On 14/11/2018 02:38, Li Qiang wrote:
>
>
> Paolo Bonzini <address@hidden> wrote on Wednesday, 14 November 2018 at 02:27:
>
> On 13/11/2018 11:17, Kevin Wolf wrote:
> > On 13.11.2018 at 02:45, Li Qiang wrote:
> >> Ping.... what's the status of this patch?
> >>
> >> I see Kevin's new pr doesn't contain this patch.
> >
> > Oh, I thought you said that you wanted to fix this at a higher level so
> > that the problem is caught before even getting into nvme code? If you
> > don't, I can apply the patch for my next pull request.
>
> As far as I know the bug doesn't exist. Li Qiang, if you have a
> reproducer please send it.
>
>
> Hello Paolo,
> Though I've sent the debug information and ASAN output in the mail to
> address@hidden, I'm glad to provide it here.
> This is for read; I think the write is the same, but as the PoC is in
> userspace, the mmap can only map the exact size of the MMIO,
> so we can only write within the area. But if we use a module we can
> write outside of the MMIO, I think.
> The nvme device's parameter should be set to 'cmb_size_mb=2' and the PCI
> address may differ on your system.
Ok, thanks. I've created a reproducer using qtest (though I have to run
now and cannot post it properly).

The patch for the fix is simply:

So do you send this or me?

diff --git a/hw/block/nvme.c b/hw/block/nvme.c
index fc7dacb816..6385033af3 100644
--- a/hw/block/nvme.c
+++ b/hw/block/nvme.c
@@ -1192,7 +1192,7 @@ static const MemoryRegionOps nvme_cmb_ops = {
.write = nvme_cmb_write,
.endianness = DEVICE_LITTLE_ENDIAN,
.impl = {
- .min_access_size = 2,
+ .min_access_size = 1,
.max_access_size = 8,
},
};
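Review bot: the hunk has no commit message, and a one-character change to `.impl.min_access_size` in nvme_cmb_ops does not explain itself; the message should state the reason given in this thread, namely that the memory core clips an out-of-bounds 32-bit access at the last byte of a 2 MB CMB (cmb_size_mb=2) to the single remaining byte, but `.impl.min_access_size = 2` then widens it to a 2-byte access at offset 2097151 that runs one byte past the region, and that `.min_access_size = 1` lets the callback see the 1-byte access instead. It should also reference the qtest reproducer mentioned above. Since nvme_cmb_read/nvme_cmb_write are not in the hunk, it is worth confirming they handle a 1-byte size now that the core will hand them one.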
The memory subsystem _is_ recognizing the out-of-bounds 32-bit access,
but because min_access_size=2 it sends down a write at offset 2097151
and size 2.

Paolo

Thanks, this strengthens my understanding of the memory subsystem.

Thanks,
Li Qiang
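The two-step behaviour Paolo describes (the bus layer clips the 32-bit access to the one byte left in the region, then `.impl.min_access_size` widens it again) is easy to get wrong when reading MemoryRegionOps, so here is an added stand-alone model of it. This is example code written for this page, not QEMU's memory core or the nvme device; the function names `bus_clip`, `impl_adjust`, `dispatch` and `cmb_write`, the `access_record` struct and the 2 MiB region constant are this example's own assumptions (the region size matches `cmb_size_mb=2` from the reproducer).

```c
/* Added example: a model of how an MMIO access reaches a MemoryRegionOps
 * callback. NOT QEMU code; all names here are this example's own. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Assumption: a 2 MiB CMB, i.e. cmb_size_mb=2 as in the reproducer. */
#define CMB_SIZE_BYTES (2u << 20)

struct access_record {
    uint64_t addr;     /* offset handed to the device callback */
    unsigned size;     /* size handed to the device callback */
    bool     overrun;  /* addr + size runs past the region end */
};

/* Step 1, the bus layer: an access is only valid for the bytes that
 * remain inside the region, and is issued as a power-of-two size. A
 * 4-byte access at the last byte of the region is therefore clipped
 * to 1 byte. The caller must pass an addr inside the region. */
static unsigned bus_clip(uint64_t region_size, uint64_t addr, unsigned size)
{
    uint64_t remaining = region_size - addr;
    unsigned p = 1;
    if (remaining < size)
        size = (unsigned)remaining;
    while (p * 2 <= size)      /* pow2 floor of the clipped size */
        p *= 2;
    return p;
}

/* Step 2, the .impl adjustment: max(min(size, max_access), min_access).
 * With min_access == 2 a clipped 1-byte access is widened back to 2. */
static unsigned impl_adjust(unsigned size, unsigned min_access,
                            unsigned max_access)
{
    if (size > max_access)
        size = max_access;
    if (size < min_access)
        size = min_access;
    return size;
}

/* Steps 1+2 together: what the device callback is actually asked for. */
static struct access_record dispatch(uint64_t region_size, uint64_t addr,
                                     unsigned size, unsigned min_access,
                                     unsigned max_access)
{
    struct access_record r;
    unsigned clipped = bus_clip(region_size, addr, size);
    r.addr = addr;
    r.size = impl_adjust(clipped, min_access, max_access);
    r.overrun = (addr + r.size > region_size);
    return r;
}

/* Step 3, a guarded stand-in for the callback's memcpy into the CMB
 * buffer. Refuses (returns false) the range that an unguarded memcpy
 * would write past the buffer, which is what ASAN reported. */
static bool cmb_write(uint8_t *cmbuf, uint64_t region_size,
                      uint64_t addr, uint64_t data, unsigned size)
{
    if (addr + size > region_size)
        return false;
    memcpy(cmbuf + addr, &data, size);
    return true;
}

int main(void)
{
    static uint8_t cmbuf[CMB_SIZE_BYTES];
    uint64_t last = CMB_SIZE_BYTES - 1;
    unsigned mins[2] = { 2, 1 };   /* before and after the patch */

    for (int i = 0; i < 2; i++) {
        struct access_record r = dispatch(CMB_SIZE_BYTES, last, 4, mins[i], 8);
        bool ok = cmb_write(cmbuf, CMB_SIZE_BYTES, r.addr, 0x41414141u, r.size);
        printf("min_access_size=%u: callback gets offset %llu size %u -> %s\n",
               mins[i], (unsigned long long)r.addr, r.size,
               ok ? "in bounds" : "OUT OF BOUNDS");
    }
    return 0;
}
```

Run as is it prints the offset 2097151 / size 2 case for `min_access_size=2` and the in-bounds offset 2097151 / size 1 case for `min_access_size=1`. The point of keeping `bus_clip` and `impl_adjust` separate is that the first one is the "recognized" out-of-bounds check and is correct on its own; it is the second one, driven by the device's `.impl` declaration, that reintroduces the overrun.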