From: David Gibson <david@gibson.dropbear.id.au>
To: David Hildenbrand <david@redhat.com>
Cc: dhildenb@redhat.com, imammedo@redhat.com, ehabkost@redhat.com,
	mst@redhat.com, pbonzini@redhat.com, qemu-devel@nongnu.org,
	qemu-ppc@nongnu.org
Subject: Re: [Qemu-devel] [RFC 2/5] virtio-balloon: Corrections to address verification
Date: Sat, 13 Oct 2018 17:25:20 +1100	[thread overview]
Message-ID: <20181013062520.GD16167@umbus.fritz.box> (raw)
In-Reply-To: <0ea22284-a019-4d6b-9951-976174248d5a@redhat.com>

On Fri, Oct 12, 2018 at 09:44:25AM +0200, David Hildenbrand wrote:
> On 12/10/2018 05:24, David Gibson wrote:
> > The virtio-balloon device's verification of the address given to it by the
> > guest has a number of faults:
> >     * The addresses here are guest physical addresses, which should be
> >       'hwaddr' rather than 'ram_addr_t' (the distinction is admittedly
> >       pretty subtle and confusing)
> >     * We don't check for section.mr being NULL, which is the main way that
> >       memory_region_find() reports basic failures.  We really need to check
> >       that before looking at any other section fields, because
> >       memory_region_find() doesn't initialize them on the failure path
> >     * We're passing a length of '1' to memory_region_find(), but really the
> >       guest is requesting that we put the entire page into the balloon,
> >       so it makes more sense to call it with BALLOON_PAGE_SIZE
> > 
> > Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
> > ---
> >  hw/virtio/virtio-balloon.c | 17 ++++++++++-------
> >  1 file changed, 10 insertions(+), 7 deletions(-)
> > 
> > diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
> > index 6ec4bcf4e1..e8611aab0e 100644
> > --- a/hw/virtio/virtio-balloon.c
> > +++ b/hw/virtio/virtio-balloon.c
> > @@ -221,17 +221,20 @@ static void virtio_balloon_handle_output(VirtIODevice *vdev, VirtQueue *vq)
> >          }
> >  
> >          while (iov_to_buf(elem->out_sg, elem->out_num, offset, &pfn, 4) == 4) {
> > -            ram_addr_t pa;
> > -            ram_addr_t addr;
> > +            hwaddr pa;
> > +            hwaddr addr;
> >              int p = virtio_ldl_p(vdev, &pfn);
> >  
> > -            pa = (ram_addr_t) p << VIRTIO_BALLOON_PFN_SHIFT;
> > +            pa = (hwaddr) p << VIRTIO_BALLOON_PFN_SHIFT;
> >              offset += 4;
> >  
> > -            /* FIXME: remove get_system_memory(), but how? */
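Review bot: the new `(hwaddr) p` cast on the `pa = ...` line sign-extends rather than zero-extends, because `p` is still declared `int` on the unchanged line above it while the value read by `iov_to_buf(..., &pfn, 4)` is a 32-bit unsigned PFN; a PFN with bit 31 set is negative in `p`, so the cast fills the upper 32 bits of `pa` before the shift and the resulting address has nothing to do with what the guest asked for (the `!section.mr` test later in the patch rejects it, but the guest's page is then silently skipped instead of ballooned). Declaring `p` as `uint32_t`, or casting through `(uint32_t)` first, keeps the widening zero-extending: `pa = (hwaddr)(uint32_t)p << VIRTIO_BALLOON_PFN_SHIFT;`.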
> 
> Should we leave that fixme? (on the other hand, virtio-balloon operates
> on all system memory, so I also don't really see a way around this ...)

Yeah, I took that out deliberately.  Given what this is supposed to be
doing, I can't really see how removing get_system_memory() is either
possible or desirable.

> > -            section = memory_region_find(get_system_memory(), pa, 1);
> > -            if (!int128_nz(section.size) ||
> > -                !memory_region_is_ram(section.mr) ||
> > +            section = memory_region_find(get_system_memory(), pa,
> > +                                         BALLOON_PAGE_SIZE);
> > +            if (!section.mr) {
> > +                trace_virtio_balloon_bad_addr(pa);
> > +                continue;
> > +            }
> > +            if (!memory_region_is_ram(section.mr) ||
> >                  memory_region_is_rom(section.mr) ||
> >                  memory_region_is_romd(section.mr)) {
> >                  trace_virtio_balloon_bad_addr(pa);
> > 
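Review bot: dropping `!int128_nz(section.size)` removes the only size check, yet the call now asks `memory_region_find()` for `BALLOON_PAGE_SIZE` bytes and the section it returns is clipped to the region that contains `pa`; a page that straddles the end of a RAM region therefore comes back with `section.size` smaller than `BALLOON_PAGE_SIZE` and still passes both the `!section.mr` test and the RAM/ROM tests, although the commit message says the guest is asking for the entire page to be ballooned. Checking the size next to the new NULL test, e.g. `if (!section.mr || int128_lt(section.size, int128_make64(BALLOON_PAGE_SIZE)))`, ensures the rest of the handler only ever sees a whole page. Testing `section.mr` before touching any other `section` field is the right order, since `memory_region_find()` leaves those fields uninitialised on failure.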
> 
> Reviewed-by: David Hildenbrand <david@redhat.com>
> 

-- 
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson
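The three address-verification points in the commit message (guest physical addresses as `hwaddr`, checking `section.mr` before any other section field, and asking for a whole `BALLOON_PAGE_SIZE` page), worked through in an added C example that is not QEMU code and not part of this thread. `Region`, `Section`, `find_region()` and `check_balloon_pfn()` are a constructed stand-in for `memory_region_find()` and the balloon handler with a made-up memory map; `pfn_to_pa_signed()` shows the sign-extension that a PFN held in a signed `int` produces under the `(hwaddr)` cast; and the section-size test at the end is an addition that the patch itself does not make (an assumption about what a full-page request should verify).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for QEMU's hwaddr and the balloon constants (assumed values). */
typedef uint64_t hwaddr;
#define VIRTIO_BALLOON_PFN_SHIFT 12
#define BALLOON_PAGE_SIZE ((hwaddr)1 << VIRTIO_BALLOON_PFN_SHIFT)

/* Toy memory map: a flat table standing in for QEMU's MemoryRegion tree. */
typedef struct {
    const char *name;
    hwaddr start;
    hwaddr size;
    bool is_ram;   /* what memory_region_is_ram() would report */
    bool is_rom;   /* memory_region_is_rom() / _romd() folded into one flag */
} Region;

/* Shape of memory_region_find()'s result: mr is NULL on failure and the
 * remaining fields are only meaningful when mr is set. */
typedef struct {
    const Region *mr;
    hwaddr offset_within_region;
    hwaddr size;   /* matched length, clipped to the end of the region */
} Section;

/* Constructed sample map: 2 GiB of low RAM, a 256 KiB ROM, 1 GiB of RAM
 * above 4 GiB, and a 6 KiB RAM region whose end is not page aligned. */
static const Region regions[] = {
    { "ram-low",  0x000000000ULL, 0x80000000ULL, true,  false },
    { "bios-rom", 0x0fffc0000ULL, 0x00040000ULL, false, true  },
    { "ram-high", 0x100000000ULL, 0x40000000ULL, true,  false },
    { "ram-odd",  0x200000000ULL, 0x00001800ULL, true,  false },
};

/* Mimics memory_region_find(addr, len): locate the region holding addr and
 * clip the returned size to what that region can actually provide. */
static Section find_region(hwaddr addr, hwaddr len)
{
    Section s = { NULL, 0, 0 };
    for (size_t i = 0; i < sizeof(regions) / sizeof(regions[0]); i++) {
        const Region *r = &regions[i];
        if (addr >= r->start && addr - r->start < r->size) {
            hwaddr avail = r->size - (addr - r->start);
            s.mr = r;
            s.offset_within_region = addr - r->start;
            s.size = len < avail ? len : avail;
            break;
        }
    }
    return s;
}

/* Pitfall: a 32-bit PFN parked in a signed int makes bit 31 the sign bit,
 * so the cast to the 64-bit hwaddr sign-extends and PFNs >= 2^31 turn
 * into addresses with the top bits set. */
static hwaddr pfn_to_pa_signed(uint32_t raw_pfn)
{
    int p = (int)raw_pfn;
    return (hwaddr)p << VIRTIO_BALLOON_PFN_SHIFT;
}

/* Correct form: keep the PFN unsigned so the widening zero-extends. */
static hwaddr pfn_to_pa(uint32_t pfn)
{
    return (hwaddr)pfn << VIRTIO_BALLOON_PFN_SHIFT;
}

typedef enum {
    BALLOON_OK,            /* a whole page of RAM: safe to balloon */
    BALLOON_BAD_ADDR,      /* lookup failed: section.mr is NULL */
    BALLOON_NOT_RAM,       /* ROM, ROMD or MMIO: refuse */
    BALLOON_PARTIAL_PAGE   /* page straddles the end of a region */
} BalloonVerdict;

/* Validate one guest PFN in the patch's order: mr before any other section
 * field, then the region type, then (added here) the matched size. */
static BalloonVerdict check_balloon_pfn(uint32_t pfn)
{
    hwaddr pa = pfn_to_pa(pfn);
    Section section = find_region(pa, BALLOON_PAGE_SIZE);

    if (!section.mr) {
        return BALLOON_BAD_ADDR;
    }
    if (!section.mr->is_ram || section.mr->is_rom) {
        return BALLOON_NOT_RAM;
    }
    if (section.size < BALLOON_PAGE_SIZE) {
        return BALLOON_PARTIAL_PAGE;
    }
    return BALLOON_OK;
}

int main(void)
{
    static const uint32_t pfns[] = { 0x100, 0x80000, 0xfffc0, 0x100000, 0x200001 };
    for (size_t i = 0; i < sizeof(pfns) / sizeof(pfns[0]); i++) {
        printf("pfn 0x%x -> pa 0x%llx verdict %d\n", pfns[i],
               (unsigned long long)pfn_to_pa(pfns[i]), check_balloon_pfn(pfns[i]));
    }
    printf("pfn 0x80000000 via int: 0x%llx, via uint32_t: 0x%llx\n",
           (unsigned long long)pfn_to_pa_signed(0x80000000u),
           (unsigned long long)pfn_to_pa(0x80000000u));
    return 0;
}
```

The `ram-odd` region exists only to show why a size check matters once a full page is requested: the lookup for PFN 0x200001 succeeds and the region is RAM, so the two checks in the patch pass, but only 0x800 bytes of the page lie inside the region.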
