[Qemu-devel] [PATCH] linux-user: check valid address in access_ok()

Rémi Denis-Courmont posted 1 patch 10 weeks ago
Test docker-mingw@fedora passed
Test asan passed
Test checkpatch passed
Test docker-clang@ubuntu failed
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20190208173520.15007-1-remi@remlab.net
linux-user/qemu.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

[Qemu-devel] [PATCH] linux-user: check valid address in access_ok()

Posted by Rémi Denis-Courmont 10 weeks ago
This works around the LTP crash, but there are problably better ways to
go about it.

Signed-off-by: Rémi Denis-Courmont <remi@remlab.net>
Cc: <lvivier@redhat.com>
---
 linux-user/qemu.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/linux-user/qemu.h b/linux-user/qemu.h
index ef400cb78a..1d222a0cce 100644
--- a/linux-user/qemu.h
+++ b/linux-user/qemu.h
@@ -457,7 +457,8 @@ extern unsigned long guest_stack_size;
 
 static inline int access_ok(int type, abi_ulong addr, abi_ulong size)
 {
-    return page_check_range((target_ulong)addr, size,
+    return guest_addr_valid(addr) && guest_addr_valid(addr + size) &&
+           page_check_range((target_ulong)addr, size,
                             (type == VERIFY_READ) ? PAGE_READ : (PAGE_READ | PAGE_WRITE)) == 0;
 }
 
-- 
2.20.1


Re: [Qemu-devel] [PATCH] linux-user: check valid address in access_ok()

Posted by Laurent Vivier 10 weeks ago
On 08/02/2019 18:35, Rémi Denis-Courmont wrote:
> This works around the LTP crash, but there are problably better ways to
> go about it.
> 
> Signed-off-by: Rémi Denis-Courmont <remi@remlab.net>
> Cc: <lvivier@redhat.com>
> ---
>  linux-user/qemu.h | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/linux-user/qemu.h b/linux-user/qemu.h
> index ef400cb78a..1d222a0cce 100644
> --- a/linux-user/qemu.h
> +++ b/linux-user/qemu.h
> @@ -457,7 +457,8 @@ extern unsigned long guest_stack_size;
>  
>  static inline int access_ok(int type, abi_ulong addr, abi_ulong size)
>  {
> -    return page_check_range((target_ulong)addr, size,
> +    return guest_addr_valid(addr) && guest_addr_valid(addr + size) &&

I think it should be guest_addr_valid(addr + size - 1).

Except that, it looks good.

Thanks,
Laurent

Re: [Qemu-devel] [PATCH] linux-user: check valid address in access_ok()

Posted by Laurent Vivier 9 weeks ago
On 08/02/2019 19:33, Laurent Vivier wrote:
> On 08/02/2019 18:35, Rémi Denis-Courmont wrote:
>> This works around the LTP crash, but there are problably better ways to
>> go about it.
>>
>> Signed-off-by: Rémi Denis-Courmont <remi@remlab.net>
>> Cc: <lvivier@redhat.com>
>> ---
>>  linux-user/qemu.h | 3 ++-
>>  1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/linux-user/qemu.h b/linux-user/qemu.h
>> index ef400cb78a..1d222a0cce 100644
>> --- a/linux-user/qemu.h
>> +++ b/linux-user/qemu.h
>> @@ -457,7 +457,8 @@ extern unsigned long guest_stack_size;
>>  
>>  static inline int access_ok(int type, abi_ulong addr, abi_ulong size)
>>  {
>> -    return page_check_range((target_ulong)addr, size,
>> +    return guest_addr_valid(addr) && guest_addr_valid(addr + size) &&
> 
> I think it should be guest_addr_valid(addr + size - 1).

In fact (len == 0 || guest_addr_valid(addr + size - 1)).

Could you send a new version of your patch?

I've received several mail delivery system errors regarding your email
address remi@remlab.net.

Thanks,
Laurent


Re: [Qemu-devel] [PATCH] linux-user: check valid address in access_ok()

Posted by Remi Denis Courmont 9 weeks ago
Hi,

I don't think that len == 0 is a sufficient condition to eliminate integer overflow. It only ensures that size - 1 is a positive quantity.

________________________________________
De : Laurent Vivier [laurent@vivier.eu]
Envoyé : jeudi 14 février 2019 11:22
À : Rémi Denis-Courmont; qemu-devel@nongnu.org
Cc : Remi Denis Courmont
Objet : Re: [Qemu-devel] [PATCH] linux-user: check valid address in access_ok()

On 08/02/2019 19:33, Laurent Vivier wrote:
> On 08/02/2019 18:35, Rémi Denis-Courmont wrote:
>> This works around the LTP crash, but there are problably better ways to
>> go about it.
>>
>> Signed-off-by: Rémi Denis-Courmont <remi@remlab.net>
>> Cc: <lvivier@redhat.com>
>> ---
>>  linux-user/qemu.h | 3 ++-
>>  1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/linux-user/qemu.h b/linux-user/qemu.h
>> index ef400cb78a..1d222a0cce 100644
>> --- a/linux-user/qemu.h
>> +++ b/linux-user/qemu.h
>> @@ -457,7 +457,8 @@ extern unsigned long guest_stack_size;
>>
>>  static inline int access_ok(int type, abi_ulong addr, abi_ulong size)
>>  {
>> -    return page_check_range((target_ulong)addr, size,
>> +    return guest_addr_valid(addr) && guest_addr_valid(addr + size) &&
>
> I think it should be guest_addr_valid(addr + size - 1).

In fact (len == 0 || guest_addr_valid(addr + size - 1)).

Could you send a new version of your patch?

I've received several mail delivery system errors regarding your email
address remi@remlab.net.

Thanks,
Laurent