Re: [PATCH] hw/nvme: fix mmio read


From: Peter Maydell
Subject: Re: [PATCH] hw/nvme: fix mmio read
Date: Tue, 13 Jul 2021 11:31:24 +0100

On Tue, 13 Jul 2021 at 11:19, Klaus Jensen <its@irrelevant.dk> wrote:
>
> On Jul 13 11:07, Peter Maydell wrote:
> > Looking at the surrounding code, I notice that we guard this "read size bytes
> > from &n->bar + addr" with
> >     if (addr < sizeof(n->bar)) {
> >
> > but that doesn't account for 'size', so if the guest asks to read
> > 4 bytes starting at offset sizeof(n->bar)-1 then we'll still read
> > 3 bytes beyond the end of the buffer...
>
> The buffer is at least sizeof(n->bar) + 8 bytes (there are two doorbell
> registers following the controller registers). It is wrong for the host
> to read those, but as per the spec it is undefined behavior.

I don't know about the doorbell registers, but with this code
(or the old memcpy()) you'll access whatever the next thing after
"NvmeBar bar" in the NvmeCtrl struct is, which looks like it's the
first part of 'struct NvmeParams'.

thanks
-- PMM
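As an added illustration of the point made in this thread (this is example code, not code from the thread or from QEMU): a guard of the form `addr < sizeof(n->bar)` admits a read that starts inside the register block but runs past its end, and the fix is to check the whole range. The struct layout, sizes and field names below are assumptions standing in for NvmeBar/NvmeCtrl.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for the layout the thread describes: a register block
 * ("bar") directly followed by other controller state. Sizes and field names
 * are assumptions for this example, not QEMU's real NvmeBar/NvmeCtrl. */
typedef struct { uint8_t regs[64]; } FakeBar;
typedef struct {
    FakeBar bar;
    uint32_t params_first_word;   /* what a read past "bar" would expose */
} FakeCtrl;

/* Flawed guard as quoted in the thread: only the start offset is checked. */
static int read_guard_flawed(size_t addr, size_t size)
{
    (void)size;
    return addr < sizeof(FakeBar);
}

/* Fixed guard: the whole range [addr, addr + size) must lie inside bar.
 * Written as a subtraction so that addr + size cannot wrap around. */
static int read_guard_fixed(size_t addr, size_t size)
{
    return addr < sizeof(FakeBar) && size <= sizeof(FakeBar) - addr;
}

/* Copy 'size' bytes at 'addr' out of the register block if the guard allows.
 * Returns 1 if the read happened, 0 if it was rejected. */
static int mmio_read(const FakeCtrl *n, size_t addr, size_t size,
                     uint8_t *out, int (*guard)(size_t, size_t))
{
    if (!guard(addr, size)) {
        return 0;
    }
    memcpy(out, (const uint8_t *)&n->bar + addr, size);
    return 1;
}

/* Reproduce the over-read: a 4-byte read at sizeof(bar) - 1 passes the flawed
 * guard; returns 1 if the last 3 bytes came from the field after bar. */
static int flawed_guard_leaks_params(void)
{
    FakeCtrl n;
    uint8_t out[4];
    memset(&n, 0, sizeof(n));
    memset(n.bar.regs, 0x11, sizeof(n.bar.regs));
    n.params_first_word = 0xAABBCCDDu;
    return mmio_read(&n, sizeof(FakeBar) - 1, 4, out, read_guard_flawed)
        && out[0] == 0x11 && memcmp(out + 1, &n.params_first_word, 3) == 0;
}
```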
