All of lore.kernel.org
 help / color / mirror / Atom feed
* [Qemu-devel] [PATCH 0/2] check VirtiQueue Vring objects
@ 2017-11-23 19:01 P J P
  2017-11-23 19:01 ` [Qemu-devel] [PATCH 1/2] virtio: check VirtQueue Vring object is set P J P
  2017-11-23 19:01 ` [Qemu-devel] [PATCH 2/2] tests: add test to check VirtQueue object P J P
  0 siblings, 2 replies; 5+ messages in thread
From: P J P @ 2017-11-23 19:01 UTC (permalink / raw)
  To: Qemu Developers; +Cc: Stefan Hajnoczi, zhangboxian, Prasad J Pandit

From: Prasad J Pandit <pjp@fedoraproject.org>

Hello,

An user could attempt to use an uninitialised VirtQueue object
or set Vring object with undue values, raising an unexpected
exception in Qemu. This patch set fixes this issue and also adds
a unit test to the suite.

Thank you.
--
Prasad J Pandit (2):
  virtio: check VirtQueue Vring object is set
  tests: add test to check VirtQueue object

 hw/virtio/virtio.c      | 11 ++++++++---
 tests/virtio-blk-test.c | 21 +++++++++++++++++++++
 2 files changed, 29 insertions(+), 3 deletions(-)

-- 
2.13.6

^ permalink raw reply	[flat|nested] 5+ messages in thread
* [Qemu-devel] [PATCH 1/2] virtio: check VirtQueue Vring object is set
  2017-11-23 19:01 [Qemu-devel] [PATCH 0/2] check VirtiQueue Vring objects P J P
@ 2017-11-23 19:01 ` P J P
  2017-11-23 23:39   ` Paolo Bonzini
  2017-11-23 19:01 ` [Qemu-devel] [PATCH 2/2] tests: add test to check VirtQueue object P J P
  1 sibling, 1 reply; 5+ messages in thread
From: P J P @ 2017-11-23 19:01 UTC (permalink / raw)
  To: Qemu Developers; +Cc: Stefan Hajnoczi, zhangboxian, Prasad J Pandit

From: Prasad J Pandit <pjp@fedoraproject.org>

An user could attempt to use an uninitialised VirtQueue object
or unset Vring.align leading to a arithmetic exception. Add check
to avoid it.

Reported-by: Zhangboxian <zhangboxian@huawei.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
 hw/virtio/virtio.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 5884ce3480..d961780384 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -182,7 +182,7 @@ void virtio_queue_update_rings(VirtIODevice *vdev, int n)
 {
     VRing *vring = &vdev->vq[n].vring;
 
-    if (!vring->desc) {
+    if (!vring->desc || !vring->align) {
         /* not yet setup -> nothing to do */
         return;
     }
@@ -1414,6 +1414,9 @@ void virtio_config_modern_writel(VirtIODevice *vdev,
 
 void virtio_queue_set_addr(VirtIODevice *vdev, int n, hwaddr addr)
 {
+    if (!vdev->vq[n].vring.num) {
+        return;
+    }
     vdev->vq[n].vring.desc = addr;
     virtio_queue_update_rings(vdev, n);
 }
@@ -1494,8 +1497,10 @@ void virtio_queue_set_align(VirtIODevice *vdev, int n, int align)
      */
     assert(k->has_variable_vring_alignment);
 
-    vdev->vq[n].vring.align = align;
-    virtio_queue_update_rings(vdev, n);
+    if (align) {
+        vdev->vq[n].vring.align = align;
+        virtio_queue_update_rings(vdev, n);
+    }
 }
 
 static bool virtio_queue_notify_aio_vq(VirtQueue *vq)
-- 
2.13.6

^ permalink raw reply related	[flat|nested] 5+ messages in thread
* [Qemu-devel] [PATCH 2/2] tests: add test to check VirtQueue object
  2017-11-23 19:01 [Qemu-devel] [PATCH 0/2] check VirtiQueue Vring objects P J P
  2017-11-23 19:01 ` [Qemu-devel] [PATCH 1/2] virtio: check VirtQueue Vring object is set P J P
@ 2017-11-23 19:01 ` P J P
  1 sibling, 0 replies; 5+ messages in thread
From: P J P @ 2017-11-23 19:01 UTC (permalink / raw)
  To: Qemu Developers; +Cc: Stefan Hajnoczi, zhangboxian, Prasad J Pandit

From: Prasad J Pandit <pjp@fedoraproject.org>

An uninitialised VirtQueue object or one with Vring.align field
set to zero(0) could lead to arithmetic exceptions. Add a unit
test to validate it.

Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
 tests/virtio-blk-test.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/tests/virtio-blk-test.c b/tests/virtio-blk-test.c
index e6fb9bac87..d00ceb0501 100644
--- a/tests/virtio-blk-test.c
+++ b/tests/virtio-blk-test.c
@@ -674,6 +674,26 @@ static void pci_hotplug(void)
     qtest_shutdown(qs);
 }
 
+static void test_vring_align(void)
+{
+    QPCIBar bar0;
+    QOSState *qs;
+    QPCIDevice *dev;
+
+    qs = pci_test_start();
+    dev = qpci_device_find(qs->pcibus, QPCI_DEVFN(4, 0));
+    g_assert(dev != NULL);
+
+    qpci_device_enable(dev);
+    bar0 = qpci_iomap(dev, 0, NULL);
+
+    qpci_io_writeb(dev, bar0, VIRTIO_PCI_QUEUE_SEL, 2);
+    qpci_io_writel(dev, bar0, VIRTIO_PCI_QUEUE_PFN, 1);
+
+    g_free(dev);
+    qtest_shutdown(qs);
+}
+
 static void mmio_basic(void)
 {
     QVirtioMMIODevice *dev;
@@ -724,6 +744,7 @@ int main(int argc, char **argv)
         qtest_add_func("/virtio/blk/pci/basic", pci_basic);
         qtest_add_func("/virtio/blk/pci/indirect", pci_indirect);
         qtest_add_func("/virtio/blk/pci/config", pci_config);
+        qtest_add_func("/virtio/blk/pci/vring", test_vring_align);
         if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) {
             qtest_add_func("/virtio/blk/pci/msix", pci_msix);
             qtest_add_func("/virtio/blk/pci/idx", pci_idx);
-- 
2.13.6

^ permalink raw reply related	[flat|nested] 5+ messages in thread
* Re: [Qemu-devel] [PATCH 1/2] virtio: check VirtQueue Vring object is set
  2017-11-23 19:01 ` [Qemu-devel] [PATCH 1/2] virtio: check VirtQueue Vring object is set P J P
@ 2017-11-23 23:39   ` Paolo Bonzini
  2017-11-24  7:59     ` P J P
  0 siblings, 1 reply; 5+ messages in thread
From: Paolo Bonzini @ 2017-11-23 23:39 UTC (permalink / raw)
  To: P J P, Qemu Developers; +Cc: zhangboxian, Stefan Hajnoczi, Prasad J Pandit

On 23/11/2017 20:01, P J P wrote:
> @@ -182,7 +182,7 @@ void virtio_queue_update_rings(VirtIODevice *vdev, int n)
>  {
>      VRing *vring = &vdev->vq[n].vring;
>  
> -    if (!vring->desc) {
> +    if (!vring->desc || !vring->align) {
>          /* not yet setup -> nothing to do */
>          return;
>      }
> @@ -1414,6 +1414,9 @@ void virtio_config_modern_writel(VirtIODevice *vdev,
>  
>  void virtio_queue_set_addr(VirtIODevice *vdev, int n, hwaddr addr)
>  {
> +    if (!vdev->vq[n].vring.num) {
> +        return;
> +    }

Why not check vring->num in virtio_queue_update_rings too?

Thanks,

Paolo

>      vdev->vq[n].vring.desc = addr;
>      virtio_queue_update_rings(vdev, n);
>  }

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [Qemu-devel] [PATCH 1/2] virtio: check VirtQueue Vring object is set
  2017-11-23 23:39   ` Paolo Bonzini
@ 2017-11-24  7:59     ` P J P
  0 siblings, 0 replies; 5+ messages in thread
From: P J P @ 2017-11-24  7:59 UTC (permalink / raw)
  To: Paolo Bonzini; +Cc: Qemu Developers, zhangboxian, Stefan Hajnoczi

+-- On Fri, 24 Nov 2017, Paolo Bonzini wrote --+
| Why not check vring->num in virtio_queue_update_rings too?

Yes, sent a revised patch v1. These checks seem to repeat through sequence of 
functions. I guess it'll help to do them in one place.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2017-11-24  7:59 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-11-23 19:01 [Qemu-devel] [PATCH 0/2] check VirtiQueue Vring objects P J P
2017-11-23 19:01 ` [Qemu-devel] [PATCH 1/2] virtio: check VirtQueue Vring object is set P J P
2017-11-23 23:39   ` Paolo Bonzini
2017-11-24  7:59     ` P J P
2017-11-23 19:01 ` [Qemu-devel] [PATCH 2/2] tests: add test to check VirtQueue object P J P

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.