[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH for v2.4.1] exec: fix a glitch in checking dma r

From: P J P
Subject: Re: [Qemu-devel] [PATCH for v2.4.1] exec: fix a glitch in checking dma r/w access
Date: Mon, 25 Jan 2016 23:49:41 +0530 (IST)

+-- On Mon, 25 Jan 2016, Paolo Bonzini wrote --+
| >  static inline bool memory_access_is_direct(MemoryRegion *mr, bool is_write)
| >  {
| >      if (memory_region_is_ram(mr)) {
| > -        return !(is_write && mr->readonly);
| > +        return (is_write && !mr->readonly);
| Read or write?        Readonly?               Old             New
|    Read                 Yes                    T               F
|    Read                 No                     T               F
|    Write                Yes                    F               F
|    Write                No                     T               T
| This patch changes behavior for reads (is_write=false).  For
| address_space_read, this makes them go through a path that is at least
| 100 times slower (memory_region_dispatch_read instead of just a memcpy).
|  For address_space_map, it probably breaks everything that expects a
| single block of RAM to be mapped in a single step, for example virtio.
| So, how was this tested, and how can the bug be triggered?

  The bug was triggered if 'addr' in 'read_dword()' is set by user(ex. 
0xffffffff). The MemoryRegion section(*mr) could point to host memory area, 
which is then copied by memcpy(2) call. This leads to the said issue. The 
patch was tested using gdb(1).

  -> pci_dma_read
   -> pci_dma_rw
    -> dma_memory_rw
     -> dma_memory_rw_relaxed
      -> address_space_rw
       -> memcpy

Thank you.
Prasad J Pandit / Red Hat Product Security
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

reply via email to

[Prev in Thread] Current Thread [Next in Thread]