From nobody Sun Feb 8 23:05:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1595858016; cv=none; d=zohomail.com; s=zohoarc; b=cXTJbXe3PC23ZUh28/S+lxLOLT/QJbwS5BrWTXC25Pufp64dQOD6ZDkfzay/hakXqPuDy6ScnYGtr5aDehy3RPpaiVAoCLYzc/xakzryHh6JlcvlLpHxWsirUm6ZKzDH2cI+jrGJOxdI/q5e8D2p1uwF9QQEKqzUdiT3BgULsxg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1595858016; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=2bb6OtX/LD4ZX58mGeq2eGBkZlXvZDtQoKpqNCcHDcU=; b=NBMkPm0PgLkgVvh2kF5sagw1Q9Nb/ZrsGdEKTgrZLPo8TmwQkMCMFLWn1zDa3xTfv5sY1BSlHuue3JZv+N/WufXf/yHZQ9uDX7mhWR68pw5CzZRK+SB2Of6ZgwvYl5AVMAWkdKdLP5RdNIOHvh4FTL23ysgsX8m17AyRoYh1P4w= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail header.from= (p=none dis=none) header.from= Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1595858016578164.42486129118868; Mon, 27 Jul 2020 06:53:36 -0700 (PDT) Received: from localhost ([::1]:37898 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1k03ZP-0002jX-AU for importer@patchew.org; Mon, 27 Jul 2020 09:53:35 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:33982) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1k03Vq-0005U9-DA for qemu-devel@nongnu.org; Mon, 27 Jul 2020 09:49:54 -0400 Received: from us-smtp-delivery-1.mimecast.com ([205.139.110.120]:58693 helo=us-smtp-1.mimecast.com) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.90_1) (envelope-from ) id 1k03Vo-0001wN-KJ for qemu-devel@nongnu.org; Mon, 27 Jul 2020 09:49:54 -0400 Received: from mail-wr1-f70.google.com (mail-wr1-f70.google.com [209.85.221.70]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-40-Dd-KUaD3Ncesp6VF0v6SXQ-1; Mon, 27 Jul 2020 09:49:50 -0400 Received: by mail-wr1-f70.google.com with SMTP id w1so1938234wro.4 for ; Mon, 27 Jul 2020 06:49:49 -0700 (PDT) Received: from redhat.com ([192.117.173.58]) by smtp.gmail.com with ESMTPSA id 32sm12283552wrn.86.2020.07.27.06.49.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 27 Jul 2020 06:49:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1595857792; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=2bb6OtX/LD4ZX58mGeq2eGBkZlXvZDtQoKpqNCcHDcU=; b=KLCvmUxA8pvPEU50bvWzM1f6RgxhbfUSS4h9clFDKx0E+LpRLK+FDpoQZmTYxi07XlXanj 9cNb+NQr6f1AneU9LIVfG+20qVS3ncxHUmOSwizAZtuk/+53waV+KtWNFeZdtiOxADQgl3 d2s8cAzQVGUglCF3sQE+e/oqUWclvdU= X-MC-Unique: Dd-KUaD3Ncesp6VF0v6SXQ-1 X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:content-transfer-encoding :in-reply-to; bh=2bb6OtX/LD4ZX58mGeq2eGBkZlXvZDtQoKpqNCcHDcU=; b=QgErNLfwF/g11kCFUoEEKAKKwUxG2TUQKxxGcNjY1G9pChBmhEpnMi3JjODqvNCpg0 ziA2K40IoD11JDMfYVlh9Hgr6aDv3hG1TbyCtWRq2PzCWmFR+8NwLb84Q8mxkXNHrJHh 7Q81h4bPl7mzLkLI9fDl416IvdoSopeg2ZtzVVYeVblwEgtm9sTzjp2h7z/5fSWyB2jT j76uUUtcnvM33ZSJbC/YMhuAHZKYzEQrg10EG7KH2hubXLc//W1D3h6mC3CRyeQ2qGE1 cV/uCM/vuLJZvyjpkx+3gRCNjei4zQ12pQFQmgZg03myg+mFbABdo2CdUgb2yoLeHFMz eKuQ== X-Gm-Message-State: AOAM530K5gP2BrZlxJdenb+O6WdBhXDL2licRseBZONkC6nKjCqCpqxH 9lqq3nO8FBjqnEbQ7szFstE015f7tqGkGuImgUmT+w4x1sL8Wq0OHRjllVtpWBnQh847wJH2GfJ ToLJVdZqzS9uGVwk= X-Received: by 