[PULL v3 43/85] virtio-iommu: add error check before assert
From: Michael S. Tsirkin
Subject: [PULL v3 43/85] virtio-iommu: add error check before assert
Date: Wed, 3 Jul 2024 18:47:36 -0400
From: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
A fuzzer case discovered by Zheyu Ma causes an assert failure.
Add a check before the assert, and respond with an error before moving
on to the next queue element.
To reproduce the failure:
cat << EOF | \
qemu-system-x86_64 \
-display none -machine accel=qtest -m 512M -machine q35 -nodefaults \
-device virtio-iommu -qtest stdio
outl 0xcf8 0x80000804
outw 0xcfc 0x06
outl 0xcf8 0x80000820
outl 0xcfc 0xe0004000
write 0x10000e 0x1 0x01
write 0xe0004020 0x4 0x00001000
write 0xe0004028 0x4 0x00101000
write 0xe000401c 0x1 0x01
write 0x106000 0x1 0x05
write 0x100001 0x1 0x60
write 0x100002 0x1 0x10
write 0x100009 0x1 0x04
write 0x10000c 0x1 0x01
write 0x100018 0x1 0x04
write 0x10001c 0x1 0x02
write 0x101003 0x1 0x01
write 0xe0007001 0x1 0x00
EOF
Reported-by: Zheyu Ma <zheyuma97@gmail.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2359
Signed-off-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Message-Id: <20240613-fuzz-2359-fix-v2-manos.pitsidianakis@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
hw/virtio/virtio-iommu.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/hw/virtio/virtio-iommu.c b/hw/virtio/virtio-iommu.c
index b9a7ddcd14..ed7426afc7 100644
--- a/hw/virtio/virtio-iommu.c
+++ b/hw/virtio/virtio-iommu.c
@@ -974,6 +974,9 @@ static void virtio_iommu_handle_command(VirtIODevice *vdev,
VirtQueue *vq)
iov = elem->out_sg;
sz = iov_to_buf(iov, iov_cnt, 0, &head, sizeof(head));
if (unlikely(sz != sizeof(head))) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "%s: read %zu bytes from command head"
+ "but expected %zu\n", __func__, sz, sizeof(head));
tail.status = VIRTIO_IOMMU_S_DEVERR;
goto out;
}
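Review bot: the two string literals in the new qemu_log_mask() call are concatenated without a separating space, so the logged message reads "... from command headbut expected ..."; end the first literal with a trailing space, e.g. "%s: read %zu bytes from command head " before "but expected %zu\n".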
@@ -1010,6 +1013,25 @@ static void virtio_iommu_handle_command(VirtIODevice
*vdev, VirtQueue *vq)
out:
sz = iov_from_buf(elem->in_sg, elem->in_num, 0,
buf ? buf : &tail, output_size);
+ if (unlikely(sz != output_size)) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "%s: wrote %zu bytes to command response"
+ "but response size is %zu\n",
+ __func__, sz, output_size);
+ tail.status = VIRTIO_IOMMU_S_DEVERR;
+ /*
+ * We checked that sizeof(tail) can fit to elem->in_sg at the
+ * beginning of the loop
+ */
+ output_size = sizeof(tail);
+ g_free(buf);
+ buf = NULL;
+ sz = iov_from_buf(elem->in_sg,
+ elem->in_num,
+ 0,
+ &tail,
+ output_size);
+ }
assert(sz == output_size);
virtqueue_push(vq, elem, sz);
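Review bot: the same missing separator appears in this hunk's log call, where "%s: wrote %zu bytes to command response" followed by "but response size is %zu\n" logs "responsebut"; end the first literal with a space. The fallback itself reads correctly: on a short write it discards the full response, sets tail.status to VIRTIO_IOMMU_S_DEVERR and re-issues iov_from_buf() with output_size = sizeof(tail), which the comment states was verified to fit elem->in_sg at the start of the loop, so the assert(sz == output_size) that remains can no longer be reached with a guest-sized in_sg; setting buf = NULL after g_free(buf) keeps any subsequent g_free(buf) from double-freeing. Minor style point: the second iov_from_buf() call spreads five arguments over five lines, while the identical call just above it fits on two.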
--
MST