From: "Michael S. Tsirkin" <mst@redhat.com>
To: qemu-devel@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>,
Jonathan Cameron <Jonathan.Cameron@huawei.com>,
Igor Mammedov <imammedo@redhat.com>,
Ani Sinha <anisinha@redhat.com>
Subject: [PULL 66/68] hmat acpi: Fix out of bounds access due to missing use of indirection
Date: Tue, 12 Mar 2024 18:29:04 -0400 [thread overview]
Message-ID: <74e2845c5f95b0c139c79233ddb65bb17f2dd679.1710282274.git.mst@redhat.com> (raw)
In-Reply-To: <cover.1710282274.git.mst@redhat.com>
From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
With a numa set up such as
-numa nodeid=0,cpus=0 \
-numa nodeid=1,memdev=mem \
-numa nodeid=2,cpus=1
and appropriate hmat_lb entries the initiator list is correctly
computed and writen to HMAT as 0,2 but then the LB data is accessed
using the node id (here 2), landing outside the entry_list array.
Stash the reverse lookup when writing the initiator list and use
it to get the correct array index index.
Fixes: 4586a2cb83 ("hmat acpi: Build System Locality Latency and Bandwidth Information Structure(s)")
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Message-Id: <20240307160326.31570-3-Jonathan.Cameron@huawei.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
hw/acpi/hmat.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/hw/acpi/hmat.c b/hw/acpi/hmat.c
index 8ea240878a..9b1662b6b8 100644
--- a/hw/acpi/hmat.c
+++ b/hw/acpi/hmat.c
@@ -78,6 +78,7 @@ static void build_hmat_lb(GArray *table_data, HMAT_LB_Info *hmat_lb,
uint32_t *initiator_list)
{
int i, index;
+ uint32_t initiator_to_index[MAX_NODES] = {};
HMAT_LB_Data *lb_data;
uint16_t *entry_list;
uint32_t base;
@@ -121,6 +122,8 @@ static void build_hmat_lb(GArray *table_data, HMAT_LB_Info *hmat_lb,
/* Initiator Proximity Domain List */
for (i = 0; i < num_initiator; i++) {
build_append_int_noprefix(table_data, initiator_list[i], 4);
+ /* Reverse mapping for array possitions */
+ initiator_to_index[initiator_list[i]] = i;
}
/* Target Proximity Domain List */
@@ -132,7 +135,8 @@ static void build_hmat_lb(GArray *table_data, HMAT_LB_Info *hmat_lb,
entry_list = g_new0(uint16_t, num_initiator * num_target);
for (i = 0; i < hmat_lb->list->len; i++) {
lb_data = &g_array_index(hmat_lb->list, HMAT_LB_Data, i);
- index = lb_data->initiator * num_target + lb_data->target;
+ index = initiator_to_index[lb_data->initiator] * num_target +
+ lb_data->target;
entry_list[index] = (uint16_t)(lb_data->data / hmat_lb->base);
}
--
MST
next prev parent reply other threads:[~2024-03-12 22:41 UTC|newest]
Thread overview: 80+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-12 22:25 [PULL 00/68] virtio,pc,pci: features, cleanups, fixes Michael S. Tsirkin
2024-03-12 22:25 ` [PULL 01/68] vdpa: add back vhost_vdpa_net_first_nc_vdpa Michael S. Tsirkin
2024-03-12 22:25 ` [PULL 02/68] vdpa: factor out vhost_vdpa_last_dev Michael S. Tsirkin
2024-03-12 22:25 ` [PULL 03/68] vdpa: factor out vhost_vdpa_net_get_nc_vdpa Michael S. Tsirkin
2024-03-12 22:25 ` [PULL 04/68] vdpa: add vhost_vdpa_set_address_space_id trace Michael S. Tsirkin
2024-03-12 22:25 ` [PULL 05/68] vdpa: add vhost_vdpa_get_vring_base trace for svq mode Michael S. Tsirkin
2024-03-12 22:25 ` [PULL 06/68] vdpa: add vhost_vdpa_set_dev_vring_base " Michael S. Tsirkin
2024-03-12 22:25 ` [PULL 07/68] vdpa: add trace events for vhost_vdpa_net_load_cmd Michael S. Tsirkin
2024-03-12 22:25 ` [PULL 08/68] vdpa: add trace event for vhost_vdpa_net_load_mq Michael S. Tsirkin
