From nobody Sun May 19 04:34:52 2024
Delivered-To: importer@patchew.org
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as
 permitted sender)
  smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org;
	dmarc=fail(p=none dis=none)  header.from=nutanix.com
ARC-Seal: i=1; a=rsa-sha256; t=1594959734; cv=none;
	d=zohomail.com; s=zohoarc;
	b=SEmTvOoBmejkdTLukXczGRQv1hD0bOy3TGTJZyHSV9olT/aTRJY5JdJQGK5Q+wB+NyYxV+k4GVYbwevKu+usiw5r9shPpmRsPY8xenFc3ToQGc7BkgG2M7v+0nhZB2YEVAKBU0EmuG68U7/HutnBsk4E/kmTAkTOK8LDew+6Cjw=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1594959734;
 h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:Message-ID:Sender:Subject:To;
	bh=n2XHF9IAzaoZOCZL7/AZ7k2Y/YwG4AIDrh2Fz46ecUw=;
	b=QXkuSWfO+Tsb3XwM6kmhX5be50ezctQTzU8T4BXN9TeUEIP4gaubyog3p3vGbjdXK/NCKVYaQOHYEFlr6sM9jiMkgMSIMoOqxDTSjB63D762Kjgc56OZpxInYCqMYK5VNQG3XYDm6s8buU5vV0coKlgzv0YGzXMt0mgPbAE9Afw=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as
 permitted sender)
  smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org;
	dmarc=fail header.from=<raphael.norwitz@nutanix.com> (p=none dis=none)
 header.from=<raphael.norwitz@nutanix.com>
Return-Path: <qemu-devel-bounces+importer=patchew.org@nongnu.org>
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by
 mx.zohomail.com
	with SMTPS id 1594959734538304.3482712912097;
 Thu, 16 Jul 2020 21:22:14 -0700 (PDT)
Received: from localhost ([::1]:59092 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <qemu-devel-bounces+importer=patchew.org@nongnu.org>)
	id 1jwHsy-0000A6-Bx
	for importer@patchew.org; Fri, 17 Jul 2020 00:22:12 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:40074)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1)
 (envelope-from <bounces+16159052-3d09-qemu-devel=nongnu.org@sendgrid.net>)
 id 1jwHsO-0008B4-FA
 for qemu-devel@nongnu.org; Fri, 17 Jul 2020 00:21:36 -0400
Received: from o1.dev.nutanix.com ([198.21.4.205]:61086)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1)
 (envelope-from <bounces+16159052-3d09-qemu-devel=nongnu.org@sendgrid.net>)
 id 1jwHsL-0007U6-9Z
 for qemu-devel@nongnu.org; Fri, 17 Jul 2020 00:21:36 -0400
Received: by filterdrecv-p3mdw1-75c584b9c6-qxmj9 with SMTP id
 filterdrecv-p3mdw1-75c584b9c6-qxmj9-18-5F11274A-2F
 2020-07-17 04:21:30.945048284 +0000 UTC m=+1768314.500731978
Received: from localhost.localdomain.com (unknown)
 by ismtpd0004p1sjc2.sendgrid.net (SG) with ESMTP
 id iigHLbBXTmeIT48_lZ1Nlg Fri, 17 Jul 2020 04:21:30.605 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sendgrid.net;
 h=from:subject:to:cc:content-type:content-transfer-encoding;
 s=smtpapi; bh=n2XHF9IAzaoZOCZL7/AZ7k2Y/YwG4AIDrh2Fz46ecUw=;
 b=jqqi6EKG75C8Iel2Y7bWJUv8mWoGmsMk2lIPRUe5+PMk38lRaL/ENRDnFB+TvMd63nar
 KwlKuL1etmxHShe3bSMsoUJrfb2TF+kGpCCJqAeVEbhU9nzwbtBsFcKYSj/ph/egUEGrNJ
 P1/qV5gb3aWOTzfSjVz3ob58YjXSPszrs=
From: Raphael Norwitz <raphael.norwitz@nutanix.com>
Subject: [PATCH] Fix vhost-user buffer over-read on ram hot-unplug
Date: Fri, 17 Jul 2020 04:21:30 +0000 (UTC)
Message-Id: <1594799958-31356-1-git-send-email-raphael.norwitz@nutanix.com>
X-Mailer: git-send-email 1.8.3.1
X-SG-EID: 
 =?us-ascii?Q?YCLURHX+pjNDm1i7d69iKyMnQi=2FdvWah9veFa8nllaoUC0ScIWrCgiaWGu43Vg?=
 =?us-ascii?Q?xFdB4istXUBpN9H93OJgc8zcpxOIOngOxJjXA3i?=
 =?us-ascii?Q?pN71ZbxZPfO78Id=2FFbP+jiXD=2F=2F0+OSsDL240shO?=
 =?us-ascii?Q?5HXoUE3i7rKsbgfTSATvYbuXc8qywTvPh37Our=2F?=
 =?us-ascii?Q?DMCZKSLDADrRBBjd=2FZI=2F8qRFwu9HXdmo3mm5FRS?=
 =?us-ascii?Q?xAWA+TPtdw9MEXkpWVLkm9zp87DXbys=2F1pHGQI8?=
 =?us-ascii?Q?FBzMest4E1PcGHifAKQcw=3D=3D?=
To: qemu-devel@nongnu.org, marcandre.lureau@redhat.com, mst@redhat.com
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17
 as permitted sender) client-ip=209.51.188.17;
 envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org;
 helo=lists.gnu.org;
Received-SPF: pass client-ip=198.21.4.205;
 envelope-from=bounces+16159052-3d09-qemu-devel=nongnu.org@sendgrid.net;
 helo=o1.dev.nutanix.com
X-detected-operating-system: by eggs.gnu.org: First seen = 2020/07/17 00:21:31
X-ACL-Warn: Detected OS   = Linux 3.11 and newer [fuzzy]
X-Spam_score_int: -29
X-Spam_score: -3.0
X-Spam_bar: ---
X-Spam_report: (-3.0 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_MED=-1,
 DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1,
 HEADER_FROM_DIFFERENT_DOMAINS=1, RCVD_IN_DNSWL_NONE=-0.0001,
 RCVD_IN_MSPIKE_H2=-1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
 UNPARSEABLE_RELAY=0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Cc: Peter Turschmid <peter.turschm@nutanix.com>,
 Raphael Norwitz <raphael.norwitz@nutanix.com>
Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org
Sender: "Qemu-devel" <qemu-devel-bounces+importer=patchew.org@nongnu.org>
X-ZohoMail-DKIM: fail (Header signature does not verify)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

