[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH 3/9] pci: Make bounds checks on config space acc
|
From: |
Michael S. Tsirkin |
|
Subject: |
Re: [Qemu-devel] [PATCH 3/9] pci: Make bounds checks on config space accesses actually work |
|
Date: |
Thu, 12 Jan 2012 15:33:24 +0200 |
|
User-agent: |
Mutt/1.5.21 (2010-09-15) |
On Thu, Jan 12, 2012 at 02:19:59PM +0100, Alexander Graf wrote:
> On 01/12/2012 06:46 AM, David Gibson wrote:
> >The pci_host_config_{read,write}_common() functions perform PCI config
> >accesses. They take a limit parameter which they appear to be supposed
> >to bounds check against, however the bounds checking logic, such as it is,
> >is completely broken.
> >
> >Currently, it takes the minimum of the supplied length and the remaining
> >space in the region and passes that as the length to the underlying
> >config_{read,write} function pointer. This means that accesses which
> >partially overrun the region will be silently truncated - which makes
> >little sense. Accesses which entirely overrun the region will *not*
> >be blocked (an exploitable bug), because in that case (limit - addr) will
> >be negative and so the unsigned MIN will always return len instead. Even
> >if signed arithmetic was used, the config_{read,write} callback wouldn't
> >know what to do with a negative len parameter.
> >
> >This patch handles things more sanely by simply ignoring writes which
> >overrun, and returning -1 for reads, which is the usual hardware convention
> >for reads to unpopulated IO regions.
> >
> >Signed-off-by: David Gibson<address@hidden>
>
> Michael, please ack or apply yourself. I'll cache this in my tree
> regardless so it doesn't get lost.
>
>
> Alex
I'd like to understand the bug a bit.
> >---
> > hw/pci_host.c | 10 ++++++++--
> > 1 files changed, 8 insertions(+), 2 deletions(-)
> >
> >diff --git a/hw/pci_host.c b/hw/pci_host.c
> >index 44c6c20..16b3ac3 100644
> >--- a/hw/pci_host.c
> >+++ b/hw/pci_host.c
> >@@ -51,14 +51,20 @@ void pci_host_config_write_common(PCIDevice *pci_dev,
> >uint32_t addr,
> > uint32_t limit, uint32_t val, uint32_t
> > len)
> > {
> > assert(len<= 4);
> >- pci_dev->config_write(pci_dev, addr, val, MIN(len, limit - addr));
> >+ if ((addr + len)<= limit) {
> >+ pci_dev->config_write(pci_dev, addr, val, len);
> >+ }
> > }
> >
> > uint32_t pci_host_config_read_common(PCIDevice *pci_dev, uint32_t addr,
> > uint32_t limit, uint32_t len)
> > {
> > assert(len<= 4);
> >- return pci_dev->config_read(pci_dev, addr, MIN(len, limit - addr));
> >+ if ((addr + len)<= limit) {
> >+ return pci_dev->config_read(pci_dev, addr, len);
> >+ } else {
> >+ return ~0x0;
> >+ }
> > }
> >
> > void pci_data_write(PCIBus *s, uint32_t addr, uint32_t val, int len)
>
- [Qemu-devel] [0/9] Bugfixes and pseries enhancements, David Gibson, 2012/01/12
- [Qemu-devel] [PATCH 5/9] Correct types in bmdma_addr_{read,write}, David Gibson, 2012/01/12
- [Qemu-devel] [PATCH 7/9] pseries: Use correct dispatcher for PCI config space accesses, David Gibson, 2012/01/12
- [Qemu-devel] [PATCH 1/9] load_image_targphys() should enforce the max size, David Gibson, 2012/01/12
- [Qemu-devel] [PATCH 2/9] Fix dirty logging with 32-bit qemu & 64-bit guests, David Gibson, 2012/01/12
- [Qemu-devel] [PATCH 6/9] pseries: Support PCI extended config space in RTAS calls, David Gibson, 2012/01/12
- [Qemu-devel] [PATCH 8/9] pseries: Don't try to munmap() a malloc()ed TCE table, David Gibson, 2012/01/12
- [Qemu-devel] [PATCH 4/9] Update gitignore file, David Gibson, 2012/01/12
- [Qemu-devel] [PATCH 3/9] pci: Make bounds checks on config space accesses actually work, David Gibson, 2012/01/12
[Qemu-devel] [PATCH 9/9] pseries: SLOF PCI flag day, David Gibson, 2012/01/12
Re: [Qemu-devel] [0/9] Bugfixes and pseries enhancements, Alexander Graf, 2012/01/13