[PULL 61/66] vhost: Fix false positive out-of-bounds
From: Michael S. Tsirkin
Subject: [PULL 61/66] vhost: Fix false positive out-of-bounds
Date: Mon, 10 Jul 2023 19:05:19 -0400
From: Hawkins Jiawei <yin31149@gmail.com>
QEMU uses vhost_svq_translate_addr() to translate addresses
between the QEMU's virtual address and the SVQ IOVA. In order
to validate this translation, QEMU checks whether the translated
range falls within the mapped range.
Yet the problem is that the value of `needle_last`, which is calculated
by `needle.translated_addr + iovec[i].iov_len`, should represent the
exclusive boundary of the translated range, rather than the last
inclusive address of the range. Consequently, QEMU fails the check
when the translated range matches the size of the mapped range.
This patch solves this problem by fixing the `needle_last` value to
the last inclusive address of the translated range.
Note that this bug cannot be triggered at the moment, because QEMU
is unable to translate such a big range due to the truncation of
the CVQ command in vhost_vdpa_net_handle_ctrl_avail().
Fixes: 34e3c94eda ("vdpa: Add custom IOTLB translations to SVQ")
Signed-off-by: Hawkins Jiawei <yin31149@gmail.com>
Message-Id: <ee31c5420ffc8e6a29705ddd30badb814ddbae1d.1688743107.git.yin31149@gmail.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
hw/virtio/vhost-shadow-virtqueue.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/virtio/vhost-shadow-virtqueue.c
b/hw/virtio/vhost-shadow-virtqueue.c
index 1b1d85306c..49e5aed931 100644
--- a/hw/virtio/vhost-shadow-virtqueue.c
+++ b/hw/virtio/vhost-shadow-virtqueue.c
@@ -111,7 +111,7 @@ static bool vhost_svq_translate_addr(const
VhostShadowVirtqueue *svq,
addrs[i] = map->iova + off;
needle_last = int128_add(int128_make64(needle.translated_addr),
- int128_make64(iovec[i].iov_len));
+ int128_makes64(iovec[i].iov_len - 1));
map_last = int128_make64(map->translated_addr + map->size);
if (unlikely(int128_gt(needle_last, map_last))) {
qemu_log_mask(LOG_GUEST_ERROR,
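Review bot: the switch from int128_make64 to int128_makes64 on the `+` line is not explained in the commit message and changes behaviour for iov_len == 0: `iovec[i].iov_len - 1` wraps to SIZE_MAX, which int128_makes64 reinterprets as -1, so needle_last lands one byte before needle.translated_addr and the check passes, whereas the unsigned form would have rejected the empty iovec. If zero-length iovecs are filtered out before this point, say so in the message; otherwise guard `iov_len == 0` before the subtraction. The unchanged context line `map_last = int128_make64(map->translated_addr + map->size);` is only consistent with an inclusive needle_last if map->size is itself inclusive; a one-line comment there would save the next reader from re-deriving which convention each side uses.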
--
MST
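The off-by-one described in the commit message, as an added illustration that is not QEMU's code: a mapping is modelled by its first and inclusive last address (the convention the fix implies for the SVQ map), the needle is a (start, length) pair like an iovec, and the buggy and fixed checks sit side by side. The type and function names are hypothetical; the fixed form also rejects zero-length needles and address wrap-around instead of folding them into a bogus boundary.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical mapping descriptor (not QEMU's DMAMap): first and
 * inclusive last address of the mapped range. */
typedef struct {
    uint64_t first;
    uint64_t last;   /* inclusive */
} range_t;

/* Inclusive last address of a (start, len) pair. Returns false for
 * len == 0 or on 64-bit wrap-around, so callers cannot compare a
 * meaningless boundary. */
static bool range_last_inclusive(uint64_t start, size_t len, uint64_t *last)
{
    uint64_t end;
    if (len == 0) {
        return false;
    }
    if (__builtin_add_overflow(start, (uint64_t)len - 1, &end)) {
        return false;
    }
    *last = end;
    return true;
}

/* Buggy form from the commit message: the needle end is exclusive
 * (start + len) but is compared against an inclusive map end, so a
 * needle that exactly fills the mapping is rejected. */
static bool needle_fits_buggy(const range_t *map, uint64_t start, size_t len)
{
    uint64_t needle_last_excl = start + len;   /* exclusive end, may wrap */
    return start >= map->first && !(needle_last_excl > map->last);
}

/* Fixed form: both sides use the inclusive last address. */
static bool needle_fits(const range_t *map, uint64_t start, size_t len)
{
    uint64_t needle_last;
    if (!range_last_inclusive(start, len, &needle_last)) {
        return false;
    }
    return start >= map->first && needle_last <= map->last;
}

int main(void)
{
    /* Constructed sample: a 4 KiB mapping at 0x1000. */
    range_t map = { 0x1000, 0x1fff };

    printf("exact fit, buggy check : %d\n", needle_fits_buggy(&map, 0x1000, 4096));
    printf("exact fit, fixed check : %d\n", needle_fits(&map, 0x1000, 4096));
    printf("one byte too long      : %d\n", needle_fits(&map, 0x1000, 4097));
    printf("zero-length needle     : %d\n", needle_fits(&map, 0x1000, 0));
    printf("wrap-around needle     : %d\n", needle_fits(&map, UINT64_MAX, 2));
    return 0;
}
```

The buggy and fixed checks differ only for a needle that ends exactly at the mapping's last byte, which is the case the patch targets; the extra rejections for empty and wrapping needles are defensive choices of this example, not behaviour the patch adds.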