From: Michael Roth
Subject: [PATCH 29/77] memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"
Date: Thu, 3 Sep 2020 15:58:47 -0500
From: "Michael S. Tsirkin" <mst@redhat.com>
Memory API documentation documents valid .min_access_size and .max_access_size
fields and explains that any access outside these boundaries is blocked.
This is what devices seem to assume.

However this is not what the implementation does: it simply
ignores the boundaries unless there's an "accepts" callback.
Naturally, this breaks a bunch of devices.

Revert to the documented behaviour.

Devices that want to allow any access can just drop the valid field,
or add the impl field to have accesses converted to appropriate
length.
Cc: qemu-stable@nongnu.org
Reviewed-by: Richard Henderson <rth@twiddle.net>
Fixes: CVE-2020-13754
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1842363
Fixes: a014ed07bd5a ("memory: accept mismatching sizes in memory_region_access_valid")
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20200610134731.1514409-1-mst@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 5d971f9e672507210e77d020d89e0e89165c8fc9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
memory.c | 29 +++++++++--------------------
1 file changed, 9 insertions(+), 20 deletions(-)
diff --git a/memory.c b/memory.c
index 601b749906..e31aed6446 100644
--- a/memory.c
+++ b/memory.c
@@ -1352,35 +1352,24 @@ bool memory_region_access_valid(MemoryRegion *mr,
bool is_write,
MemTxAttrs attrs)
{
- int access_size_min, access_size_max;
- int access_size, i;
-
- if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
+ if (mr->ops->valid.accepts
+ && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) {
return false;
}
- if (!mr->ops->valid.accepts) {
- return true;
- }
-
- access_size_min = mr->ops->valid.min_access_size;
- if (!mr->ops->valid.min_access_size) {
- access_size_min = 1;
+ if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
+ return false;
}
- access_size_max = mr->ops->valid.max_access_size;
+ /* Treat zero as compatibility all valid */
if (!mr->ops->valid.max_access_size) {
- access_size_max = 4;
+ return true;
}
- access_size = MAX(MIN(size, access_size_max), access_size_min);
- for (i = 0; i < size; i += access_size) {
- if (!mr->ops->valid.accepts(mr->opaque, addr + i, access_size,
- is_write, attrs)) {
- return false;
- }
+ if (size > mr->ops->valid.max_access_size
+ || size < mr->ops->valid.min_access_size) {
+ return false;
}
-
return true;
}
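Review bot: the early `return true` under `/* Treat zero as compatibility all valid */` also bypasses the `min_access_size` check, so a device that sets `.valid.min_access_size` but leaves `.valid.max_access_size` at zero gets no lower bound enforced, although the commit message says accesses outside either boundary are blocked; either test `size < mr->ops->valid.min_access_size` before the zero-max shortcut, or document that min is only honoured together with max. A second point is ordering: the removed code checked alignment before calling `accepts` and passed the callback aligned chunks of the clamped `access_size`, whereas the added code calls `mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)` first and with the raw `size`, so callbacks now see unaligned and out-of-range accesses they never saw before and must tolerate them; moving the `accepts` call after the alignment and size checks would keep the old contract for callbacks. Since restoring the strict check rejects accesses that devices relying on the lax behaviour currently receive, a stable backport should be taken together with the device adjustments later in this series (30/77 through 33/77 in the thread index) rather than on its own.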
--
2.17.1
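To make the behaviour change concrete, here is an added stand-alone C model of both versions of memory_region_access_valid() from the hunk above. This is example code written for this page, not QEMU's own; struct valid_ops is a simplified stand-in for MemoryRegionOps.valid, and the dword_only and legacy_cb device descriptors, the record_size callback and accepts_size_seen() are constructed for illustration.

```c
/*
 * Added example, not QEMU code: a stand-alone model of the two versions
 * of memory_region_access_valid() shown in the patch above.  struct
 * valid_ops is a simplified stand-in for MemoryRegionOps.valid; the
 * device descriptors and the accepts callback are constructed.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t hwaddr;

struct valid_ops {
    unsigned min_access_size;
    unsigned max_access_size;
    bool unaligned;
    bool (*accepts)(void *opaque, hwaddr addr, unsigned size, bool is_write);
};

#define MIN(a, b) ((a) < (b) ? (a) : (b))
#define MAX(a, b) ((a) > (b) ? (a) : (b))

/* Logic of the removed lines: the pre-revert implementation. */
bool access_valid_before(const struct valid_ops *v, void *opaque,
                         hwaddr addr, unsigned size, bool is_write)
{
    unsigned access_size_min, access_size_max, access_size, i;

    if (!v->unaligned && (addr & (size - 1))) {
        return false;
    }
    if (!v->accepts) {
        return true;            /* min/max silently ignored: the bug */
    }
    access_size_min = v->min_access_size ? v->min_access_size : 1;
    access_size_max = v->max_access_size ? v->max_access_size : 4;
    /* The callback only ever saw aligned chunks of a clamped size. */
    access_size = MAX(MIN(size, access_size_max), access_size_min);
    for (i = 0; i < size; i += access_size) {
        if (!v->accepts(opaque, addr + i, access_size, is_write)) {
            return false;
        }
    }
    return true;
}

/* Logic of the added lines: the documented behaviour restored. */
bool access_valid_after(const struct valid_ops *v, void *opaque,
                        hwaddr addr, unsigned size, bool is_write)
{
    if (v->accepts && !v->accepts(opaque, addr, size, is_write)) {
        return false;           /* callback now sees the raw size */
    }
    if (!v->unaligned && (addr & (size - 1))) {
        return false;
    }
    if (!v->max_access_size) {
        return true;            /* zero max: compatibility, all valid */
    }
    if (size > v->max_access_size || size < v->min_access_size) {
        return false;
    }
    return true;
}

/* Constructed device: 32-bit registers only, no accepts callback, the
 * pattern the commit message says devices assume is enforced. */
const struct valid_ops dword_only = {
    .min_access_size = 4, .max_access_size = 4, .unaligned = false,
};

/* Constructed device: accepts callback, min set, max left at zero. */
static unsigned last_accepts_size;
static bool record_size(void *opaque, hwaddr addr, unsigned size,
                        bool is_write)
{
    (void)opaque; (void)addr; (void)is_write;
    last_accepts_size = size;
    return true;
}
const struct valid_ops legacy_cb = {
    .min_access_size = 2, .max_access_size = 0, .accepts = record_size,
};

unsigned accepts_size_seen(void)
{
    return last_accepts_size;
}

int main(void)
{
    static const unsigned sizes[] = { 1, 2, 4, 8 };
    unsigned i;

    printf("dword_only @0x10  size  before  after\n");
    for (i = 0; i < 4; i++) {
        printf("                  %4u  %6d  %5d\n", sizes[i],
               access_valid_before(&dword_only, NULL, 0x10, sizes[i], false),
               access_valid_after(&dword_only, NULL, 0x10, sizes[i], false));
    }
    access_valid_before(&legacy_cb, NULL, 0x10, 1, false);
    printf("legacy_cb size 1: callback saw %u before, ", accepts_size_seen());
    access_valid_after(&legacy_cb, NULL, 0x10, 1, false);
    printf("%u after\n", accepts_size_seen());
    return 0;
}
```

Running it shows the 1- and 8-byte accesses to dword_only passing the old code and being rejected by the new one, and for legacy_cb that the callback is now handed the raw size 1 and the access still passes, because the zero max_access_size shortcut returns before the min_access_size bound is consulted.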
- [PATCH 20/77] virtiofsd: add --rlimit-nofile=NUM option, Michael Roth, 2020/09/03
- [PATCH 01/77] hostmem: don't use mbind() if host-nodes is empty, Michael Roth, 2020/09/03
- [PATCH 21/77] virtiofsd: stay below fs.file-max sysctl value (CVE-2020-10717), Michael Roth, 2020/09/03
- [PATCH 23/77] KVM: x86: believe what KVM says about WAITPKG, Michael Roth, 2020/09/03
- [PATCH 22/77] net: use peer when purging queue in qemu_flush_or_purge_queue_packets(), Michael Roth, 2020/09/03
- [PATCH 24/77] aio-posix: don't duplicate fd handler deletion in fdmon_io_uring_destroy(), Michael Roth, 2020/09/03
- [PATCH 25/77] aio-posix: disable fdmon-io_uring when GSource is used, Michael Roth, 2020/09/03
- [PATCH 26/77] linux-user/strace.list: fix epoll_create{, 1} -strace output, Michael Roth, 2020/09/03
- [PATCH 28/77] libqos: pci-pc: use 32-bit write for EJ register, Michael Roth, 2020/09/03
- [PATCH 27/77] libqos: usb-hcd-ehci: use 32-bit write for config register, Michael Roth, 2020/09/03
- [PATCH 29/77] memory: Revert "memory: accept mismatching sizes in memory_region_access_valid", Michael Roth, 2020/09/03 (this message)
- [PATCH 02/77] target/arm: Clear tail in gvec_fmul_idx_*, gvec_fmla_idx_*, Michael Roth, 2020/09/03
- [PATCH 32/77] acpi: accept byte and word access to core ACPI registers, Michael Roth, 2020/09/03
- [PATCH 31/77] xhci: fix valid.max_access_size to access address registers, Michael Roth, 2020/09/03
- [PATCH 34/77] hw/net/e1000e: Do not abort() on invalid PSRCTL register value, Michael Roth, 2020/09/03
- [PATCH 40/77] nbd: Avoid off-by-one in long export name truncation, Michael Roth, 2020/09/03
- [PATCH 33/77] hw/display/artist: Unbreak size mismatch memory accesses, Michael Roth, 2020/09/03
- [PATCH 39/77] usb/dev-mtp: Fix Error double free after inotify failure, Michael Roth, 2020/09/03
- [PATCH 03/77] qemu-nbd: Close inherited stderr, Michael Roth, 2020/09/03
- [PATCH 30/77] hw/riscv: Allow 64 bit access to SiFive CLINT, Michael Roth, 2020/09/03
- [PATCH 35/77] virtiofsd: Whitelist fchmod, Michael Roth, 2020/09/03