From: Avi Kivity <avi@redhat.com>
To: Anthony Liguori <anthony@codemonkey.ws>,
	qemu-devel@nongnu.org, Blue Swirl <blauwirbel@gmail.com>
Subject: Re: [Qemu-devel] [PULL 0/3] 128-bit support for the memory API
Date: Mon, 31 Oct 2011 12:27:04 +0200	[thread overview]
Message-ID: <4EAE77F8.2050008@redhat.com> (raw)
In-Reply-To: <20111031003658.GC9698@truffala.fritz.box>

On 10/31/2011 02:36 AM, David Gibson wrote:
> > 
> > There is no direct use of signed arithmetic in the API (just in the
> > implementation).  Aliases can cause a region to move in either the
> > positive or negative direction, and this requires either signed
> > arithmetic or special casing the two directions.
>
> You keep saying we need signed arithmetic for this, but it's not
> really true.  *If* you see aliases as shifting the entire aliased
> address space w.r.t., then just allowing a window to show through, you
> get negative offsets, yes, but that's by no means the only way to think
> about it.

Obviously it's not the only way.  We could insert checks for the
direction, and for overflow/underflow.  But I am looking for the most
reliable way to prevent similar issues from popping up.  There have been
at least three bugs in this area.

If we can use a heavy hammer here, it is worthwhile IMO.  Sorry for
being a little trollish, but I much prefer replacing function calls with
infix operators, than getting a CVE for some overflow.

> It's basically one spot - the alias handling in render_memory_region()
> - that generates a negative start intermediate.  I'm convinced it's
> pretty straightforward to remove this - making a patch for it just
> hasn't bubbled to the top of my priority queue, though.

We keep adding, subtracting, and comparing stuff everywhere.  I am
fairly certain that you are right and there are no other trouble spots,
but I am not absolutely sure, and I would like to be.

> > Signed arithmetic is not the only motivation - overflow is another. 
> > Nothing prevents a user from placing a 64-bit 4k BAR at address
> > ffff_ffff_ffff_f000; we could move to base/limit representation, but
> > that will likely cause its own bugs.  Finally, we should be able to
> > represent both a 0-sized region and a 2^64 sized region.
>
> Note that an (inclusive) start/end representation also cannot
> represent a 0 sized region.

Right.  In theory we shouldn't generate zero sized regions, but can we
trust all device code not to do that?

Also, start/end or off-by-one size are easy to get wrong since C
programmers assume half-inclusive regions.

-- 
error compiling committee.c: too many arguments to function
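The overflow case argued over in this thread, as an added example (not QEMU's code and not from this patch series): the clipping step of a render pass written once with 64-bit intermediates, where `base + size` wraps for the 4k BAR at ffff_ffff_ffff_f000, and once with the GCC/clang `__int128` extension (assumed available) standing in for the 128-bit intermediate, which also makes a 2^64-sized system address space representable.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not QEMU code. A region is [base, base + size) in a
 * 64-bit address space; "clip" returns how many bytes of region a are
 * visible through window w, the core of an intersection/render step. */

/* 64-bit intermediates: base + size silently wraps modulo 2^64. */
static uint64_t clip_u64(uint64_t abase, uint64_t asize,
                         uint64_t wbase, uint64_t wsize)
{
    uint64_t start = abase > wbase ? abase : wbase;
    uint64_t a_end = abase + asize;   /* 0xfffffffffffff000 + 0x1000 -> 0 */
    uint64_t w_end = wbase + wsize;
    uint64_t end = a_end < w_end ? a_end : w_end;
    return end > start ? end - start : 0;   /* wrapped end clips to nothing */
}

/* 128-bit intermediates (GCC/clang __int128 extension, assumed available).
 * Signed, so a shifted alias start may go negative without wrapping; any
 * sum of two 64-bit values fits, and size == 2^64 is representable. */
typedef __int128 i128;
struct region { i128 base; i128 size; };

static i128 clip_128(struct region a, struct region w)
{
    i128 start = a.base > w.base ? a.base : w.base;
    i128 a_end = a.base + a.size;     /* exactly 2^64 for the top-of-space BAR */
    i128 w_end = w.base + w.size;
    i128 end = a_end < w_end ? a_end : w_end;
    return end > start ? end - start : 0;
}

int main(void)
{
    /* Constructed inputs from the mail: a 64-bit 4k BAR placed at the
     * top of the address space, viewed through the top 4 GiB window. */
    uint64_t bar_base = 0xfffffffffffff000ULL, bar_size = 0x1000;
    uint64_t win_base = 0xffffffff00000000ULL, win_size = 0x100000000ULL;
    struct region bar = { bar_base, bar_size };
    struct region sysas = { 0, (i128)1 << 64 };   /* full 2^64 address space */

    printf("u64 : %" PRIu64 " bytes visible (should be 4096)\n",
           clip_u64(bar_base, bar_size, win_base, win_size));
    printf("i128: %" PRIu64 " bytes visible in 4 GiB window\n",
           (uint64_t)clip_128(bar, (struct region){ win_base, win_size }));
    printf("i128: %" PRIu64 " bytes visible in full 2^64 space\n",
           (uint64_t)clip_128(bar, sysas));
    return 0;
}
```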
