From: David Woodhouse <dwmw2@infradead.org>
To: qemu-devel <qemu-devel@nongnu.org>
Cc: "Michael S. Tsirkin" <mst@redhat.com>,
	Marcel Apfelbaum <marcel.apfelbaum@gmail.com>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Richard Henderson <richard.henderson@linaro.org>,
	Eduardo Habkost <eduardo@habkost.net>,
	Sergio Lopez <slp@redhat.com>,
	Peter Maydell <peter.maydell@linaro.org>
Subject: [PATCH] hw/i386/fw_cfg: Add etc/e820 to fw_cfg late
Date: Mon, 17 Jun 2024 14:46:40 +0100	[thread overview]
Message-ID: <3ce6d142356cb061b64d71a4e39525d9d7c52b12.camel@infradead.org> (raw)


From: David Woodhouse <dwmw@amazon.co.uk>

In e820_add_entry() the e820_table is reallocated with g_renew() to make
space for a new entry. However, fw_cfg_arch_create() just uses the existing
e820_table pointer.

This leads to a use-after-free if anything adds a new entry after fw_cfg
is set up. Shift the addition of the etc/e820 file to the machine done
notifier, and add a sanity check to ensure that e820_table isn't
modified after the pointer gets stashed.

Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
---
 hw/i386/e820_memory_layout.c | 8 ++++++++
 hw/i386/fw_cfg.c             | 7 ++++---
 hw/i386/microvm.c            | 5 +++--
 3 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/hw/i386/e820_memory_layout.c b/hw/i386/e820_memory_layout.c
index 06970ac44a..c96515909e 100644
--- a/hw/i386/e820_memory_layout.c
+++ b/hw/i386/e820_memory_layout.c
@@ -8,13 +8,20 @@
 
 #include "qemu/osdep.h"
 #include "qemu/bswap.h"
+#include "qemu/error-report.h"
 #include "e820_memory_layout.h"
 
 static size_t e820_entries;
 struct e820_entry *e820_table;
+static gboolean e820_done;
 
 int e820_add_entry(uint64_t address, uint64_t length, uint32_t type)
 {
+    if (e820_done) {
+        warn_report("warning: E820 modified after being consumed");
+        return -1;
+    }
+
     /* new "etc/e820" file -- include ram and reserved entries */
     e820_table = g_renew(struct e820_entry, e820_table, e820_entries + 1);
     e820_table[e820_entries].address = cpu_to_le64(address);
@@ -27,6 +34,7 @@ int e820_add_entry(uint64_t address, uint64_t length, uint32_t type)
 
 int e820_get_num_entries(void)
 {
+    e820_done = true;
     return e820_entries;
 }
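Review bot: Setting `e820_done = true` inside e820_get_num_entries() turns a plain getter into the freeze point, which nothing in its name or a comment says; any caller that only wants the count would silently lock the table against further e820_add_entry() calls. At minimum a comment above the assignment should state the contract, `/* Reading the count marks e820_table as stashed; later e820_add_entry() calls are rejected. */`. Cleaner would be an explicit `e820_table_freeze()` (or setting the flag where the pointer is handed to fw_cfg_add_file()) so that reads of the count stay side-effect free.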
 
diff --git a/hw/i386/fw_cfg.c b/hw/i386/fw_cfg.c
index 6e0d9945d0..e046ad1a54 100644
--- a/hw/i386/fw_cfg.c
+++ b/hw/i386/fw_cfg.c
@@ -102,6 +102,10 @@ void fw_cfg_build_smbios(PCMachineState *pcms, FWCfgState *fw_cfg,
                         smbios_anchor, smbios_anchor_len);
     }
 #endif
+
+    /* Add etc/e820 late, once all regions should be present */
+    fw_cfg_add_file(fw_cfg, "etc/e820", e820_table,
+                    sizeof(struct e820_entry) * e820_get_num_entries());
 }
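Review bot: The etc/e820 file is now added from inside fw_cfg_build_smbios(), whose name says nothing about e820, so a reader of fw_cfg_arch_create() looking for where the file went will not find it; the same two-line fw_cfg_add_file() call is repeated in the microvm_machine_done() hunk of hw/i386/microvm.c. A small shared helper in fw_cfg.c, e.g. `void fw_cfg_add_e820(FWCfgState *fw_cfg)` wrapping `fw_cfg_add_file(fw_cfg, "etc/e820", e820_table, sizeof(struct e820_entry) * e820_get_num_entries());`, called from both machine-done paths, keeps the size computation and the "must be late" requirement in one place and gives the comment a natural home. This placement also relies on fw_cfg_build_smbios() being reached unconditionally from the PC machine-done path; its callers are outside this patch, and if it can be skipped in some configuration, etc/e820 would be missing for those guests. fw_cfg_build_smbios() starts outside the hunk.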
 
 FWCfgState *fw_cfg_arch_create(MachineState *ms,
@@ -139,9 +143,6 @@ FWCfgState *fw_cfg_arch_create(MachineState *ms,
 #endif
     fw_cfg_add_i32(fw_cfg, FW_CFG_IRQ0_OVERRIDE, 1);
 
-    fw_cfg_add_file(fw_cfg, "etc/e820", e820_table,
-                    sizeof(struct e820_entry) * e820_get_num_entries());
-
     fw_cfg_add_bytes(fw_cfg, FW_CFG_HPET, &hpet_cfg, sizeof(hpet_cfg));
     /* allocate memory for the NUMA channel: one (64bit) word for the number
      * of nodes, one word for each VCPU->node and one word for each node to
diff --git a/hw/i386/microvm.c b/hw/i386/microvm.c
index fec63cacfa..89b2abcebf 100644
--- a/hw/i386/microvm.c
+++ b/hw/i386/microvm.c
@@ -324,8 +324,6 @@ static void microvm_memory_init(MicrovmMachineState *mms)
     fw_cfg_add_i16(fw_cfg, FW_CFG_MAX_CPUS, machine->smp.max_cpus);
     fw_cfg_add_i64(fw_cfg, FW_CFG_RAM_SIZE, (uint64_t)machine->ram_size);
     fw_cfg_add_i32(fw_cfg, FW_CFG_IRQ0_OVERRIDE, 1);
-    fw_cfg_add_file(fw_cfg, "etc/e820", e820_table,
-                    sizeof(struct e820_entry) * e820_get_num_entries());
 
     rom_set_fw(fw_cfg);
 
@@ -586,9 +584,12 @@ static void microvm_machine_done(Notifier *notifier, void *data)
 {
     MicrovmMachineState *mms = container_of(notifier, MicrovmMachineState,
                                             machine_done);
+    X86MachineState *x86ms = X86_MACHINE(mms);
 
     acpi_setup_microvm(mms);
     dt_setup_microvm(mms);
+    fw_cfg_add_file(x86ms->fw_cfg, "etc/e820", e820_table,
+                    sizeof(struct e820_entry) * e820_get_num_entries());
 }
 
 static void microvm_powerdown_req(Notifier *notifier, void *data)
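Review bot: `x86ms->fw_cfg` is dereferenced by the new fw_cfg_add_file() call without a NULL check; whether microvm always creates fw_cfg before the machine-done notifier runs is decided in microvm_memory_init(), outside this hunk, so if any configuration leaves it NULL the call needs a guard, `if (x86ms->fw_cfg) {`. The removed call in microvm_memory_init() used the local `fw_cfg` it had just created, so that guarantee was implicit there and now rests on the struct field having been set.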
-- 
2.44.0