2024-03-12 22:25 ` [PULL 09/68] vdpa: define SVQ transitioning state for mode switching Michael S. Tsirkin
2024-03-12 22:25 ` [PULL 10/68] vdpa: indicate transitional state for SVQ switching Michael S. Tsirkin
2024-03-12 22:26 ` [PULL 11/68] vdpa: fix network breakage after cancelling migration Michael S. Tsirkin
2024-03-12 22:26 ` [PULL 12/68] libvhost-user: Dynamically allocate memory for memory slots Michael S. Tsirkin
2024-03-12 22:26 ` [PULL 13/68] libvhost-user: Bump up VHOST_USER_MAX_RAM_SLOTS to 509 Michael S. Tsirkin
2024-03-12 22:26 ` [PULL 14/68] libvhost-user: Factor out removing all mem regions Michael S. Tsirkin
2024-03-12 22:26 ` [PULL 15/68] libvhost-user: Merge vu_set_mem_table_exec_postcopy() into vu_set_mem_table_exec() Michael S. Tsirkin
2024-03-12 22:26 ` [PULL 16/68] libvhost-user: Factor out adding a memory region Michael S. Tsirkin
2024-03-12 22:26 ` [PULL 17/68] libvhost-user: No need to check for NULL when unmapping Michael S. Tsirkin
2024-03-12 22:26 ` [PULL 18/68] libvhost-user: Don't zero out memory for memory regions Michael S. Tsirkin
2024-03-12 22:26 ` [PULL 19/68] libvhost-user: Don't search for duplicates when removing " Michael S. Tsirkin
2024-03-12 22:26 ` [PULL 20/68] libvhost-user: Factor out search for memory region by GPA and simplify Michael S. Tsirkin
2024-03-12 22:26 ` [PULL 21/68] libvhost-user: Speedup gpa_to_mem_region() and vu_gpa_to_va() Michael S. Tsirkin
2024-03-12 22:26 ` [PULL 22/68] libvhost-user: Use most of mmap_offset as fd_offset Michael S. Tsirkin
2024-03-12 22:26 ` [PULL 23/68] libvhost-user: Factor out vq usability check Michael S. Tsirkin
2024-03-12 22:26 ` [PULL 24/68] libvhost-user: Dynamically remap rings after (temporarily?) removing memory regions Michael S. Tsirkin
2024-03-12 22:26 ` [PULL 25/68] libvhost-user: Mark mmap'ed region memory as MADV_DONTDUMP Michael S. Tsirkin
2024-03-12 22:26 ` [PULL 26/68] pcie: Support PCIe Gen5/Gen6 link speeds Michael S. Tsirkin
2024-03-12 22:26 ` [PULL 27/68] vdpa: stash memory region properties in vars Michael S. Tsirkin
2024-03-12 22:26 ` [PULL 28/68] vdpa: trace skipped memory sections Michael S. Tsirkin
2024-03-12 22:26 ` [PULL 29/68] hw/pci-bridge/pxb-cxl: Drop RAS capability from host bridge Michael S. Tsirkin
2024-03-12 22:27 ` [PULL 30/68] hw/audio/virtio-sound: return correct command response size Michael S. Tsirkin
2024-03-12 22:27 ` [PULL 31/68] hw/virtio: check owner for removing objects Michael S. Tsirkin
2024-03-12 22:27 ` [PULL 32/68] hw/virtio: Add support for VDPA network simulation devices Michael S. Tsirkin
2024-03-20 8:58 ` Paolo Bonzini
2024-03-20 13:12 ` Michael S. Tsirkin
2024-03-12 22:27 ` [PULL 33/68] hw/cxl/cxl-host: Fix missing ERRP_GUARD() in cxl_fixed_memory_window_config() Michael S. Tsirkin
2024-03-13 2:20 ` Zhao Liu
2024-03-12 22:27 ` [PULL 34/68] hw/display/macfb: Fix missing ERRP_GUARD() in macfb_nubus_realize() Michael S. Tsirkin
2024-03-13 2:23 ` Zhao Liu
2024-03-13 10:19 ` Philippe Mathieu-Daudé
2024-03-12 22:27 ` [PULL 35/68] hw/mem/cxl_type3: Fix missing ERRP_GUARD() in ct3_realize() Michael S. Tsirkin
2024-03-13 2:25 ` Zhao Liu
2024-03-12 22:27 ` [PULL 36/68] hw/misc/xlnx-versal-trng: Check returned bool in trng_prop_fault_event_set() Michael S. Tsirkin
2024-03-13 2:26 ` Zhao Liu
2024-03-12 22:27 ` [PULL 37/68] hw/pci-bridge/cxl_upstream: Fix missing ERRP_GUARD() in cxl_usp_realize() Michael S. Tsirkin
2024-03-13 2:28 ` Zhao Liu
2024-03-12 22:27 ` [PULL 38/68] hw/vfio/iommufd: Fix missing ERRP_GUARD() in iommufd_cdev_getfd() Michael S. Tsirkin
