qemu-devel.nongnu.org archive mirror
From: Richard Henderson <richard.henderson@linaro.org>
To: qemu-devel@nongnu.org
Cc: peter.maydell@linaro.org,
	Akihiko Odaki <akihiko.odaki@daynix.com>,
	Alexander Bulekov <alxndr@bu.edu>,
	David Hildenbrand <david@redhat.com>
Subject: [PULL 02/62] softmmu: Use memmove in flatview_write_continue
Date: Tue, 28 Feb 2023 16:55:43 -1000	[thread overview]
Message-ID: <20230301025643.1227244-3-richard.henderson@linaro.org> (raw)
In-Reply-To: <20230301025643.1227244-1-richard.henderson@linaro.org>

From: Akihiko Odaki <akihiko.odaki@daynix.com>

We found a case where the source passed to flatview_write_continue() may
overlap with the destination when fuzzing igb, a newly proposed network
device, with sanitizers.

igb uses pci_dma_map() to get Tx packet, and pci_dma_write() to write Rx
buffer. While pci_dma_write() is usually used to write data from
memory not mapped to the guest, if igb is configured to perform
loopback, the data will be sourced from the guest memory. The source and
destination can overlap and the usage of memcpy() will be invalid in
such a case.

While we do not really have to deal with such an invalid request for
igb, detecting the overlap in igb code beforehand requires complex code,
and only covers this specific case. Instead, just replace memcpy() with
memmove() to tolerate overlaps. Using memmove() will slightly damage the
performance as it will need to check overlaps before using SIMD
instructions for copying, but the cost should be negligible, considering
the inherent complexity of flatview_write_continue().

The test cases generated by the fuzzer are available at:
https://patchew.org/QEMU/20230129053316.1071513-1-alxndr@bu.edu/

The fixed test case is:
fuzz/crash_47dfe62d9f911bf523ff48cd441b61c0013ed805

Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Acked-by: Alexander Bulekov <alxndr@bu.edu>
Acked-by: David Hildenbrand <david@redhat.com>
Message-Id: <20230131030155.18932-1-akihiko.odaki@daynix.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 softmmu/physmem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/softmmu/physmem.c b/softmmu/physmem.c
index df54b917a9..47143edb4f 100644
--- a/softmmu/physmem.c
+++ b/softmmu/physmem.c
@@ -2637,7 +2637,7 @@ static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr,
         } else {
             /* RAM case */
             ram_ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l, false);
-            memcpy(ram_ptr, buf, l);
+            memmove(ram_ptr, buf, l);
             invalidate_and_set_dirty(mr, addr1, l);
         }
 
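Review bot: the switch to `memmove(ram_ptr, buf, l);` is correct for the overlap described in the commit message, but nothing in the code records why memcpy() is insufficient here; the only nearby comment is `/* RAM case */`, so a future cleanup could reintroduce memcpy() without noticing the loopback case. Suggest extending that comment, e.g. `/* RAM case: buf may point into guest RAM and overlap ram_ptr, so memmove */`, so the constraint lives next to the call rather than only in git history. Also worth noting in review that the hunk changes only the RAM branch below `} else {`; the non-RAM branch above it is outside this hunk and is unaffected by this change.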
-- 
2.34.1
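To make the failure mode in the commit message concrete, here is a constructed model (added example, not QEMU code) of the igb loopback case: guest RAM is a flat byte array, a pci_dma_map()-style call returns a direct pointer into it, and the Rx write lands in the same array. A low-to-high byte copy, which an unrestricted memcpy() is free to do, corrupts an overlapping copy where the destination sits above the source, while memmove() preserves it. The names dma_map, write_naive, write_memmove and loopback_intact are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed "guest RAM": a flat byte array (assumption of this example). */
enum { GUEST_RAM_SIZE = 64 };
static uint8_t guest_ram[GUEST_RAM_SIZE];

/* Stand-in for pci_dma_map(): hands back a direct pointer into guest RAM,
 * which is exactly why the Tx source can alias the Rx destination. */
static uint8_t *dma_map(size_t guest_addr) { return guest_ram + guest_addr; }

/* Write path before the patch, modelled as a low-to-high byte copy: this is
 * one behaviour memcpy() may legitimately have, and it breaks when the
 * destination overlaps and lies above the source. */
static void write_naive(size_t dst, const uint8_t *src, size_t len)
{
    uint8_t *d = guest_ram + dst;
    for (size_t i = 0; i < len; i++) {
        d[i] = src[i];
    }
}

/* Write path after the patch: memmove() tolerates overlap in either direction. */
static void write_memmove(size_t dst, const uint8_t *src, size_t len)
{
    memmove(guest_ram + dst, src, len);
}

/* Runs one loopback: the guest places an 8-byte Tx payload at tx_addr, the
 * device copies it to the Rx buffer at rx_addr via the given write path.
 * Returns 1 if the payload arrived intact, 0 if it was corrupted. */
static int loopback_intact(void (*write)(size_t, const uint8_t *, size_t),
                           size_t tx_addr, size_t rx_addr)
{
    const uint8_t payload[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    memset(guest_ram, 0, sizeof guest_ram);
    memcpy(guest_ram + tx_addr, payload, sizeof payload); /* guest fills Tx */
    write(rx_addr, dma_map(tx_addr), sizeof payload);     /* device loops back */
    return memcmp(guest_ram + rx_addr, payload, sizeof payload) == 0;
}

int main(void)
{
    printf("naive, Rx overlaps above Tx: %s\n",
           loopback_intact(write_naive, 0, 4) ? "intact" : "corrupted");
    printf("memmove, Rx overlaps above Tx: %s\n",
           loopback_intact(write_memmove, 0, 4) ? "intact" : "corrupted");
    return 0;
}
```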
