From: David Gibson <david@gibson.dropbear.id.au>
To: mst@redhat.com, qemu-devel@nongnu.org
Cc: qemu-ppc@nongnu.org, David Gibson <david@gibson.dropbear.id.au>,
	David Hildenbrand <david@redhat.com>
Subject: [Qemu-devel] [PATCH 2/5] virtio-balloon: Corrections to address verification
Date: Thu, 14 Feb 2019 15:39:13 +1100
Message-ID: <20190214043916.22128-3-david@gibson.dropbear.id.au>
In-Reply-To: <20190214043916.22128-1-david@gibson.dropbear.id.au>

The virtio-balloon device's verification of the address given to it by the
guest has a number of faults:
    * The addresses here are guest physical addresses, which should be
      'hwaddr' rather than 'ram_addr_t' (the distinction is admittedly
      pretty subtle and confusing)
    * We don't check for section.mr being NULL, which is the main way that
      memory_region_find() reports basic failures.  We really need to check
      that before looking at any other section fields, because
      memory_region_find() doesn't initialize them on the failure path
    * We're passing a length of '1' to memory_region_find(), but really the
      guest is requesting that we put the entire page into the balloon,
      so it makes more sense to call it with BALLOON_PAGE_SIZE

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
---
 hw/virtio/virtio-balloon.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
index 43af521884..eb357824d8 100644
--- a/hw/virtio/virtio-balloon.c
+++ b/hw/virtio/virtio-balloon.c
@@ -221,17 +221,20 @@ static void virtio_balloon_handle_output(VirtIODevice *vdev, VirtQueue *vq)
         }
 
         while (iov_to_buf(elem->out_sg, elem->out_num, offset, &pfn, 4) == 4) {
-            ram_addr_t pa;
-            ram_addr_t addr;
+            hwaddr pa;
+            hwaddr addr;
             int p = virtio_ldl_p(vdev, &pfn);
 
-            pa = (ram_addr_t) p << VIRTIO_BALLOON_PFN_SHIFT;
+            pa = (hwaddr) p << VIRTIO_BALLOON_PFN_SHIFT;
             offset += 4;
 
-            /* FIXME: remove get_system_memory(), but how? */
-            section = memory_region_find(get_system_memory(), pa, 1);
-            if (!int128_nz(section.size) ||
-                !memory_region_is_ram(section.mr) ||
+            section = memory_region_find(get_system_memory(), pa,
+                                         BALLOON_PAGE_SIZE);
+            if (!section.mr) {
+                trace_virtio_balloon_bad_addr(pa);
+                continue;
+            }
+            if (!memory_region_is_ram(section.mr) ||
                 memory_region_is_rom(section.mr) ||
                 memory_region_is_romd(section.mr)) {
                 trace_virtio_balloon_bad_addr(pa);
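Review bot: The replacement of `!int128_nz(section.size)` with `!section.mr` drops the only check on the returned section's size, while the lookup now requests `BALLOON_PAGE_SIZE` bytes; memory_region_find() can return a non-NULL `section.mr` whose `section.size` is shorter than the requested length when a region boundary falls inside the page, and neither of the two `continue` paths in this hunk rejects that case, so a partially-backed page would still reach the ballooning code. Consider keeping a size test alongside the NULL check, for example `if (!section.mr || int128_get64(section.size) < BALLOON_PAGE_SIZE)`. Separately, the `/* FIXME: remove get_system_memory(), but how? */` comment is deleted while the `get_system_memory()` call itself is retained in the new lines; either keep the comment or say in the commit message why it no longer applies.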
-- 
2.20.1
