From: Eduardo Habkost <ehabkost@redhat.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: thomas.lendacky@amd.com, brijesh.singh@amd.com,
jejb@linux.ibm.com, tobin@ibm.com, qemu-devel@nongnu.org,
dgilbert@redhat.com, tobin@linux.ibm.com, berrange@redhat.com
Subject: Re: [PATCH v5] sev: add sev-inject-launch-secret
Date: Tue, 20 Oct 2020 09:54:44 -0400 [thread overview]
Message-ID: <20201020135444.GR5733@habkost.net> (raw)
In-Reply-To: <2f1be055-58c8-dcf8-debc-8956636d8ef8@redhat.com>
On Tue, Oct 20, 2020 at 11:03:51AM +0200, Paolo Bonzini wrote:
> On 15/10/20 16:37, tobin@linux.ibm.com wrote:
> > -static void *gpa2hva(MemoryRegion **p_mr, hwaddr addr, Error **errp)
> > +void *gpa2hva(MemoryRegion **p_mr, hwaddr addr, uint64_t size, Error **errp)
> > {
> > MemoryRegionSection mrs = memory_region_find(get_system_memory(),
> > - addr, 1);
> > + addr, size);
>
> You need to check size against mrs.size and fail if mrs.size is smaller.
> Otherwise, the ioctl can access memory out of range.
Good catch! I'm dequeuing it.
Is there a reason memory_region_find() doesn't ensure that by
default?
It looks like there's only one memory_region_find() call in the
code that doesn't expect the returned section to contain the
entire range (at platform_bus_map_mmio()). All the remaining
memory_region_find() calls either have size==1 (so it doesn't
matter) or have an extra check for MemoryRegionSection.size.
The call at virtio_balloon_handle_output() looks suspicious,
though, because it looks for a BALLOON_PAGE_SIZE range, but
there's no check for the returned section size.
--
Eduardo
next prev parent reply other threads:[~2020-10-20 13:56 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-15 14:37 [PATCH v5] sev: add sev-inject-launch-secret tobin
2020-10-15 14:44 ` Brijesh Singh
2020-10-19 14:56 ` Eduardo Habkost
2020-10-19 16:46 ` Eduardo Habkost
2020-10-19 16:47 ` Eduardo Habkost
2020-10-19 21:21 ` Tobin Feldman-Fitzthum
2020-10-20 9:03 ` Paolo Bonzini
2020-10-20 13:54 ` Eduardo Habkost [this message]
2020-10-20 15:56 ` Paolo Bonzini
2020-10-20 21:33 ` Tobin Feldman-Fitzthum
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201020135444.GR5733@habkost.net \
--to=ehabkost@redhat.com \
--cc=berrange@redhat.com \
--cc=brijesh.singh@amd.com \
--cc=dgilbert@redhat.com \
--cc=jejb@linux.ibm.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=thomas.lendacky@amd.com \
--cc=tobin@ibm.com \
--cc=tobin@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).