From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Qiuhao Li" <Qiuhao.Li@outlook.com>,
	"Michael S. Tsirkin" <mst@redhat.com>,
	"Stefan Hajnoczi" <stefanha@redhat.com>,
	"Eric Blake" <eblake@redhat.com>,
	"Darren Kenny" <darren.kenny@oracle.com>,
	"Bandan Das" <bsd@redhat.com>,
	"Alexander Bulekov" <alxndr@bu.edu>,
	"Philippe Mathieu-Daudé" <f4bug@amsat.org>,
	"Markus Armbruster" <armbru@redhat.com>,
	"Akihiko Odaki" <akihiko.odaki@gmail.com>,
	"Alexandre Ratchov" <alex@caoua.org>,
	"Laurent Vivier" <lvivier@redhat.com>,
	"Paolo Bonzini" <pbonzini@redhat.com>,
	"Thomas Huth" <thuth@redhat.com>,
	"Gerd Hoffmann" <kraxel@redhat.com>,
	"Peter Maydell" <peter.maydell@linaro.org>
Subject: [PULL 11/24] hw/usb/hcd-xhci: Check whether DMA accesses fail
Date: Tue, 27 Sep 2022 10:18:59 +0200	[thread overview]
Message-ID: <20220927081912.180983-12-kraxel@redhat.com> (raw)
In-Reply-To: <20220927081912.180983-1-kraxel@redhat.com>

From: Thomas Huth <thuth@redhat.com>

If a guest sets up bad descriptors, it could force QEMU to access
non-existent memory regions. Thus we should check the return value
of dma_memory_read/write() to make sure that these errors don't go
unnoticed.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20220817160016.49752-1-thuth@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/usb/hcd-xhci.c | 64 +++++++++++++++++++++++++++++++++++------------
 1 file changed, 48 insertions(+), 16 deletions(-)

diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 3c48b58ddeb5..acd60b1a4904 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -463,6 +463,12 @@ static void xhci_mfwrap_timer(void *opaque)
     xhci_mfwrap_update(xhci);
 }
 
+static void xhci_die(XHCIState *xhci)
+{
+    xhci->usbsts |= USBSTS_HCE;
+    DPRINTF("xhci: asserted controller error\n");
+}
+
 static inline dma_addr_t xhci_addr64(uint32_t low, uint32_t high)
 {
     if (sizeof(dma_addr_t) == 4) {
@@ -488,7 +494,14 @@ static inline void xhci_dma_read_u32s(XHCIState *xhci, dma_addr_t addr,
 
     assert((len % sizeof(uint32_t)) == 0);
 
-    dma_memory_read(xhci->as, addr, buf, len, MEMTXATTRS_UNSPECIFIED);
+    if (dma_memory_read(xhci->as, addr, buf, len,
+                        MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) {
+        qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA memory access failed!\n",
+                      __func__);
+        memset(buf, 0xff, len);
+        xhci_die(xhci);
+        return;
+    }
 
     for (i = 0; i < (len / sizeof(uint32_t)); i++) {
         buf[i] = le32_to_cpu(buf[i]);
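Review bot: The 0xff fill on the new failure path carries no comment explaining the choice of value, and because the function returns void the only signal a caller gets is the USBSTS_HCE bit that xhci_die sets. A one-line comment above the memset, `/* Read failed: hand back all-ones (presumably mirroring an aborted bus read) and flag the controller error via HCE. */`, would make that contract explicit for callers that inspect the buffer afterwards. The function's signature and the declaration of `i` lie above this hunk.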
@@ -496,7 +509,7 @@ static inline void xhci_dma_read_u32s(XHCIState *xhci, dma_addr_t addr,
 }
 
 static inline void xhci_dma_write_u32s(XHCIState *xhci, dma_addr_t addr,
-                                       uint32_t *buf, size_t len)
+                                       const uint32_t *buf, size_t len)
 {
     int i;
     uint32_t tmp[5];
@@ -508,7 +521,13 @@ static inline void xhci_dma_write_u32s(XHCIState *xhci, dma_addr_t addr,
     for (i = 0; i < n; i++) {
         tmp[i] = cpu_to_le32(buf[i]);
     }
-    dma_memory_write(xhci->as, addr, tmp, len, MEMTXATTRS_UNSPECIFIED);
+    if (dma_memory_write(xhci->as, addr, tmp, len,
+                         MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) {
+        qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA memory access failed!\n",
+                      __func__);
+        xhci_die(xhci);
+        return;
+    }
 }
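Review bot: The `return;` added in the new failure branch is the last statement before the function's closing brace, so it is dead code. Dropping it and keeping the branch as log plus `xhci_die(xhci);` reads cleaner and matches the xhci_write_event hunk, which does not return after xhci_die. The function's signature and the computation of `n` are above this hunk.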
 
 static XHCIPort *xhci_lookup_port(XHCIState *xhci, struct USBPort *uport)
@@ -593,12 +612,6 @@ static inline int xhci_running(XHCIState *xhci)
     return !(xhci->usbsts & USBSTS_HCH);
 }
 
-static void xhci_die(XHCIState *xhci)
-{
-    xhci->usbsts |= USBSTS_HCE;
-    DPRINTF("xhci: asserted controller error\n");
-}
-
 static void xhci_write_event(XHCIState *xhci, XHCIEvent *event, int v)
 {
     XHCIInterrupter *intr = &xhci->intr[v];
@@ -619,7 +632,12 @@ static void xhci_write_event(XHCIState *xhci, XHCIEvent *event, int v)
                                ev_trb.status, ev_trb.control);
 
     addr = intr->er_start + TRB_SIZE*intr->er_ep_idx;
-    dma_memory_write(xhci->as, addr, &ev_trb, TRB_SIZE, MEMTXATTRS_UNSPECIFIED);
+    if (dma_memory_write(xhci->as, addr, &ev_trb, TRB_SIZE,
+                         MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) {
+        qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA memory access failed!\n",
+                      __func__);
+        xhci_die(xhci);
+    }
 
     intr->er_ep_idx++;
     if (intr->er_ep_idx >= intr->er_size) {
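Review bot: After the failed write, xhci_write_event still falls through to `intr->er_ep_idx++` and the wrap logic, so the event ring pointer advances past a slot that was never written, whereas the other new failure paths in this patch (xhci_dma_write_u32s, xhci_er_reset) return immediately after xhci_die. If advancing is intentional because HCE stops the controller anyway, a comment saying so would help; otherwise add `return;` after `xhci_die(xhci);`. The remainder of the function is outside this hunk.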
@@ -680,8 +698,12 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
 
     while (1) {
         TRBType type;
-        dma_memory_read(xhci->as, ring->dequeue, trb, TRB_SIZE,
-                        MEMTXATTRS_UNSPECIFIED);
+        if (dma_memory_read(xhci->as, ring->dequeue, trb, TRB_SIZE,
+                            MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) {
+            qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA memory access failed!\n",
+                          __func__);
+            return 0;
+        }
         trb->addr = ring->dequeue;
         trb->ccs = ring->ccs;
         le64_to_cpus(&trb->parameter);
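Review bot: This failure path returns 0 without calling xhci_die, so unlike the other DMA failures in this patch the guest is never told via USBSTS_HCE that the controller hit an error; presumably callers treat a TRB type of 0 as "nothing fetched" and carry on. Either add `xhci_die(xhci);` before `return 0;` to match the rest of the patch, or document why a fetch failure is treated as a benign empty ring. The rest of xhci_ring_fetch, including what callers do with 0, is outside the hunk.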
@@ -798,8 +820,14 @@ static void xhci_er_reset(XHCIState *xhci, int v)
         xhci_die(xhci);
         return;
     }
-    dma_memory_read(xhci->as, erstba, &seg, sizeof(seg),
-                    MEMTXATTRS_UNSPECIFIED);
+    if (dma_memory_read(xhci->as, erstba, &seg, sizeof(seg),
+                    MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) {
+        qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA memory access failed!\n",
+                      __func__);
+        xhci_die(xhci);
+        return;
+    }
+
     le32_to_cpus(&seg.addr_low);
     le32_to_cpus(&seg.addr_high);
     le32_to_cpus(&seg.size);
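Review bot: The continuation line `MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) {` kept the indentation of the old bare `dma_memory_read(` call and is now four columns short of the opening parenthesis inside `if (`; the same misalignment appears in the xhci_get_port_bandwidth hunk. Re-indent it to match the alignment used in the xhci_dma_read_u32s and xhci_ring_fetch hunks.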
@@ -2415,8 +2443,12 @@ static TRBCCode xhci_get_port_bandwidth(XHCIState *xhci, uint64_t pctx)
     /* TODO: actually implement real values here */
     bw_ctx[0] = 0;
     memset(&bw_ctx[1], 80, xhci->numports); /* 80% */
-    dma_memory_write(xhci->as, ctx, bw_ctx, sizeof(bw_ctx),
-                     MEMTXATTRS_UNSPECIFIED);
+    if (dma_memory_write(xhci->as, ctx, bw_ctx, sizeof(bw_ctx),
+                     MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) {
+        qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA memory write failed!\n",
+                      __func__);
+        return CC_TRB_ERROR;
+    }
 
     return CC_SUCCESS;
 }
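Review bot: The log text here reads `DMA memory write failed!` while every other new site in the patch, including the write failures in xhci_dma_write_u32s and xhci_write_event, reads `DMA memory access failed!`; one wording keeps log searches consistent. This site also returns CC_TRB_ERROR without asserting HCE via xhci_die, which may be deliberate since the guest receives an explicit completion code, but a comment stating that intent would save the next reader from wondering.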
-- 
2.37.3


