qemu-devel

Re: [PATCH v5] sev: add sev-inject-launch-secret


From: Eduardo Habkost
Subject: Re: [PATCH v5] sev: add sev-inject-launch-secret
Date: Tue, 20 Oct 2020 09:54:44 -0400

On Tue, Oct 20, 2020 at 11:03:51AM +0200, Paolo Bonzini wrote:
> On 15/10/20 16:37, tobin@linux.ibm.com wrote:
> > -static void *gpa2hva(MemoryRegion **p_mr, hwaddr addr, Error **errp)
> > +void *gpa2hva(MemoryRegion **p_mr, hwaddr addr, uint64_t size, Error 
> > **errp)
> >  {
> >      MemoryRegionSection mrs = memory_region_find(get_system_memory(),
> > -                                                 addr, 1);
> > +                                                 addr, size);
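
Review bot: in gpa2hva(), the caller's size is now passed to memory_region_find(), but nothing in the visible lines compares the returned mrs.size with that size, so a section covering only part of the requested range would be treated as if it covered all of it. Suggest setting errp and failing when mrs.size is smaller than size. Separately, dropping static makes the function externally visible, so it needs a prototype in a header and a comment saying what the new size parameter means for callers.
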
> 
> You need to check size against mrs.size and fail if mrs.size is smaller.
>  Otherwise, the ioctl can access memory out of range.

Good catch!  I'm dequeuing it.

Is there a reason memory_region_find() doesn't ensure that by
default?

It looks like there's only one memory_region_find() call in the
code that doesn't expect the returned section to contain the
entire range (at platform_bus_map_mmio()).  All the remaining
memory_region_find() calls either have size==1 (so it doesn't
matter) or have an extra check for MemoryRegionSection.size.

The call at virtio_balloon_handle_output() looks suspicious,
though, because it looks for a BALLOON_PAGE_SIZE range, but
there's no check for the returned section size.

-- 
Eduardo
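
The size check discussed in this message, as an added example that is not part of the original e-mail and is not QEMU code: a self-contained C model in which a range lookup returns only the overlapping part of the request, so the caller has to compare the returned size with the size it asked for. The map layout and all names (`find_overlap`, `range_fully_backed`) are hypothetical, and the clipping behaviour is an assumption of the model.

```c
#include <stdint.h>
#include <stddef.h>

/* Toy model (all names hypothetical): a flat guest-physical map. */
struct region { uint64_t base, len; };
struct section { int found; uint64_t start, size; };

/* Constructed layout: two RAM blocks separated by a hole. */
static const struct region map[] = {
    { 0x00000000, 0x000a0000 },
    { 0x00100000, 0x07f00000 },
};

/* Model assumption: the lookup returns the first overlap with
 * [addr, addr + size), clipped to the region, so the result may be
 * shorter than the range that was asked for. */
static struct section find_overlap(uint64_t addr, uint64_t size)
{
    struct section s = { 0, 0, 0 };
    if (size == 0 || addr + size < addr)      /* empty or wrapping range */
        return s;
    for (size_t i = 0; i < sizeof(map) / sizeof(map[0]); i++) {
        uint64_t lo = addr > map[i].base ? addr : map[i].base;
        uint64_t r_end = map[i].base + map[i].len;
        uint64_t hi = addr + size < r_end ? addr + size : r_end;
        if (lo < hi) {
            s.found = 1; s.start = lo; s.size = hi - lo;
            return s;
        }
    }
    return s;
}

/* Caller-side check: accept only if the section starts at addr and
 * covers the whole request. Returns 1 when the range is usable. */
static int range_fully_backed(uint64_t addr, uint64_t size)
{
    struct section s = find_overlap(addr, size);
    return s.found && s.start == addr && s.size >= size;
}

int main(void)
{
    /* Straddles the end of the first block: overlap found, but short. */
    return range_fully_backed(0x9f000, 0x2000) ? 1 : 0;
}
```

With a one-byte request the clipped section can never be shorter than the request, which is why the size==1 callers do not need the extra comparison.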



