[Qemu-devel] [PATCH for-2.3 0/4] assorted s390x fixes

[Qemu-devel] [PATCH for-2.3 0/4] assorted s390x fixes

[Cornelia Huck]

Hi,

here's what I have pending for 2.3. Paolo noticed two small problems,
and I realized we have some bugs wrt accessing virtqueue indices
when I reviewed Jason's support for more virtqueues patchset.

I'm planning on sending a pull request on monday.

Cornelia Huck (3):
  virtio-ccw: fix range check for SET_VQ
  virtio-ccw: range check in READ_VQ_CONF
  s390x/ipl: avoid sign extension

Paolo Bonzini (1):
  s390x: do not include ram_addr.h

 hw/s390x/ipl.c        | 3 +--
 hw/s390x/virtio-ccw.c | 6 +++++-
 2 files changed, 6 insertions(+), 3 deletions(-)

-- 
2.3.4

[Qemu-devel] [PATCH for-2.3 1/4] virtio-ccw: fix range check for SET_VQ

[Cornelia Huck]

VIRTIO_PCI_QUEUE_MAX is already too big; a malicious guest would be
able to trigger a write beyond the VirtQueue structure.

Cc: qemu-stable@nongnu.org
Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
---
 hw/s390x/virtio-ccw.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/s390x/virtio-ccw.c b/hw/s390x/virtio-ccw.c
index 130535c..ceb6a45 100644
--- a/hw/s390x/virtio-ccw.c
+++ b/hw/s390x/virtio-ccw.c
@@ -266,7 +266,7 @@ static int virtio_ccw_set_vqs(SubchDev *sch, uint64_t addr, uint32_t align,
 {
     VirtIODevice *vdev = virtio_ccw_get_vdev(sch);
 
-    if (index > VIRTIO_PCI_QUEUE_MAX) {
+    if (index >= VIRTIO_PCI_QUEUE_MAX) {
         return -EINVAL;
     }
 
-- 
2.3.4

[Qemu-devel] [PATCH for-2.3 2/4] virtio-ccw: range check in READ_VQ_CONF

[Cornelia Huck]

Processing for READ_VQ_CONF needs to check whether the requested queue
value is actually in the supported range and post a channel program
check if not.

Cc: qemu-stable@nongnu.org
Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
---
 hw/s390x/virtio-ccw.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/s390x/virtio-ccw.c b/hw/s390x/virtio-ccw.c
index ceb6a45..d32ecaf 100644
--- a/hw/s390x/virtio-ccw.c
+++ b/hw/s390x/virtio-ccw.c
@@ -549,6 +549,10 @@ static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw)
             ret = -EFAULT;
         } else {
             vq_config.index = lduw_be_phys(&address_space_memory, ccw.cda);
+            if (vq_config.index >= VIRTIO_PCI_QUEUE_MAX) {
+                ret = -EINVAL;
+                break;
+            }
             vq_config.num_max = virtio_queue_get_num(vdev,
                                                      vq_config.index);
             stw_be_phys(&address_space_memory,
-- 
2.3.4

[Qemu-devel] [PATCH for-2.3 3/4] s390x: do not include ram_addr.h

[Cornelia Huck]

From: Paolo Bonzini <pbonzini@redhat.com>

ram_addr.h is an internal interface and it is not needed anyway by
hw/s390x/ipl.c.

Cc: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <1427295389-5054-1-git-send-email-pbonzini@redhat.com>
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
---
 hw/s390x/ipl.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c
index 54d0835..5c86613 100644
--- a/hw/s390x/ipl.c
+++ b/hw/s390x/ipl.c
@@ -14,7 +14,6 @@
 #include "sysemu/sysemu.h"
 #include "cpu.h"
 #include "elf.h"
-#include "exec/ram_addr.h"
 #include "hw/loader.h"
 #include "hw/sysbus.h"
 #include "hw/s390x/virtio-ccw.h"
-- 
2.3.4

[Qemu-devel] [PATCH for-2.3 4/4] s390x/ipl: avoid sign extension

[Cornelia Huck]

Make s390_update_iplstate() return uint32_t to avoid sign extensions
for cssids > 127. While this doesn't matter in practice yet (as
nobody supports MCSS-E and thus won't see the real cssid), play safe.

