From: Stefan Hajnoczi <stefanha@redhat.com>
To: Elena Ufimtseva <elena.ufimtseva@oracle.com>
Cc: john.g.johnson@oracle.com, jag.raman@oracle.com,
swapnil.ingle@nutanix.com, john.levon@nutanix.com,
qemu-devel@nongnu.org, alex.williamson@redhat.com,
thanos.makatos@nutanix.com
Subject: Re: [PATCH RFC v2 14/16] vfio-user: dma read/write operations
Date: Wed, 8 Sep 2021 10:51:11 +0100
Message-ID: <YTiHj6TGg8tYJ7zE@stefanha-x1.localdomain>
In-Reply-To: <7b21118256af2cb3d0dfe45b1e4ef9683fabccb5.1629131628.git.elena.ufimtseva@oracle.com>
On Mon, Aug 16, 2021 at 09:42:47AM -0700, Elena Ufimtseva wrote:
> diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
> index 2c9fcb2fa9..29a874c066 100644
> --- a/hw/vfio/pci.c
> +++ b/hw/vfio/pci.c
> @@ -3406,11 +3406,72 @@ type_init(register_vfio_pci_dev_type)
> * vfio-user routines.
> */
>
> -static int vfio_user_pci_process_req(void *opaque, char *buf, VFIOUserFDs *fds)
> +static int vfio_user_dma_read(VFIOPCIDevice *vdev, VFIOUserDMARW *msg)
> {
> + PCIDevice *pdev = &vdev->pdev;
> + char *buf;
> + int size = msg->count + sizeof(VFIOUserDMARW);
The caller has only checked that hdr->size is large enough for
VFIOUserHdr, not VFIOUserDMARW. We must not access VFIOUserDMARW fields
until this has been checked.
Size should be size_t to avoid signedness issues.
Even then, this can overflow on 32-bit hosts so I suggest moving this
arithmetic expression below the msg->count > vfio_user_max_xfer() check.
That way it's clear that overflow cannot happen.
> +
> + if (msg->hdr.flags & VFIO_USER_NO_REPLY) {
> + return -EINVAL;
> + }
> + if (msg->count > vfio_user_max_xfer()) {
> + return -E2BIG;
> + }
Does vfio-user allow the request to be smaller than the reply? In other
words, is it okay that we're not checking msg->count against hdr->size?
> +
> + buf = g_malloc0(size);
> + memcpy(buf, msg, sizeof(*msg));
> +
> + pci_dma_read(pdev, msg->offset, buf + sizeof(*msg), msg->count);
The vfio-user spec doesn't go into errors but pci_dma_read() can return
errors. Hmm...
> +
> + vfio_user_send_reply(vdev->vbasedev.proxy, buf, size);
> + g_free(buf);
> return 0;
> }
>
> +static int vfio_user_dma_write(VFIOPCIDevice *vdev,
> + VFIOUserDMARW *msg)
> +{
> + PCIDevice *pdev = &vdev->pdev;
> + char *buf = (char *)msg + sizeof(*msg);
Or:
char *buf = msg->data;
> +
> + /* make sure transfer count isn't larger than the message data */
> + if (msg->count > msg->hdr.size - sizeof(*msg)) {
> + return -E2BIG;
> + }
msg->count cannot be accessed until we have checked that msg->hdr.size
is large enough for VFIOUserDMARW. Adding the check also eliminates the
underflow in the subtraction if msg->hdr.size was smaller than
sizeof(VFIOUserDMARW).
> +
> + pci_dma_write(pdev, msg->offset, buf, msg->count);
> +
> + if ((msg->hdr.flags & VFIO_USER_NO_REPLY) == 0) {
> + vfio_user_send_reply(vdev->vbasedev.proxy, (char *)msg,
> + sizeof(msg->hdr));
> + }
> + return 0;
> +}
> +
> +static int vfio_user_pci_process_req(void *opaque, char *buf, VFIOUserFDs *fds)
> +{
> + VFIOPCIDevice *vdev = opaque;
> + VFIOUserHdr *hdr = (VFIOUserHdr *)buf;
> + int ret;
> +
> + if (fds->recv_fds != 0) {
> + return -EINVAL;
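Review bot: in vfio_user_dma_read(), memcpy(buf, msg, sizeof(*msg)) copies the request header into the reply verbatim, so the reply's hdr.size still carries the request's size rather than `size` (and hdr.flags still carries the request's flags) unless vfio_user_send_reply() rewrites them; the reply header should be filled in explicitly before vfio_user_send_reply(vdev->vbasedev.proxy, buf, size). The same question raised for pci_dma_read() applies to pci_dma_write(pdev, msg->offset, buf, msg->count) in vfio_user_dma_write(): its return value is dropped and a success reply is sent regardless, so a failed DMA is invisible to the server.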
Where are the fds closed?
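The check ordering this review asks for (validate hdr.size against the full VFIOUserDMARW before reading any other field, bound count before doing size arithmetic, then compare count with the payload actually present), written out as an added example that is not part of the patch or of QEMU; the struct layouts, the VFIO_USER_NO_REPLY value and the 1024-byte max_xfer are simplified assumptions made here for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define VFIO_USER_NO_REPLY 0x10u  /* assumed flag value */

/* Simplified, assumed layouts; hdr.size covers the whole message. */
typedef struct { uint16_t id, command; uint32_t size, flags, error_reply; } VFIOUserHdr;
typedef struct {
    VFIOUserHdr hdr;
    uint64_t offset;
    uint32_t count;
    char data[];                  /* payload of a DMA write request */
} VFIOUserDMARW;

/* Validate a DMA read/write request from the untrusted server side. The
 * caller is assumed to have checked only that hdr.size matches the bytes
 * received and is at least sizeof(VFIOUserHdr). Returns -errno, or the
 * transfer size (header + count), computed in size_t after count has
 * been bounded so it cannot overflow on 32-bit hosts. */
static long vfio_user_dma_rw_validate(const VFIOUserDMARW *msg, bool is_write,
                                      size_t max_xfer)
{
    if (msg->hdr.size < sizeof(*msg)) {  /* before any other DMARW field */
        return -EINVAL;
    }
    if (msg->count > max_xfer) {         /* bound count before arithmetic */
        return -E2BIG;
    }
    /* hdr.size >= sizeof(*msg) here, so the subtraction cannot underflow. */
    if (is_write && msg->count > msg->hdr.size - sizeof(*msg)) {
        return -E2BIG;
    }
    if (!is_write && (msg->hdr.flags & VFIO_USER_NO_REPLY)) {
        return -EINVAL;                  /* a read must be able to reply */
    }
    return (long)(sizeof(*msg) + msg->count);
}

/* Construct a request with the given fields and run it through the
 * validator with max_xfer fixed at 1024 bytes. */
static long vfio_user_dma_rw_check(uint32_t hdr_size, uint32_t count,
                                   uint32_t flags, bool is_write)
{
    VFIOUserDMARW msg = { .hdr.size = hdr_size, .hdr.flags = flags,
                          .count = count };
    return vfio_user_dma_rw_validate(&msg, is_write, 1024);
}
```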