[PULL 43/91] virtio-iommu: add error check before assert
From: Michael S. Tsirkin
Subject: [PULL 43/91] virtio-iommu: add error check before assert
Date: Tue, 2 Jul 2024 10:09:09 -0400
From: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
A fuzzer case discovered by Zheyu Ma causes an assert failure.
Add a check before the assert, and respond with an error before moving
on to the next queue element.
To reproduce the failure:
cat << EOF | \
qemu-system-x86_64 \
-display none -machine accel=qtest -m 512M -machine q35 -nodefaults \
-device virtio-iommu -qtest stdio
outl 0xcf8 0x80000804
outw 0xcfc 0x06
outl 0xcf8 0x80000820
outl 0xcfc 0xe0004000
write 0x10000e 0x1 0x01
write 0xe0004020 0x4 0x00001000
write 0xe0004028 0x4 0x00101000
write 0xe000401c 0x1 0x01
write 0x106000 0x1 0x05
write 0x100001 0x1 0x60
write 0x100002 0x1 0x10
write 0x100009 0x1 0x04
write 0x10000c 0x1 0x01
write 0x100018 0x1 0x04
write 0x10001c 0x1 0x02
write 0x101003 0x1 0x01
write 0xe0007001 0x1 0x00
EOF
Reported-by: Zheyu Ma <zheyuma97@gmail.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2359
Signed-off-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Message-Id: <20240613-fuzz-2359-fix-v2-manos.pitsidianakis@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
hw/virtio/virtio-iommu.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/hw/virtio/virtio-iommu.c b/hw/virtio/virtio-iommu.c
index b9a7ddcd14..ed7426afc7 100644
--- a/hw/virtio/virtio-iommu.c
+++ b/hw/virtio/virtio-iommu.c
@@ -974,6 +974,9 @@ static void virtio_iommu_handle_command(VirtIODevice *vdev,
VirtQueue *vq)
iov = elem->out_sg;
sz = iov_to_buf(iov, iov_cnt, 0, &head, sizeof(head));
if (unlikely(sz != sizeof(head))) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "%s: read %zu bytes from command head"
+ "but expected %zu\n", __func__, sz, sizeof(head));
tail.status = VIRTIO_IOMMU_S_DEVERR;
goto out;
}
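Review bot: the two string literals in the new qemu_log_mask() call are concatenated with no separator, so the log line reads "... from command headbut expected ..."; add a trailing space to the first literal ("%s: read %zu bytes from command head " followed by "but expected %zu\n") or a leading one to the second.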
@@ -1010,6 +1013,25 @@ static void virtio_iommu_handle_command(VirtIODevice
*vdev, VirtQueue *vq)
out:
sz = iov_from_buf(elem->in_sg, elem->in_num, 0,
buf ? buf : &tail, output_size);
+ if (unlikely(sz != output_size)) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "%s: wrote %zu bytes to command response"
+ "but response size is %zu\n",
+ __func__, sz, output_size);
+ tail.status = VIRTIO_IOMMU_S_DEVERR;
+ /*
+ * We checked that sizeof(tail) can fit to elem->in_sg at the
+ * beginning of the loop
+ */
+ output_size = sizeof(tail);
+ g_free(buf);
+ buf = NULL;
+ sz = iov_from_buf(elem->in_sg,
+ elem->in_num,
+ 0,
+ &tail,
+ output_size);
+ }
assert(sz == output_size);
virtqueue_push(vq, elem, sz);
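Review bot: same concatenation slip as in the first hunk: "%s: wrote %zu bytes to command response" and "but response size is %zu\n" join as "responsebut"; add a space. Separately, the retry path leans entirely on the comment's claim that sizeof(tail) was checked against elem->in_sg at the top of the loop, and that check is not visible in this hunk; since the assert(sz == output_size) that follows is still reachable from a guest-controlled descriptor if the claim ever stops holding, it would be worth naming the exact check in the comment, or having this fallback log and drop the element instead of asserting.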
--
MST
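The failure mode the commit message describes, as an added example that is not QEMU code and not the patch author's: a guest supplies a descriptor chain whose in_sg is shorter than the response, the scatter copy returns a short count, and the device must answer with an error tail instead of asserting. sg_from_buf below is a stand-in written here with the semantics iov_from_buf() is used with in the hunk (it returns the bytes actually copied); struct resp_tail, the S_OK/S_DEVERR values, respond() and run_case() are illustrative names and layouts, not the virtio-iommu ones.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/uio.h>

/* Stand-in for QEMU's iov_from_buf() (assumed semantics, not QEMU's code):
 * scatter `bytes` from `buf` into the iovec chain starting at byte
 * `offset`, and return the number of bytes actually copied. A chain that
 * is shorter than offset + bytes yields a short count instead of an error. */
static size_t sg_from_buf(const struct iovec *iov, unsigned iov_cnt,
                          size_t offset, const void *buf, size_t bytes)
{
    const uint8_t *src = buf;
    size_t done = 0;

    for (unsigned i = 0; i < iov_cnt && done < bytes; i++) {
        size_t len = iov[i].iov_len;
        if (offset >= len) {
            offset -= len;
            continue;
        }
        size_t avail = len - offset;
        size_t n = (bytes - done < avail) ? bytes - done : avail;
        memcpy((uint8_t *)iov[i].iov_base + offset, src + done, n);
        done += n;
        offset = 0;
    }
    return done;
}

/* Response tail and status values: layout and numbers are illustrative. */
struct resp_tail {
    uint8_t status;
    uint8_t reserved[3];
};
enum { S_OK = 0, S_DEVERR = 4 };

/* Same control flow as the patched `out:` path: attempt the full response,
 * and on a short write fall back to a tail-only DEVERR reply. The caller
 * must have verified that sizeof(*tail) fits in in_sg; if even that fails,
 * return SIZE_MAX, the case the remaining assert() in QEMU would catch. */
static size_t respond(const struct iovec *in_sg, unsigned in_num,
                      const void *buf, size_t output_size,
                      struct resp_tail *tail)
{
    size_t sz = sg_from_buf(in_sg, in_num, 0, buf, output_size);

    if (sz != output_size) {
        fprintf(stderr, "wrote %zu bytes to command response "
                        "but response size is %zu\n", sz, output_size);
        tail->status = S_DEVERR;
        output_size = sizeof(*tail);
        sz = sg_from_buf(in_sg, in_num, 0, tail, output_size);
    }
    return sz == output_size ? sz : SIZE_MAX;
}

struct case_result {
    size_t written;     /* bytes pushed to the guest, or SIZE_MAX */
    uint8_t status;     /* tail status after the call */
    uint8_t first_byte; /* first byte the guest sees in its buffer */
};

/* Constructed scenario: a response of resp_len bytes (0xAB pattern) for a
 * guest-supplied single-segment in_sg of guest_len bytes. */
static struct case_result run_case(size_t guest_len, size_t resp_len)
{
    uint8_t guest[64] = {0};
    uint8_t resp[64];
    struct resp_tail tail = { .status = S_OK };
    struct iovec in_sg = { .iov_base = guest, .iov_len = guest_len };
    struct case_result r;

    if (guest_len > sizeof guest || resp_len > sizeof resp) {
        r.written = SIZE_MAX; r.status = S_DEVERR; r.first_byte = 0;
        return r;
    }
    memset(resp, 0xAB, sizeof resp);
    r.written = respond(&in_sg, 1, resp, resp_len, &tail);
    r.status = tail.status;
    r.first_byte = guest[0];
    return r;
}

int main(void)
{
    struct case_result ok = run_case(16, 16);
    struct case_result shrt = run_case(8, 16);
    struct case_result bad = run_case(2, 16);

    printf("chain fits:     written=%zu status=%u\n", ok.written, ok.status);
    printf("short chain:    written=%zu status=%u\n", shrt.written, shrt.status);
    printf("tail won't fit: written=%zu (would have asserted)\n", bad.written);
    return 0;
}
```

The third case is the one the patch leaves to the assert: a chain too short even for the tail. That is only safe because the hunk's comment says the tail size is checked before the loop body runs; any device that copies guest-sized data into a guest-sized buffer needs that check on the guest-controlled side, not an assert on the result.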