Reported-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Jason J. Herne <jjherne@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
---
 hw/s390x/ipl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c
index 5c86613..2e26d2a 100644
--- a/hw/s390x/ipl.c
+++ b/hw/s390x/ipl.c
@@ -218,7 +218,7 @@ static Property s390_ipl_properties[] = {
  * - -1 if no valid boot device was found
  * - ccw id of the boot device otherwise
  */
-static uint64_t s390_update_iplstate(CPUS390XState *env, S390IPLState *ipl)
+static uint32_t s390_update_iplstate(CPUS390XState *env, S390IPLState *ipl)
 {
     DeviceState *dev_st;
 
-- 
2.3.4

Re: [Qemu-devel] [PATCH for-2.3 1/4] virtio-ccw: fix range check for SET_VQ

[Christian Borntraeger]

Am 26.03.2015 um 16:35 schrieb Cornelia Huck:
> VIRTIO_PCI_QUEUE_MAX is already too big; a malicious guest would be
> able to trigger a write beyond the VirtQueue structure.
> 
> Cc: qemu-stable@nongnu.org
> Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>

> ---
>  hw/s390x/virtio-ccw.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/hw/s390x/virtio-ccw.c b/hw/s390x/virtio-ccw.c
> index 130535c..ceb6a45 100644
> --- a/hw/s390x/virtio-ccw.c
> +++ b/hw/s390x/virtio-ccw.c
> @@ -266,7 +266,7 @@ static int virtio_ccw_set_vqs(SubchDev *sch, uint64_t addr, uint32_t align,
>  {
>      VirtIODevice *vdev = virtio_ccw_get_vdev(sch);
> 
> -    if (index > VIRTIO_PCI_QUEUE_MAX) {
> +    if (index >= VIRTIO_PCI_QUEUE_MAX) {
>          return -EINVAL;
>      }
> 

Re: [Qemu-devel] [PATCH for-2.3 2/4] virtio-ccw: range check in READ_VQ_CONF

[Christian Borntraeger]

Am 26.03.2015 um 16:36 schrieb Cornelia Huck:
> Processing for READ_VQ_CONF needs to check whether the requested queue
> value is actually in the supported range and post a channel program
> check if not.
> 
> Cc: qemu-stable@nongnu.org
> Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>

> ---
>  hw/s390x/virtio-ccw.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/hw/s390x/virtio-ccw.c b/hw/s390x/virtio-ccw.c
> index ceb6a45..d32ecaf 100644
> --- a/hw/s390x/virtio-ccw.c
> +++ b/hw/s390x/virtio-ccw.c
> @@ -549,6 +549,10 @@ static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw)
>              ret = -EFAULT;
>          } else {
>              vq_config.index = lduw_be_phys(&address_space_memory, ccw.cda);
> +            if (vq_config.index >= VIRTIO_PCI_QUEUE_MAX) {
> +                ret = -EINVAL;
> +                break;
> +            }
>              vq_config.num_max = virtio_queue_get_num(vdev,
>                                                       vq_config.index);
>              stw_be_phys(&address_space_memory,
> 

Re: [Qemu-devel] [PATCH for-2.3 3/4] s390x: do not include ram_addr.h

[Thomas Huth]

Am Thu, 26 Mar 2015 16:36:01 +0100
schrieb Cornelia Huck <cornelia.huck@de.ibm.com>:

> From: Paolo Bonzini <pbonzini@redhat.com>
> 
> ram_addr.h is an internal interface and it is not needed anyway by
> hw/s390x/ipl.c.
> 
> Cc: Christian Borntraeger <borntraeger@de.ibm.com>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> Message-Id: <1427295389-5054-1-git-send-email-pbonzini@redhat.com>
> Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
> ---
>  hw/s390x/ipl.c | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c
> index 54d0835..5c86613 100644
> --- a/hw/s390x/ipl.c
> +++ b/hw/s390x/ipl.c
> @@ -14,7 +14,6 @@
>  #include "sysemu/sysemu.h"
>  #include "cpu.h"
>  #include "elf.h"
> -#include "exec/ram_addr.h"
>  #include "hw/loader.h"
>  #include "hw/sysbus.h"
>  #include "hw/s390x/virtio-ccw.h"

Uh, IIRC I temporarily played around with qemu_get_ram_ptr() when I
recently improved the BIOS loading in this file - and later forgot to
remove that include file again - sorry! So of course, it should not be
here. Thanks for cleaning it up!

Reviewed-by: Thomas Huth <huth@tuxfamily.org>