qemu-devel.nongnu.org archive mirror
From: "Michael S. Tsirkin" <mst@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Peter Maydell" <peter.maydell@linaro.org>,
	"David Hildenbrand" <david@redhat.com>,
	"Marc-André Lureau" <marcandre.lureau@redhat.com>,
	"Paolo Bonzini" <pbonzini@redhat.com>,
	"Raphael Norwitz" <raphael.norwitz@nutanix.com>
Subject: [PULL 08/32] libvhost-user: Add vu_rem_mem_reg input validation
Date: Fri, 4 Feb 2022 20:42:56 -0500	[thread overview]
Message-ID: <20220205014149.1189026-9-mst@redhat.com> (raw)
In-Reply-To: <20220205014149.1189026-1-mst@redhat.com>

From: Raphael Norwitz <raphael.norwitz@nutanix.com>

Today if multiple FDs are sent from the VMM to the backend in a
VHOST_USER_REM_MEM_REG message, one FD will be unmapped and the remaining
FDs will be leaked. Therefore if multiple FDs are sent we report an
error and fail the operation, closing all FDs in the message.

Likewise in case the VMM sends a message with a size less than that of a
memory region descriptor, we add a check to gracefully report an error
and fail the operation rather than crashing.

Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
Message-Id: <20220117041050.19718-2-raphael.norwitz@nutanix.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
---
 subprojects/libvhost-user/libvhost-user.h |  2 ++
 subprojects/libvhost-user/libvhost-user.c | 15 +++++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/subprojects/libvhost-user/libvhost-user.h b/subprojects/libvhost-user/libvhost-user.h
index 3d13dfadde..cde9f07bb3 100644
--- a/subprojects/libvhost-user/libvhost-user.h
+++ b/subprojects/libvhost-user/libvhost-user.h
@@ -129,6 +129,8 @@ typedef struct VhostUserMemoryRegion {
     uint64_t mmap_offset;
 } VhostUserMemoryRegion;
 
+#define VHOST_USER_MEM_REG_SIZE (sizeof(VhostUserMemoryRegion))
+
 typedef struct VhostUserMemory {
     uint32_t nregions;
     uint32_t padding;
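Review bot: the new VHOST_USER_MEM_REG_SIZE macro has no comment explaining what it is for; since libvhost-user.c uses it as the minimum acceptable vmsg->size for a message that carries a single region descriptor, a one-line comment above the #define stating that would help readers of the header. It is also worth noting at the definition that the macro expands to a size_t (it is a sizeof), because the call site in this series prints it with a printf-style format and needs a matching specifier.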
diff --git a/subprojects/libvhost-user/libvhost-user.c b/subprojects/libvhost-user/libvhost-user.c
index 787f4d2d4f..b09b1c269e 100644
--- a/subprojects/libvhost-user/libvhost-user.c
+++ b/subprojects/libvhost-user/libvhost-user.c
@@ -801,6 +801,21 @@ vu_rem_mem_reg(VuDev *dev, VhostUserMsg *vmsg) {
     VuDevRegion shadow_regions[VHOST_USER_MAX_RAM_SLOTS] = {};
     VhostUserMemoryRegion m = vmsg->payload.memreg.region, *msg_region = &m;
 
+    if (vmsg->fd_num != 1) {
+        vmsg_close_fds(vmsg);
+        vu_panic(dev, "VHOST_USER_REM_MEM_REG received %d fds - only 1 fd "
+                      "should be sent for this message type", vmsg->fd_num);
+        return false;
+    }
+
+    if (vmsg->size < VHOST_USER_MEM_REG_SIZE) {
+        close(vmsg->fds[0]);
+        vu_panic(dev, "VHOST_USER_REM_MEM_REG requires a message size of at "
+                      "least %d bytes and only %d bytes were received",
+                      VHOST_USER_MEM_REG_SIZE, vmsg->size);
+        return false;
+    }
+
     DPRINT("Removing region:\n");
     DPRINT("    guest_phys_addr: 0x%016"PRIx64"\n",
            msg_region->guest_phys_addr);
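Review bot: the second vu_panic() format string uses `%d` for both arguments, but VHOST_USER_MEM_REG_SIZE expands to sizeof(VhostUserMemoryRegion), which is a size_t, so it needs `%zu`; on an LP64 target a 64-bit value passed for `%d` makes the printed numbers unreliable, and `vmsg->size` should likewise use the specifier that matches its unsigned type (PRIu32 if it is a uint32_t). Suggested:
        vu_panic(dev, "VHOST_USER_REM_MEM_REG requires a message size of at "
                      "least %zu bytes and only %u bytes were received",
                      VHOST_USER_MEM_REG_SIZE, vmsg->size);
A smaller consistency point: the size-check path calls close(vmsg->fds[0]) directly while the fd-count path uses vmsg_close_fds(vmsg); since fd_num == 1 has already been established when the size check runs, vmsg_close_fds(vmsg) would close that same single fd, keep both error paths uniform, and leave the message's fd bookkeeping in whatever state vmsg_close_fds() normally leaves it.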
-- 
MST
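As an added example (not libvhost-user's code and not part of this patch), the two checks the commit message describes, modelled as a stand-alone C program. The types, constants and functions (`rem_mem_reg_msg_t`, `mem_region_t`, `MEM_REG_SIZE`, `validate_rem_mem_reg`, the `run_case` harness) are hypothetical stand-ins for the library's own; the harness hands the validator real pipe descriptors and counts how many survive, so the fd leak the message describes becomes a property you can check rather than infer from reading the diff.

```c
/*
 * Added example (not libvhost-user code): a self-contained model of the
 * VHOST_USER_REM_MEM_REG input validation the patch above introduces.
 * All type, function and constant names here are hypothetical stand-ins.
 */
#include <fcntl.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

#define MAX_FDS 8   /* hypothetical cap on fds carried by one message */

/* Stand-in for VhostUserMemoryRegion: four 64-bit fields, 32 bytes. */
typedef struct {
    uint64_t guest_phys_addr;
    uint64_t memory_size;
    uint64_t userspace_addr;
    uint64_t mmap_offset;
} mem_region_t;

#define MEM_REG_SIZE (sizeof(mem_region_t))   /* stand-in for VHOST_USER_MEM_REG_SIZE */

/* Stand-in for the parts of VhostUserMsg the validation touches. */
typedef struct {
    uint32_t size;        /* payload length the VMM claims to have sent */
    int fd_num;           /* number of fds received with the message */
    int fds[MAX_FDS];
    mem_region_t region;  /* the payload itself */
} rem_mem_reg_msg_t;

/* Close every fd carried by the message, as vmsg_close_fds() does. */
static void msg_close_fds(rem_mem_reg_msg_t *msg)
{
    for (int i = 0; i < msg->fd_num; i++) {
        close(msg->fds[i]);
        msg->fds[i] = -1;
    }
    msg->fd_num = 0;
}

/*
 * Validate a REM_MEM_REG message the way the patch does: exactly one fd must
 * accompany it and the payload must be at least one region descriptor long.
 * Every error path closes all received fds so nothing leaks; on success the
 * single fd stays open for the caller to use.
 */
bool validate_rem_mem_reg(rem_mem_reg_msg_t *msg, char *err, size_t errlen)
{
    if (msg->fd_num != 1) {
        snprintf(err, errlen, "received %d fds - only 1 fd should be sent",
                 msg->fd_num);
        msg_close_fds(msg);
        return false;
    }
    if (msg->size < MEM_REG_SIZE) {
        snprintf(err, errlen, "need at least %zu bytes, got %u",
                 MEM_REG_SIZE, msg->size);
        msg_close_fds(msg);
        return false;
    }
    return true;
}

/* True if fd currently refers to an open descriptor in this process. */
static bool fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/*
 * Harness: build a message carrying n fresh pipe fds and a claimed size, run
 * the validation, and report whether it was accepted and how many of the n
 * fds are still open afterwards (the number a leak check would count).
 */
static int run_case(int n, uint32_t size, bool *accepted)
{
    rem_mem_reg_msg_t msg = { .size = size, .fd_num = n };
    int write_end[MAX_FDS], received[MAX_FDS];
    char err[96] = "";

    for (int i = 0; i < n; i++) {
        int p[2];
        if (pipe(p) != 0) {
            return -1;
        }
        msg.fds[i] = received[i] = p[0];
        write_end[i] = p[1];
    }
    *accepted = validate_rem_mem_reg(&msg, err, sizeof err);

    int still_open = 0;
    for (int i = 0; i < n; i++) {
        if (fd_is_open(received[i])) {
            still_open++;
            close(received[i]);   /* tidy up after the accepted case */
        }
        close(write_end[i]);
    }
    return still_open;
}

bool rem_mem_reg_accepted(int n, uint32_t size)
{
    bool accepted = false;
    run_case(n, size, &accepted);
    return accepted;
}

int rem_mem_reg_fds_left_open(int n, uint32_t size)
{
    bool accepted;
    return run_case(n, size, &accepted);
}

int main(void)
{
    printf("3 fds, 32 bytes: accepted=%d, fds left open=%d\n",
           rem_mem_reg_accepted(3, 32), rem_mem_reg_fds_left_open(3, 32));
    printf("1 fd,   8 bytes: accepted=%d, fds left open=%d\n",
           rem_mem_reg_accepted(1, 8), rem_mem_reg_fds_left_open(1, 8));
    printf("1 fd,  32 bytes: accepted=%d, fds left open=%d\n",
           rem_mem_reg_accepted(1, 32), rem_mem_reg_fds_left_open(1, 32));
    return 0;
}
```

The harness counts open descriptors with fcntl(F_GETFD) rather than trusting the message's own bookkeeping, which is the property a backend actually cares about: a rejected message from the VMM must leave no descriptor behind, while an accepted one leaves exactly the one fd the caller will map.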

Thread overview: 43+ messages
2022-02-05  1:42 [PULL 00/32] virtio,pc: features, cleanups, fixes Michael S. Tsirkin
2022-02-05  1:42 ` [PULL 01/32] cpuid: use unsigned for max cpuid Michael S. Tsirkin
2022-02-05  1:42 ` [PULL 02/32] hw/i386: Add the possibility to disable the 'isapc' machine Michael S. Tsirkin
2022-02-05  1:42 ` [PULL 03/32] tests: acpi: manually pad OEM_ID/OEM_TABLE_ID for test_oem_fields() test Michael S. Tsirkin
2022-02-05  1:42 ` [PULL 04/32] tests: acpi: whitelist nvdimm's SSDT and FACP.slic expected blobs Michael S. Tsirkin
2022-02-05  1:42 ` [PULL 05/32] acpi: fix OEM ID/OEM Table ID padding Michael S. Tsirkin
2022-02-05  1:42 ` [PULL 06/32] tests: acpi: update expected blobs Michael S. Tsirkin
2022-02-05  1:42 ` [PULL 07/32] tests: acpi: test short OEM_ID/OEM_TABLE_ID values in test_oem_fields() Michael S. Tsirkin
2022-02-05  1:42 ` Michael S. Tsirkin [this message]
2022-02-05  1:42 ` [PULL 09/32] libvhost-user: Add vu_add_mem_reg input validation Michael S. Tsirkin
2022-02-05  1:43 ` [PULL 10/32] libvhost-user: Simplify VHOST_USER_REM_MEM_REG Michael S. Tsirkin
2022-02-05  1:43 ` [PULL 11/32] libvhost-user: fix VHOST_USER_REM_MEM_REG not closing the fd Michael S. Tsirkin
2022-02-05  1:43 ` [PULL 12/32] libvhost-user: prevent over-running max RAM slots Michael S. Tsirkin
2022-02-05  1:43 ` [PULL 13/32] libvhost-user: handle removal of identical regions Michael S. Tsirkin
2022-02-05  1:43 ` [PULL 14/32] libvhost-user: Map shared RAM with MAP_NORESERVE to support virtio-mem with hugetlb Michael S. Tsirkin
2022-02-05  1:43 ` [PULL 15/32] virtio: drop name parameter for virtio_init() Michael S. Tsirkin
2022-02-05  1:43 ` [PULL 16/32] virtio: add vhost support for virtio devices Michael S. Tsirkin
2022-02-05  1:43 ` [PULL 18/32] qmp: add QMP command x-query-virtio-status Michael S. Tsirkin
2022-02-05  1:45   ` Michael S. Tsirkin
2022-02-05  1:43 ` [PULL 19/32] qmp: decode feature & status bits in virtio-status Michael S. Tsirkin
2022-02-05  1:43 ` [PULL 22/32] hmp: add virtio commands Michael S. Tsirkin
2022-02-05  1:43 ` [PULL 23/32] ACPI ERST: bios-tables-test.c steps 1 and 2 Michael S. Tsirkin
2022-02-05  1:43 ` [PULL 24/32] ACPI ERST: PCI device_id for ERST Michael S. Tsirkin
2022-02-05  1:43 ` [PULL 25/32] ACPI ERST: header file " Michael S. Tsirkin
2022-02-05  1:43 ` [PULL 26/32] ACPI ERST: support for ACPI ERST feature Michael S. Tsirkin
2022-02-05  1:43 ` [PULL 27/32] ACPI ERST: build the ACPI ERST table Michael S. Tsirkin
2022-02-05  1:43 ` [PULL 28/32] ACPI ERST: create ACPI ERST table for pc/x86 machines Michael S. Tsirkin
2022-02-05  1:43 ` [PULL 29/32] ACPI ERST: qtest for ERST Michael S. Tsirkin
2022-02-05  1:44 ` [PULL 30/32] ACPI ERST: bios-tables-test testcase Michael S. Tsirkin
2022-02-05  1:44 ` [PULL 31/32] ACPI ERST: step 6 of bios-tables-test.c Michael S. Tsirkin
2022-02-05  1:44 ` [PULL 32/32] util/oslib-posix: Fix missing unlock in the error path of os_mem_prealloc() Michael S. Tsirkin
2022-02-05  1:44 ` [PULL 17/32] qmp: add QMP command x-query-virtio Michael S. Tsirkin
2022-02-05  1:44 ` [PULL 20/32] qmp: add QMP commands for virtio/vhost queue-status Michael S. Tsirkin
2022-02-05  1:45 ` [PULL 21/32] qmp: add QMP command x-query-virtio-queue-element Michael S. Tsirkin
2022-02-05  1:43   ` Michael S. Tsirkin
2022-02-05 11:07 ` [PULL 00/32] virtio,pc: features, cleanups, fixes Peter Maydell
2022-02-05 12:25   ` Michael S. Tsirkin
2022-02-05 13:31     ` Peter Maydell
2022-02-05 17:42       ` Michael S. Tsirkin
2022-02-05 21:05         ` Peter Maydell
2022-02-06  9:29           ` Michael S. Tsirkin
2022-02-06 10:44             ` Peter Maydell
2022-02-06 15:38               ` Michael S. Tsirkin