From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:58326)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <lersek@redhat.com>) id 1VAE8w-0004zs-BJ
	for qemu-devel@nongnu.org; Fri, 16 Aug 2013 03:08:24 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <lersek@redhat.com>) id 1VAE8r-0005ZQ-AB
	for qemu-devel@nongnu.org; Fri, 16 Aug 2013 03:08:18 -0400
Message-ID: <520DD06F.80005@redhat.com>
Date: Fri, 16 Aug 2013 09:10:39 +0200
From: Laszlo Ersek <lersek@redhat.com>
MIME-Version: 1.0
References: <20130816044811.3049.77085.stgit@bling.home>
In-Reply-To: <20130816044811.3049.77085.stgit@bling.home>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH] exec: Fix non-power-of-2 sized accesses
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Alex Williamson <alex.williamson@redhat.com>
Cc: rth@twiddle.net, qemu-devel@nongnu.org, qemu-stable@nongnu.org

On 08/16/13 06:55, Alex Williamson wrote:
> Since commit 23326164 we align access sizes to match the alignment of
> the address, but we don't align the access size itself.  This means we
> let illegal access sizes (ex. 3) slip through if the address is
> sufficiently aligned (ex. 4).  This results in an abort which would be
> easy for a guest to trigger.  Account for aligning the access size.
> 
> Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
> Cc: qemu-stable@nongnu.org
> ---
> 
> In the example I saw the guest was doing a 4-byte read at I/O port
> 0xcd7.  We satisfy the first byte with a 1-byte read leaving 3 bytes
> remaining at an 8-byte aligned address... boom.  ffs() caused weird
> stack smashing errors here, so I just did a loop since it can only
> run for a few iterations max.
> 
>  exec.c |    7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/exec.c b/exec.c
> index 3ca9381..652fc3a 100644
> --- a/exec.c
> +++ b/exec.c
> @@ -1924,6 +1924,13 @@ static int memory_access_size(MemoryRegion *mr, unsigned l, hwaddr addr)
>          }
>      }
>  
> +    /* Size must be a power of 2 */
> +    if (l & (l - 1)) {
> +        while (l & (access_size_max - 1) && access_size_max > 1) {
> +            access_size_max >>= 1;
> +        }
> +    }
> +
>      /* Don't attempt accesses larger than the maximum.  */
>      if (l > access_size_max) {
>          l = access_size_max;
> 
> 

Assuming that "access_size_max" is positive when reaching the code
you're adding (and it does seem positive at that point), you don't need
"&& access_size_max > 1". That expression won't be evaluated when it
would matter (ie. when access_size_max==1).

Anyway that's not a bug.

Reviewed-by: Laszlo Ersek <lersek@redhat.com>