimm: add description of alignment requirement of device dax Paolo Bonzini
2020-06-24 10:50 ` [PULL 11/31] hw/scsi/megasas: Fix possible out-of-bounds array access in tracepoints Paolo Bonzini
2020-06-24 10:50 ` [PULL 12/31] Makefile: Install qemu-[qmp/ga]-ref.* into the directory "interop" Paolo Bonzini
2020-06-24 10:50 ` [PULL 13/31] xen: Actually fix build without passthrough Paolo Bonzini
2020-06-24 10:50 ` [PULL 14/31] target/i386: reimplement f2xm1 using floatx80 operations Paolo Bonzini
2020-07-14 14:09   ` Laszlo Ersek
2020-06-24 10:50 ` [PULL 15/31] softfloat: merge floatx80_mod and floatx80_rem Paolo Bonzini
2020-06-24 10:50 ` [PULL 16/31] softfloat: fix floatx80 remainder pseudo-denormal check for zero Paolo Bonzini
2020-06-24 10:50 ` [PULL 17/31] softfloat: do not return pseudo-denormal from floatx80 remainder Paolo Bonzini
2020-06-24 10:50 ` [PULL 18/31] softfloat: do not set denominator high bit for floatx80 remainder Paolo Bonzini
2020-06-24 10:50 ` [PULL 19/31] softfloat: return low bits of quotient from floatx80_modrem Paolo Bonzini
2020-06-24 10:50 ` [PULL 20/31] target/i386: reimplement fprem, fprem1 using floatx80 operations Paolo Bonzini
2020-06-24 10:50 ` [PULL 21/31] target/i386: reimplement fyl2xp1 " Paolo Bonzini
2020-06-24 10:50 ` [PULL 22/31] target/i386: reimplement fyl2x " Paolo Bonzini
2020-06-24 10:50 ` [PULL 23/31] target/i386: reimplement fpatan " Paolo Bonzini
2020-06-24 10:50 ` [PULL 24/31] target/i386: Add notes for versioned CPU models Paolo Bonzini
2020-06-24 10:50 ` [PULL 25/31] osdep: Make MIN/MAX evaluate arguments only once Paolo Bonzini
2020-06-24 12:13   ` Eric Blake
2020-06-24 12:21     ` Daniel P. Berrangé
2020-06-24 13:19     ` Philippe Mathieu-Daudé
2020-06-24 10:50 ` [PULL 26/31] numa: forbid '-numa node, mem' for 5.1 and newer machine types Paolo Bonzini
2020-06-24 10:50 ` [PULL 27/31] kvm: i386: allow TSC to differ by NTP correction bounds without TSC scaling Paolo Bonzini
2020-06-24 10:50 ` [PULL 28/31] hyperv: vmbus: Remove the 2nd IRQ Paolo Bonzini
2020-06-24 10:50 ` [PULL 29/31] vmport: move compat properties to hw_compat_5_0 Paolo Bonzini
2020-06-24 10:50 ` [PULL 30/31] ibex_uart: fix XOR-as-pow Paolo Bonzini
2020-06-24 10:50 ` [PULL 31/31] i386: Mask SVM features if nested SVM is disabled Paolo Bonzini
2020-06-24 11:29 ` [PULL 00/31] Misc patches for 2020-06-24 no-reply
2020-06-25 15:50 ` Peter Maydell
2020-06-25 16:33   ` Eric Blake