2024-03-13 2:39 ` Zhao Liu
2024-03-12 22:27 ` [PULL 39/68] hw/intc: Check @errp to handle the error of IOAPICCommonClass.realize() Michael S. Tsirkin
2024-03-13 2:37 ` Zhao Liu
2024-03-12 22:27 ` [PULL 40/68] Implement base of SMBIOS type 9 descriptor Michael S. Tsirkin
2024-03-12 22:27 ` [PULL 41/68] Implement SMBIOS type 9 v2.6 Michael S. Tsirkin
2024-03-12 22:27 ` [PULL 42/68] hw/nvme: Use pcie_sriov_num_vfs() Michael S. Tsirkin
2024-03-12 22:27 ` [PULL 43/68] pcie_sriov: Validate NumVFs Michael S. Tsirkin
2024-03-12 22:27 ` [PULL 44/68] pcie_sriov: Reset SR-IOV extended capability Michael S. Tsirkin
2024-03-12 22:27 ` [PULL 45/68] pcie_sriov: Do not reset NumVFs after disabling VFs Michael S. Tsirkin
2024-03-12 22:27 ` [PULL 46/68] hw/pci: Always call pcie_sriov_pf_reset() Michael S. Tsirkin
2024-03-12 22:27 ` [PULL 47/68] pc: q35: Bump max_cpus to 4096 vcpus Michael S. Tsirkin
2024-03-12 22:28 ` [PULL 48/68] Revert "hw/i386/pc_sysfw: Inline pc_system_flash_create() and remove it" Michael S. Tsirkin
2024-03-12 22:28 ` [PULL 49/68] Revert "hw/i386/pc: Confine system flash handling to pc_sysfw" Michael S. Tsirkin
2024-03-12 22:28 ` [PULL 50/68] hw/i386/pc: Remove "rtc_state" link again Michael S. Tsirkin
2024-03-12 22:28 ` [PULL 51/68] hw/i386/pc: Avoid one use of the current_machine global Michael S. Tsirkin
2024-03-12 22:28 ` [PULL 52/68] hw/i386/pc: Set "normal" boot device order in pc_basic_device_init() Michael S. Tsirkin
2024-03-12 22:28 ` [PULL 53/68] hw/i386/pc: Inline pc_cmos_init() into pc_cmos_init_late() and remove it Michael S. Tsirkin
2024-03-12 22:28 ` [PULL 54/68] qom: new object to associate device to NUMA node Michael S. Tsirkin
2024-03-12 22:28 ` [PULL 55/68] hw/acpi: Implement the SRAT GI affinity structure Michael S. Tsirkin
2024-03-12 22:28 ` [PULL 56/68] hw/i386/acpi-build: Add support for SRAT Generic Initiator structures Michael S. Tsirkin
2024-03-12 22:28 ` [PULL 57/68] virtio-iommu: Add a granule property Michael S. Tsirkin
2024-03-12 22:28 ` [PULL 58/68] virtio-iommu: Change the default granule to the host page size Michael S. Tsirkin
2024-03-12 22:28 ` [PULL 59/68] qemu-options.hx: Document the virtio-iommu-pci granule option Michael S. Tsirkin
2024-03-12 22:28 ` [PULL 60/68] virtio-iommu: Trace domain range limits as unsigned int Michael S. Tsirkin
2024-03-12 22:28 ` [PULL 61/68] virtio-iommu: Add an option to define the input range width Michael S. Tsirkin
2024-03-12 22:28 ` [PULL 62/68] hw/i386/q35: Set virtio-iommu aw-bits default value to 39 Michael S. Tsirkin
2024-03-12 22:28 ` [PULL 63/68] hw/arm/virt: Set virtio-iommu aw-bits default value to 48 Michael S. Tsirkin
2024-03-12 22:28 ` [PULL 64/68] qemu-options.hx: Document the virtio-iommu-pci aw-bits option Michael S. Tsirkin
2024-03-12 22:29 ` [PULL 65/68] hmat acpi: Do not add Memory Proximity Domain Attributes Structure targetting non existent memory Michael S. Tsirkin
2024-03-12 22:29 ` Michael S. Tsirkin [this message]
2024-03-12 22:29 ` [PULL 67/68] hw/cxl: Fix missing reserved data in CXL Device DVSEC Michael S. Tsirkin
2024-03-12 22:29 ` [PULL 68/68] docs/specs/pvpanic: document shutdown event Michael S. Tsirkin
2024-03-13 17:07 ` [PULL 00/68] virtio,pc,pci: features, cleanups, fixes Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=74e2845c5f95b0c139c79233ddb65bb17f2dd679.1710282274.git.mst@redhat.com \
--to=mst@redhat.com \
--cc=Jonathan.Cameron@huawei.com \
--cc=anisinha@redhat.com \
--cc=imammedo@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).