* [Qemu-devel] [PATCH for-2.3 0/4] assorted s390x fixes
@ 2015-03-26 15:35 Cornelia Huck
From: Cornelia Huck @ 2015-03-26 15:35 UTC (permalink / raw)
To: qemu-devel; +Cc: Cornelia Huck, borntraeger, jfrei, agraf
Hi,
here's what I have pending for 2.3. Paolo noticed two small problems,
and I realized we have some bugs wrt accessing virtqueue indices
when I reviewed Jason's support for more virtqueues patchset.
I'm planning on sending a pull request on Monday.
Cornelia Huck (3):
virtio-ccw: fix range check for SET_VQ
virtio-ccw: range check in READ_VQ_CONF
s390x/ipl: avoid sign extension
Paolo Bonzini (1):
s390x: do not include ram_addr.h
hw/s390x/ipl.c | 3 +--
hw/s390x/virtio-ccw.c | 6 +++++-
2 files changed, 6 insertions(+), 3 deletions(-)
--
2.3.4
* [Qemu-devel] [PATCH for-2.3 1/4] virtio-ccw: fix range check for SET_VQ
From: Cornelia Huck @ 2015-03-26 15:35 UTC (permalink / raw)
To: qemu-devel; +Cc: Cornelia Huck, borntraeger, jfrei, agraf, qemu-stable
VIRTIO_PCI_QUEUE_MAX is already too big; a malicious guest would be
able to trigger a write beyond the VirtQueue structure.
Cc: qemu-stable@nongnu.org
Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
---
hw/s390x/virtio-ccw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/s390x/virtio-ccw.c b/hw/s390x/virtio-ccw.c
index 130535c..ceb6a45 100644
--- a/hw/s390x/virtio-ccw.c
+++ b/hw/s390x/virtio-ccw.c
@@ -266,7 +266,7 @@ static int virtio_ccw_set_vqs(SubchDev *sch, uint64_t addr, uint32_t align,
{
VirtIODevice *vdev = virtio_ccw_get_vdev(sch);
- if (index > VIRTIO_PCI_QUEUE_MAX) {
+ if (index >= VIRTIO_PCI_QUEUE_MAX) {
return -EINVAL;
}
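Review bot: the `>=` is the right bound here, since the commit message says the old `>` test let a guest write beyond the VirtQueue structure, which is exactly what index == VIRTIO_PCI_QUEUE_MAX does when the array has VIRTIO_PCI_QUEUE_MAX elements; the hunk does not show how `index` is declared (it is not among the parameters in the hunk header), so please confirm it is an unsigned type, otherwise a single upper-bound check would still let a negative value through.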
--
2.3.4
* [Qemu-devel] [PATCH for-2.3 2/4] virtio-ccw: range check in READ_VQ_CONF
From: Cornelia Huck @ 2015-03-26 15:36 UTC (permalink / raw)
To: qemu-devel; +Cc: Cornelia Huck, borntraeger, jfrei, agraf, qemu-stable
Processing for READ_VQ_CONF needs to check whether the requested queue
value is actually in the supported range and post a channel program
check if not.
Cc: qemu-stable@nongnu.org
Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
---
hw/s390x/virtio-ccw.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/hw/s390x/virtio-ccw.c b/hw/s390x/virtio-ccw.c
index ceb6a45..d32ecaf 100644
--- a/hw/s390x/virtio-ccw.c
+++ b/hw/s390x/virtio-ccw.c
@@ -549,6 +549,10 @@ static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw)
ret = -EFAULT;
} else {
vq_config.index = lduw_be_phys(&address_space_memory, ccw.cda);
+ if (vq_config.index >= VIRTIO_PCI_QUEUE_MAX) {
+ ret = -EINVAL;
+ break;
+ }
vq_config.num_max = virtio_queue_get_num(vdev,
vq_config.index);
stw_be_phys(&address_space_memory,
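Review bot: the commit message promises a channel program check for an out-of-range queue, but the hunk only sets `ret = -EINVAL` and breaks out before virtio_queue_get_num(); the mapping from -EINVAL to a program check lives outside these lines, so please confirm it, and a sentence in the commit message saying that -EINVAL is what produces the program check would make that explicit. Since this is the same bound that patch 1/4 checks in virtio_ccw_set_vqs(), a small shared helper would keep the two checks from drifting apart.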
--
2.3.4
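Added example (constructed here, not QEMU's code) covering the bound that patches 1/4 and 2/4 fix: a small C model of the SET_VQ and READ_VQ_CONF paths with the old `>` test beside the corrected one. QUEUE_MAX, VirtQueue's single field, index_ok_buggy/index_ok_fixed, set_vq, read_vq_conf and query_vq_num are all assumed names, and the two-byte big-endian index stands in for what lduw_be_phys() reads from ccw.cda.

```c
#include <errno.h>
#include <stdint.h>

/* Constructed model of the virtio-ccw queue table; QUEUE_MAX stands in for
 * VIRTIO_PCI_QUEUE_MAX and its value here is made up, not QEMU's. */
#define QUEUE_MAX 8
typedef struct { uint16_t num; } VirtQueue;   /* num: size for READ_VQ_CONF */
static VirtQueue vq[QUEUE_MAX];                /* the per-device VirtQueue array */

/* Pre-1/4 test: index == QUEUE_MAX passes and addresses vq[QUEUE_MAX],
 * one element past the end of the array. */
static int index_ok_buggy(uint16_t index) { return !(index > QUEUE_MAX); }

/* Corrected bound: only 0..QUEUE_MAX-1 name an existing queue. */
static int index_ok_fixed(uint16_t index) { return index < QUEUE_MAX; }

/* SET_VQ path: reject before the array is touched. */
static int set_vq(uint16_t index, uint16_t num)
{
    if (!index_ok_fixed(index)) {
        return -EINVAL;
    }
    vq[index].num = num;
    return 0;
}

/* READ_VQ_CONF path: the guest's 2-byte big-endian index (what lduw_be_phys()
 * reads from ccw.cda) is validated before the lookup, and the queue size goes
 * back big-endian (cf. stw_be_phys()). */
static int read_vq_conf(const uint8_t guest_index[2], uint8_t reply[2])
{
    uint16_t index = (uint16_t)(guest_index[0] << 8 | guest_index[1]);
    if (!index_ok_fixed(index)) {
        return -EINVAL;   /* the caller reports this as a program check */
    }
    reply[0] = (uint8_t)(vq[index].num >> 8);
    reply[1] = (uint8_t)(vq[index].num & 0xff);
    return 0;
}

/* Exercises read_vq_conf() with a host-order index: returns num or -EINVAL. */
static long query_vq_num(uint16_t index)
{
    uint8_t in[2] = { (uint8_t)(index >> 8), (uint8_t)index };
    uint8_t out[2] = { 0, 0 };
    int ret = read_vq_conf(in, out);
    return ret < 0 ? ret : (long)((out[0] << 8) | out[1]);
}
```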
* [Qemu-devel] [PATCH for-2.3 3/4] s390x: do not include ram_addr.h
From: Cornelia Huck @ 2015-03-26 15:36 UTC (permalink / raw)
To: qemu-devel; +Cc: Cornelia Huck, borntraeger, jfrei, agraf, Paolo Bonzini
From: Paolo Bonzini <pbonzini@redhat.com>
ram_addr.h is an internal interface and it is not needed anyway by
hw/s390x/ipl.c.
Cc: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <1427295389-5054-1-git-send-email-pbonzini@redhat.com>
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
---
hw/s390x/ipl.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c
index 54d0835..5c86613 100644
--- a/hw/s390x/ipl.c
+++ b/hw/s390x/ipl.c
@@ -14,7 +14,6 @@
#include "sysemu/sysemu.h"
#include "cpu.h"
#include "elf.h"
-#include "exec/ram_addr.h"
#include "hw/loader.h"
#include "hw/sysbus.h"
#include "hw/s390x/virtio-ccw.h"
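Review bot: none of the includes left in this hunk depend on exec/ram_addr.h, and hw/loader.h, which stays, is the interface device code should be using for image loading; it is worth one build of hw/s390x/ipl.c with the include gone to confirm that no symbol from ram_addr.h is still referenced elsewhere in the file, since the hunk only shows the include block.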
--
2.3.4
* [Qemu-devel] [PATCH for-2.3 4/4] s390x/ipl: avoid sign extension
From: Cornelia Huck @ 2015-03-26 15:36 UTC (permalink / raw)
To: qemu-devel; +Cc: Cornelia Huck, borntraeger, jfrei, agraf
Make s390_update_iplstate() return uint32_t to avoid sign extensions
for cssids > 127. While this doesn't matter in practice yet (as
nobody supports MCSS-E and thus won't see the real cssid), play safe.
Reported-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Jason J. Herne <jjherne@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
---
hw/s390x/ipl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c
index 5c86613..2e26d2a 100644
--- a/hw/s390x/ipl.c
+++ b/hw/s390x/ipl.c
@@ -218,7 +218,7 @@ static Property s390_ipl_properties[] = {
* - -1 if no valid boot device was found
* - ccw id of the boot device otherwise
*/
-static uint64_t s390_update_iplstate(CPUS390XState *env, S390IPLState *ipl)
+static uint32_t s390_update_iplstate(CPUS390XState *env, S390IPLState *ipl)
{
DeviceState *dev_st;
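Review bot: the doc comment kept above the signature (`- -1 if no valid boot device was found`) now needs a word: with a uint32_t return the failure value is 0xffffffff, and a caller that stores the result in a uint64_t and compares it with -1 will no longer recognise it (0xffffffff != 0xffffffffffffffff). Suggest either stating in the comment that the failure value is (uint32_t)-1 or checking that every caller keeps the result in a uint32_t.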
--
2.3.4
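Added example (constructed, not QEMU's code) for the sign-extension problem described in 4/4: the ccw id computed from 8-bit cssid/ssid fields, returned once as uint64_t and once as uint32_t. ccw_id_u64, ccw_id_u32, ccw_id_is_none, none_detected_via_u64 and CCW_ID_NONE are assumed names, and the field widths and the cssid << 24 | ssid << 16 | devno layout are assumptions about the real function.

```c
#include <stdint.h>

/* Constructed model of the s390_update_iplstate() return path, not QEMU's
 * code.  Assumption: cssid and ssid are 8-bit fields and the ccw id is
 * cssid << 24 | ssid << 16 | devno, with "-1" meaning no boot device. */
#define CCW_ID_NONE UINT32_C(0xffffffff)   /* (uint32_t)-1 */

/* Before the patch: the uint8_t fields are promoted to int, so the shifted
 * id is a 32-bit signed value.  For cssid > 127 bit 31 is set, and widening
 * that int to the uint64_t return type sign-extends it, filling the upper
 * 32 bits with ones.  The (int32_t) cast spells out that promotion without
 * relying on the undefined behaviour of shifting into the sign bit. */
static uint64_t ccw_id_u64(uint8_t cssid, uint8_t ssid, uint16_t devno)
{
    int32_t id = (int32_t)((uint32_t)cssid << 24 | (uint32_t)ssid << 16 | devno);
    return id;   /* implicit int32_t -> uint64_t conversion sign-extends */
}

/* After the patch: a uint32_t return keeps the id in 32 bits, so cssids
 * 128..255 come back unchanged. */
static uint32_t ccw_id_u32(uint8_t cssid, uint8_t ssid, uint16_t devno)
{
    return (uint32_t)cssid << 24 | (uint32_t)ssid << 16 | devno;
}

/* Caller-side check for the "-1" result: compare as an unsigned 32-bit value. */
static int ccw_id_is_none(uint32_t id)
{
    return id == CCW_ID_NONE;
}

/* The caller-side mistake to avoid: the 32-bit sentinel stored in a uint64_t
 * no longer equals (uint64_t)-1, so the "no device" case is missed. */
static int none_detected_via_u64(uint32_t id)
{
    uint64_t wide = id;
    return wide == (uint64_t)-1;
}
```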
* Re: [Qemu-devel] [PATCH for-2.3 1/4] virtio-ccw: fix range check for SET_VQ
From: Christian Borntraeger @ 2015-03-27 9:04 UTC (permalink / raw)
To: Cornelia Huck, qemu-devel; +Cc: jfrei, agraf, qemu-stable
On 26.03.2015 at 16:35, Cornelia Huck wrote:
> VIRTIO_PCI_QUEUE_MAX is already too big; a malicious guest would be
> able to trigger a write beyond the VirtQueue structure.
>
> Cc: qemu-stable@nongnu.org
> Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
> ---
> hw/s390x/virtio-ccw.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/s390x/virtio-ccw.c b/hw/s390x/virtio-ccw.c
> index 130535c..ceb6a45 100644
> --- a/hw/s390x/virtio-ccw.c
> +++ b/hw/s390x/virtio-ccw.c
> @@ -266,7 +266,7 @@ static int virtio_ccw_set_vqs(SubchDev *sch, uint64_t addr, uint32_t align,
> {
> VirtIODevice *vdev = virtio_ccw_get_vdev(sch);
>
> - if (index > VIRTIO_PCI_QUEUE_MAX) {
> + if (index >= VIRTIO_PCI_QUEUE_MAX) {
> return -EINVAL;
> }
>
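Review bot: the Ack covers an off-by-one that qemu-stable should take, but the same bound is only closed on the READ_VQ_CONF path by patch 2/4 of this series; a stable backport that picks up this hunk alone would leave one guest-controlled index path with the weaker check, so the two patches should travel together.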
* Re: [Qemu-devel] [PATCH for-2.3 2/4] virtio-ccw: range check in READ_VQ_CONF
From: Christian Borntraeger @ 2015-03-27 9:05 UTC (permalink / raw)
To: Cornelia Huck, qemu-devel; +Cc: jfrei, agraf, qemu-stable
On 26.03.2015 at 16:36, Cornelia Huck wrote:
> Processing for READ_VQ_CONF needs to check whether the requested queue
> value is actually in the supported range and post a channel program
> check if not.
>
> Cc: qemu-stable@nongnu.org
> Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
> ---
> hw/s390x/virtio-ccw.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/hw/s390x/virtio-ccw.c b/hw/s390x/virtio-ccw.c
> index ceb6a45..d32ecaf 100644
> --- a/hw/s390x/virtio-ccw.c
> +++ b/hw/s390x/virtio-ccw.c
> @@ -549,6 +549,10 @@ static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw)
> ret = -EFAULT;
> } else {
> vq_config.index = lduw_be_phys(&address_space_memory, ccw.cda);
> + if (vq_config.index >= VIRTIO_PCI_QUEUE_MAX) {
> + ret = -EINVAL;
> + break;
> + }
> vq_config.num_max = virtio_queue_get_num(vdev,
> vq_config.index);
> stw_be_phys(&address_space_memory,
>
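Review bot: since vq_config.index is loaded with lduw_be_phys() it is a 16-bit value, so the single upper-bound test against VIRTIO_PCI_QUEUE_MAX is sufficient here and no lower bound is needed; on the `break` path nothing is stored back to ccw.cda, so the guest never sees a partially filled vq_config, which is the right outcome for a rejected request.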
* Re: [Qemu-devel] [PATCH for-2.3 3/4] s390x: do not include ram_addr.h
From: Thomas Huth @ 2015-03-27 13:04 UTC (permalink / raw)
To: Cornelia Huck, qemu-devel; +Cc: borntraeger, jfrei, agraf, Paolo Bonzini
On Thu, 26 Mar 2015 16:36:01 +0100, Cornelia Huck <cornelia.huck@de.ibm.com> wrote:
> From: Paolo Bonzini <pbonzini@redhat.com>
>
> ram_addr.h is an internal interface and it is not needed anyway by
> hw/s390x/ipl.c.
>
> Cc: Christian Borntraeger <borntraeger@de.ibm.com>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> Message-Id: <1427295389-5054-1-git-send-email-pbonzini@redhat.com>
> Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
> ---
> hw/s390x/ipl.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c
> index 54d0835..5c86613 100644
> --- a/hw/s390x/ipl.c
> +++ b/hw/s390x/ipl.c
> @@ -14,7 +14,6 @@
> #include "sysemu/sysemu.h"
> #include "cpu.h"
> #include "elf.h"
> -#include "exec/ram_addr.h"
> #include "hw/loader.h"
> #include "hw/sysbus.h"
> #include "hw/s390x/virtio-ccw.h"
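Review bot: the removed include is dead as long as nothing else in ipl.c still calls into ram_addr.h, which the reply below confirms (the only use was an experiment with qemu_get_ram_ptr() that was already dropped); a short mention in the commit message of how the include got there, as a leftover of the BIOS-loading rework, would help anyone bisecting this file later.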
Uh, IIRC I temporarily played around with qemu_get_ram_ptr() when I
recently improved the BIOS loading in this file - and later forgot to
remove that include file again - sorry! So of course, it should not be
here. Thanks for cleaning it up!
Reviewed-by: Thomas Huth <huth@tuxfamily.org>