Re: [PATCH RESEND 1/3] vfio/pci: fix a null pointer reference in vfio

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH RESEND 1/3] vfio/pci: fix a null pointer reference in vfio_ro

From:	Alex Williamson
Subject:	Re: [PATCH RESEND 1/3] vfio/pci: fix a null pointer reference in vfio_rom_read
Date:	Mon, 24 Feb 2020 09:04:58 -0700

On Mon, 24 Feb 2020 14:42:17 +0800
"Longpeng(Mike)" <address@hidden> wrote:

> From: Longpeng <address@hidden>
> 
> vfio_pci_load_rom() maybe failed and then the vdev->rom is NULL in
> some situation (though I've not encountered yet), maybe we should
> avoid the VM abort.
> 
> Signed-off-by: Longpeng <address@hidden>
> ---
>  hw/vfio/pci.c | 13 ++++++++-----
>  1 file changed, 8 insertions(+), 5 deletions(-)
> 
> diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
> index 5e75a95..ed798ae 100644
> --- a/hw/vfio/pci.c
> +++ b/hw/vfio/pci.c
> @@ -768,7 +768,7 @@ static void vfio_update_msi(VFIOPCIDevice *vdev)
>      }
>  }
>  
> -static void vfio_pci_load_rom(VFIOPCIDevice *vdev)
> +static bool vfio_pci_load_rom(VFIOPCIDevice *vdev)
>  {
>      struct vfio_region_info *reg_info;
>      uint64_t size;
> @@ -778,7 +778,7 @@ static void vfio_pci_load_rom(VFIOPCIDevice *vdev)
>      if (vfio_get_region_info(&vdev->vbasedev,
>                               VFIO_PCI_ROM_REGION_INDEX, &reg_info)) {
>          error_report("vfio: Error getting ROM info: %m");
> -        return;
> +        return false;
>      }
>  
>      trace_vfio_pci_load_rom(vdev->vbasedev.name, (unsigned 
> long)reg_info->size,
> @@ -797,7 +797,7 @@ static void vfio_pci_load_rom(VFIOPCIDevice *vdev)
>          error_printf("Device option ROM contents are probably invalid "
>                      "(check dmesg).\nSkip option ROM probe with rombar=0, "
>                      "or load from file with romfile=\n");
> -        return;
> +        return false;
>      }
>  
>      vdev->rom = g_malloc(size);
> @@ -849,6 +849,8 @@ static void vfio_pci_load_rom(VFIOPCIDevice *vdev)
>              data[6] = -csum;
>          }
>      }
> +
> +    return true;
>  }
>  
>  static uint64_t vfio_rom_read(void *opaque, hwaddr addr, unsigned size)
> @@ -863,8 +865,9 @@ static uint64_t vfio_rom_read(void *opaque, hwaddr addr, 
> unsigned size)
>      uint64_t data = 0;
>  
>      /* Load the ROM lazily when the guest tries to read it */
> -    if (unlikely(!vdev->rom && !vdev->rom_read_failed)) {
> -        vfio_pci_load_rom(vdev);
> +    if (unlikely(!vdev->rom && !vdev->rom_read_failed) &&
> +        !vfio_pci_load_rom(vdev)) {
> +        return 0;
>      }
>  
>      memcpy(&val, vdev->rom + addr,

Looks like an obvious bug, until you look at the rest of this memcpy():

memcpy(&val, vdev->rom + addr,
           (addr < vdev->rom_size) ? MIN(size, vdev->rom_size - addr) : 0);

IOW, we'll do a zero sized memcpy() if rom_size is zero, so there's no
risk of the concern identified in the commit log.  This patch is
unnecessary.  Thanks,

Alex

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH RESEND 0/3] fix some warnings by static code scan tool, Longpeng(Mike), 2020/02/24
- [PATCH RESEND 2/3] vhost: fix a null pointer reference of vhost_log, Longpeng(Mike), 2020/02/24
- [PATCH RESEND 1/3] vfio/pci: fix a null pointer reference in vfio_rom_read, Longpeng(Mike), 2020/02/24
  - Re: [PATCH RESEND 1/3] vfio/pci: fix a null pointer reference in vfio_rom_read, Alex Williamson <=
    - Re: [PATCH RESEND 1/3] vfio/pci: fix a null pointer reference in vfio_rom_read, Longpeng (Mike, Cloud Infrastructure Service Product Dept.), 2020/02/24
- [PATCH RESEND 3/3] util/pty: fix a null pointer reference in qemu_openpty_raw, Longpeng(Mike), 2020/02/24

Prev by Date: Re: [PATCH v2 00/20] Add qemu-storage-daemon
Next by Date: Re: [PATCH 3/3] qemu-img: Deprecate use of -b without -F
Previous by thread: [PATCH RESEND 1/3] vfio/pci: fix a null pointer reference in vfio_rom_read
Next by thread: Re: [PATCH RESEND 1/3] vfio/pci: fix a null pointer reference in vfio_rom_read
Index(es):
- Date
- Thread