2002:a7b:c205:: with SMTP id x5mr21975195wmi.161.1595857787737; Mon, 27 Jul 2020 06:49:47 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyc0bxZIVZdfd15jK1aD0TSqhIErH70IAF/kCvzhu9EUpS5F5h75F08gfobn/wRL4DKmLbSUg== X-Received: by 2002:a7b:c205:: with SMTP id x5mr21975179wmi.161.1595857787498; Mon, 27 Jul 2020 06:49:47 -0700 (PDT) Date: Mon, 27 Jul 2020 09:49:39 -0400 From: "Michael S. Tsirkin" To: qemu-devel@nongnu.org Subject: [PULL 4/7] Fix vhost-user buffer over-read on ram hot-unplug Message-ID: <20200727134614.96376-5-mst@redhat.com> References: <20200727134614.96376-1-mst@redhat.com> MIME-Version: 1.0 In-Reply-To: <20200727134614.96376-1-mst@redhat.com> X-Mailer: git-send-email 2.27.0.106.g8ac3dc51b1 X-Mutt-Fcc: =sent Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=mst@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=205.139.110.120; envelope-from=mst@redhat.com; helo=us-smtp-1.mimecast.com X-detected-operating-system: by eggs.gnu.org: First seen = 2020/07/27 01:44:14 X-ACL-Warn: Detected OS = Linux 2.2.x-3.x [generic] [fuzzy] X-Spam_score_int: -40 X-Spam_score: -4.1 X-Spam_bar: ---- X-Spam_report: (-4.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-1, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Peter Maydell , =?utf-8?Q?Marc-Andr=C3=A9?= Lureau , qemu-stable@nongnu.org, Peter Turschmid , Raphael Norwitz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) From: Raphael Norwitz The VHOST_USER_PROTOCOL_F_CONFIGURE_MEM_SLOTS vhost-user protocol feature introduced a shadow-table, used by the backend to dynamically determine how a vdev's memory regions have changed since the last vhost_user_set_mem_table() call. On hot-remove, a memmove() operation is used to overwrite the removed shadow region descriptor(s). The size parameter of this memmove was off by 1 such that if a VM with a backend supporting the VHOST_USER_PROTOCOL_F_CONFIGURE_MEM_SLOTS filled it's shadow-table (by performing the maximum number of supported hot-add operatons) and attempted to remove the last region, Qemu would read an out of bounds value and potentially crash. This change fixes the memmove() bounds such that this erroneous read can never happen. Signed-off-by: Peter Turschmid Signed-off-by: Raphael Norwitz Message-Id: <1594799958-31356-1-git-send-email-raphael.norwitz@nutanix.com> Fixes: f1aeb14b0809 ("Transmit vhost-user memory regions individually") Reviewed-by: Marc-Andr=C3=A9 Lureau Cc: qemu-stable@nongnu.org Reviewed-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin --- hw/virtio/vhost-user.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c index 31231218dc..d7e2423762 100644 --- a/hw/virtio/vhost-user.c +++ b/hw/virtio/vhost-user.c @@ -672,7 +672,7 @@ static int send_remove_regions(struct vhost_dev *dev, memmove(&u->shadow_regions[shadow_reg_idx], &u->shadow_regions[shadow_reg_idx + 1], sizeof(struct vhost_memory_region) * - (u->num_shadow_regions - shadow_reg_idx)); + (u->num_shadow_regions - shadow_reg_idx - 1)); u->num_shadow_regions--; } =20 --=20 MST