From: Pierre Morel
To: Alex Williamson
Cc: pbonzini@redhat.com, qemu-devel@nongnu.org, peter.maydell@linaro.org
Date: Tue, 12 Jan 2016 15:39:09 +0100
Message-ID: <5695100D.6040101@linux.vnet.ibm.com>
In-Reply-To: <1452107285.29599.127.camel@redhat.com>
References: <1452009820-24968-1-git-send-email-pmorel@linux.vnet.ibm.com> <1452107285.29599.127.camel@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v2] vfio/common: Check iova with limit not with size

On 01/06/2016 08:08 PM, Alex Williamson wrote:
> On Tue, 2016-01-05 at 17:03 +0100, Pierre Morel wrote:
>> In vfio_listener_region_add(), the code makes sure
>> that the offset in the section is lower than the size
>> of the section.
>> But the calculation uses the size of the region instead of
>> the region's limit (size - 1).
> We're really just trying to validate that the region is not zero sized
> and hasn't overflowed the address space.
>
>> This leads to an Int128 overflow when the region has
>> been initialized to UINT64_MAX because in this case
>> memory_region_init() transforms the size from UINT64_MAX
>> to int128_2_64().
>>
>> Let's really use the limit by subtracting one from the size
>> and take care to use the limit for functions using limit
>> and size to call functions which need size.
>>
>> Signed-off-by: Pierre Morel
>> ---
>> hw/vfio/common.c | 15 ++++++++++-----
>> 1 files changed, 10 insertions(+), 5 deletions(-)
>>
>> diff --git a/hw/vfio/common.c b/hw/vfio/common.c
>> index 6797208..fe4962a 100644
>> --- a/hw/vfio/common.c
>> +++ b/hw/vfio/common.c
>> @@ -342,18 +342,23 @@ static void vfio_listener_region_add(MemoryListener *listener, >> >> iova = TARGET_PAGE_ALIGN(section->offset_within_address_space); >> llend = int128_make64(section->offset_within_address_space); >> - llend = int128_add(llend, section->size); >> + >> + if (int128_ge(llend, int128_2_64())) { > We've just set llend using int128_make64, so this is guaranteed false. hum, sorry, indeed. > >> + llend = int128_add(llend, int128_sub(section->size, int128_one())); >> + } else { >> + llend = int128_add(llend, section->size); >> + } > So the above changed nothing. > >> llend = int128_and(llend, int128_exts64(TARGET_PAGE_MASK)); >> >> - if (int128_ge(int128_make64(iova), llend)) { >> + if (int128_gt(int128_make64(iova), llend)) { > And this allows zero sized regions through. > >> return; >> } >> end = int128_get64(llend); >> >> - if ((iova < container->min_iova) || ((end - 1) > container->max_iova)) { >> + if ((iova < container->min_iova) || (end > container->max_iova)) { >> error_report("vfio: IOMMU container %p can't map guest IOVA region" >> " 0x%"HWADDR_PRIx"..0x%"HWADDR_PRIx, >> - container, iova, end - 1); >> + container, iova, end); > This looks wrong too, max_iova is set to the last valid iova, for > instance if the iommu only supported a 4k address space, max_iova would > be 0xfff. A mapping of size 4k at offset 0 should work, but this > change would cause it to fail. > >> ret = -EFAULT; >> goto fail; >> } 
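Review bot: the new `int128_ge(llend, int128_2_64())` branch in this hunk can never be taken: `llend` was just built with `int128_make64()` from a 64-bit offset, so it is always below 2^64, the else branch runs every time, and `llend` remains `offset + size` (the exclusive end) exactly as before, which means the overflow case from the commit message is not addressed. Even if the branch were live, masking an inclusive end with `int128_exts64(TARGET_PAGE_MASK)` rounds it down into the previous page (an inclusive end of 0xffff becomes 0xf000) and silently drops the section's last page. Keep `llend = int128_add(llend, section->size);` and the `int128_ge(int128_make64(iova), llend)` test, which is what rejects empty sections (the `int128_gt` form admits `iova == llend`), and derive the inclusive limit afterwards with `end = int128_get64(int128_sub(llend, int128_one()));`, a value that fits in 64 bits even when `llend` is exactly 2^64. With `end` inclusive, `end > container->max_iova` and the `iova..end` in the error message are right as written; with `end` left exclusive they are off by one in the direction Alex describes, and a 4K section at offset 0 is rejected against `max_iova = 0xfff`.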
>> @@ -363,7 +368,7 @@ static void vfio_listener_region_add(MemoryListener *listener, >> if (memory_region_is_iommu(section->mr)) { >> VFIOGuestIOMMU *giommu; >> >> - trace_vfio_listener_region_add_iommu(iova, end - 1); >> + trace_vfio_listener_region_add_iommu(iova, end); >> /* >> * FIXME: We should do some checking to see if the >> * capabilities of the host VFIO IOMMU are adequate to model > I think maybe you want to set end using: > > end = int128_get64(int128_sub(llend, int128_one())); > > Then removing the -1 in other places becomes correct, BUT we need to > add 1 where we're passing the size, end - iova - > end - iova + 1. > Thanks, > > Alex > You are right, I try again. Pierre
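Review bot: in the second hunk, `trace_vfio_listener_region_add_iommu(iova, end)` is only correct once `end` actually holds the inclusive limit; as the first hunk stands, `end` is still the page-aligned exclusive end, so the trace now reports one past the last mapped address rather than the last address it reported before. If `end` is changed to `int128_get64(int128_sub(llend, int128_one()))`, this line is right, but, as Alex notes, every place in the function that passes `end - iova` as a size then has to become `end - iova + 1`, and the diff does not touch those callers.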
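The two checks contrasted in the review above, as an added stand-alone C model (example code written for this page, not QEMU's hw/vfio/common.c and not code from either poster): `check_as_patched` follows the patch as posted, reproducing the dead `>= 2^64` branch, the `gt` comparison and the exclusive-end comparison with `max_iova`; `check_with_limit` follows the shape Alex suggests, keeping the exclusive end for the emptiness test and taking `llend - 1` as the inclusive limit. It assumes GCC/Clang `unsigned __int128` in place of QEMU's Int128 helpers, 4 KiB pages, and cut-down `section`/`container` structs; the struct and function names are hypothetical and the inputs in `main` are constructed for the example.

```c
/*
 * Added example, not QEMU's code and not from either poster: a stand-alone
 * model of the IOVA range check discussed in the thread.  Assumptions:
 * GCC/Clang's unsigned __int128 stands in for QEMU's Int128 helpers,
 * TARGET_PAGE_BITS is 12, and the section/container structs are reduced
 * to the fields the check reads.  All names below are hypothetical.
 */
#include <stdint.h>
#include <stdio.h>

typedef unsigned __int128 u128;

#define PAGE_SIZE     ((uint64_t)1 << 12)
#define PAGE_MASK     (~(PAGE_SIZE - 1))               /* 64-bit, low 12 bits clear */
#define PAGE_ALIGN(a) (((a) + PAGE_SIZE - 1) & PAGE_MASK)
/* int128_exts64(TARGET_PAGE_MASK) sign-extends, so bit 64 survives the AND. */
#define PAGE_MASK128  (~(u128)(PAGE_SIZE - 1))

/* size may be 2^64: memory_region_init() with UINT64_MAX stores int128_2_64(),
 * which is why offset + size cannot be held in a 64-bit variable. */
struct section { uint64_t offset; u128 size; };

/* Bounds are inclusive: max_iova is the last address the IOMMU can map. */
struct container { uint64_t min_iova; uint64_t max_iova; };

enum result { RANGE_OK, RANGE_EMPTY, RANGE_OUT_OF_BOUNDS };

/* The check as the posted patch leaves it.  llend comes from a 64-bit offset,
 * so the ">= 2^64" branch is dead, end stays the page-aligned exclusive end,
 * the gt comparison admits iova == llend, and end is compared with the
 * inclusive max_iova.  Kept here only to show the off-by-one. */
enum result check_as_patched(const struct section *s, const struct container *c)
{
    uint64_t iova = PAGE_ALIGN(s->offset);
    u128 llend = (u128)s->offset;

    if (llend >= ((u128)1 << 64)) {        /* never true for a 64-bit offset */
        llend += s->size - 1;
    } else {
        llend += s->size;
    }
    llend &= PAGE_MASK128;
    if ((u128)iova > llend) {              /* lets a zero-sized section through */
        return RANGE_EMPTY;
    }
    uint64_t end = (uint64_t)llend;        /* 2^64 truncates to 0 */
    if (iova < c->min_iova || end > c->max_iova) {
        return RANGE_OUT_OF_BOUNDS;
    }
    return RANGE_OK;
}

/* The shape the review converges on: keep the exclusive end for the emptiness
 * test, then take llend - 1 as the inclusive limit (it fits in 64 bits even
 * when llend == 2^64) and hand callers that need a size end - iova + 1. */
enum result check_with_limit(const struct section *s, const struct container *c,
                             uint64_t *iova_out, uint64_t *end_out,
                             u128 *map_size_out)
{
    uint64_t iova = PAGE_ALIGN(s->offset);
    u128 llend = ((u128)s->offset + s->size) & PAGE_MASK128;

    if ((u128)iova >= llend) {             /* nothing left after alignment */
        return RANGE_EMPTY;
    }
    uint64_t end = (uint64_t)(llend - 1);  /* inclusive limit */
    if (iova < c->min_iova || end > c->max_iova) {
        return RANGE_OUT_OF_BOUNDS;
    }
    *iova_out = iova;
    *end_out = end;
    /* A whole-address-space section yields 2^64, which no 64-bit size
     * argument can carry; a real caller must split or reject that case. */
    *map_size_out = (u128)end - iova + 1;
    return RANGE_OK;
}

int main(void)
{
    /* Constructed inputs: Alex's 4 KiB IOMMU window and a one-page section. */
    struct container small = { 0, 0xfff };
    struct section one_page = { 0, PAGE_SIZE };
    uint64_t iova, end;
    u128 size;

    printf("as patched:  result %d\n", check_as_patched(&one_page, &small));
    printf("with limit:  result %d\n",
           check_with_limit(&one_page, &small, &iova, &end, &size));
    printf("mapped 0x%llx..0x%llx, size 0x%llx\n",
           (unsigned long long)iova, (unsigned long long)end,
           (unsigned long long)size);
    return 0;
}
```

Build it with gcc or clang. The `main` reproduces Alex's counterexample (a window with `max_iova = 0xfff` and a one-page section at offset 0), which `check_as_patched` rejects as out of bounds and `check_with_limit` accepts as 0x0..0xfff; the limit-based version also survives a 2^64-sized section, where the only quantity that does not fit in 64 bits is the resulting size, not the end address.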