The VHOST_USER_PROTOCOL_F_CONFIGURE_MEM_SLOTS vhost-user protocol
feature introduced a shadow-table, used by the backend to dynamically
determine how a vdev's memory regions have changed since the last
vhost_user_set_mem_table() call. On hot-remove, a memmove() operation
is used to overwrite the removed shadow region descriptor(s). The size
parameter of this memmove was off by 1 such that if a VM with a backend
supporting the VHOST_USER_PROTOCOL_F_CONFIGURE_MEM_SLOTS filled it's
shadow-table (by performing the maximum number of supported hot-add
operatons) and attempted to remove the last region, Qemu would read an
out of bounds value and potentially crash.

This change fixes the memmove() bounds such that this erroneous read can
never happen.

Signed-off-by: Peter Turschmid <peter.turschm@nutanix.com>
Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
Reviewed-by: Marc-Andr=C3=A9 Lureau <marcandre.lureau@redhat.com>
---
 hw/virtio/vhost-user.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c
index 3123121..d7e2423 100644
--- a/hw/virtio/vhost-user.c
+++ b/hw/virtio/vhost-user.c
@@ -672,7 +672,7 @@ static int send_remove_regions(struct vhost_dev *dev,
         memmove(&u->shadow_regions[shadow_reg_idx],
                 &u->shadow_regions[shadow_reg_idx + 1],
                 sizeof(struct vhost_memory_region) *
-                (u->num_shadow_regions - shadow_reg_idx));
+                (u->num_shadow_regions - shadow_reg_idx - 1));
         u->num_shadow_regions--;
     }
=20
--=20
1.8.3.1