From: Paolo Bonzini
Subject: [PULL 05/31] memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"
Date: Wed, 24 Jun 2020 06:50:22 -0400
From: "Michael S. Tsirkin" <mst@redhat.com>
Memory API documentation documents valid .min_access_size and .max_access_size
fields and explains that any access outside these boundaries is blocked.
This is what devices seem to assume.

However, this is not what the implementation does: it simply
ignores the boundaries unless there's an "accepts" callback.
Naturally, this breaks a bunch of devices.

Revert to the documented behaviour.

Devices that want to allow any access can just drop the valid field,
or add the impl field to have accesses converted to appropriate
length.
Cc: qemu-stable@nongnu.org
Reviewed-by: Richard Henderson <rth@twiddle.net>
Fixes: CVE-2020-13754
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1842363
Fixes: a014ed07bd5a ("memory: accept mismatching sizes in memory_region_access_valid")
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20200610134731.1514409-1-mst@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
memory.c | 29 +++++++++--------------------
1 file changed, 9 insertions(+), 20 deletions(-)
diff --git a/memory.c b/memory.c
index 2f15a4b250..9200b20130 100644
--- a/memory.c
+++ b/memory.c
@@ -1352,35 +1352,24 @@ bool memory_region_access_valid(MemoryRegion *mr,
bool is_write,
MemTxAttrs attrs)
{
- int access_size_min, access_size_max;
- int access_size, i;
-
- if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
+ if (mr->ops->valid.accepts
+ && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) {
return false;
}
- if (!mr->ops->valid.accepts) {
- return true;
- }
-
- access_size_min = mr->ops->valid.min_access_size;
- if (!mr->ops->valid.min_access_size) {
- access_size_min = 1;
+ if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
+ return false;
}
- access_size_max = mr->ops->valid.max_access_size;
+ /* Treat zero as compatibility all valid */
if (!mr->ops->valid.max_access_size) {
- access_size_max = 4;
+ return true;
}
- access_size = MAX(MIN(size, access_size_max), access_size_min);
- for (i = 0; i < size; i += access_size) {
- if (!mr->ops->valid.accepts(mr->opaque, addr + i, access_size,
- is_write, attrs)) {
- return false;
- }
+ if (size > mr->ops->valid.max_access_size
+ || size < mr->ops->valid.min_access_size) {
+ return false;
}
-
return true;
}
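Review bot: the accepts() callback is now invoked before the size and alignment checks, so a device callback sees the raw `size` even when it lies outside the device's own declared [min_access_size, max_access_size] window (the removed loop only ever passed it an `access_size` clamped into that range); moving the `if (mr->ops->valid.accepts ...)` block below the new bounds check would let callbacks keep relying on the documented limits. Also, the early `return true` taken when max_access_size is zero skips a non-zero min_access_size as well, which the comment `/* Treat zero as compatibility all valid */` does not say; either spell out that both limits are ignored in that case or keep the min check active.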
--
2.26.2
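To make the difference the commit message describes concrete, here is an added example that is not part of this mail or of QEMU's code: a simplified model of both versions of the check, with AccessValid standing in for the .valid member of MemoryRegionOps and accepts reduced to an (addr, size) callback (both assumptions). A device that declares min = max = 4 and no accepts callback shows the problem: the reverted code lets a 1-byte access through, the restored code rejects it.

```c
/* Added example, not QEMU code: a stand-alone model of the two versions of
 * memory_region_access_valid() the commit message contrasts. AccessValid is
 * a simplified stand-in for the .valid member of QEMU's MemoryRegionOps. */
#include <stdbool.h>
#include <stdint.h>

typedef struct {
    unsigned min_access_size;                    /* 0 = not specified */
    unsigned max_access_size;                    /* 0 = not specified */
    bool unaligned;
    bool (*accepts)(uint64_t addr, unsigned size); /* NULL if none */
} AccessValid;

/* Reverted behaviour: without an accepts callback the declared window is
 * never consulted, so any aligned size passes. */
static bool valid_reverted(const AccessValid *v, uint64_t addr, unsigned size)
{
    if (!v->unaligned && (addr & (size - 1))) {
        return false;
    }
    if (!v->accepts) {
        return true;                      /* bounds silently ignored */
    }
    unsigned min = v->min_access_size ? v->min_access_size : 1;
    unsigned max = v->max_access_size ? v->max_access_size : 4;
    unsigned step = size > max ? max : size;
    if (step < min) step = min;
    for (unsigned i = 0; i < size; i += step) {   /* probe in chunks */
        if (!v->accepts(addr + i, step)) {
            return false;
        }
    }
    return true;
}

/* Documented behaviour restored by the patch: the declared window is
 * enforced for every device, whether or not it supplies accepts. */
static bool valid_restored(const AccessValid *v, uint64_t addr, unsigned size)
{
    if (v->accepts && !v->accepts(addr, size)) {
        return false;
    }
    if (!v->unaligned && (addr & (size - 1))) {
        return false;
    }
    if (!v->max_access_size) {
        return true;                      /* zero: any size, for compatibility */
    }
    return size <= v->max_access_size && size >= v->min_access_size;
}
```

A constructed device `{4, 4, false, NULL}` (dword-only registers, no callback) is the case to try: a 1- or 8-byte access passes valid_reverted but fails valid_restored, while an unaligned 4-byte access fails both.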