From nobody Fri Oct 25 19:36:34 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=linaro.org ARC-Seal: i=1; a=rsa-sha256; t=1718257849; cv=none; d=zohomail.com; s=zohoarc; b=aXflL4fDt4KwMRZeT2Ra8Yxvm+3iEZFkkiH0OFrMSRRyUz3wUnR/G7E2YHLwzLRwoQC4AqX6k/1rXcd3LjuWpmXIl4+iaGa0iF9mM4Bg1RyrXZ542WlJD/c2R+ztWTWRcdqEaPn85XauMr2NYX/zJ6NtZ1jRFQO7RQlycKML4ao= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1718257849; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=1Pke5SnVgSyp7kc2reUGj589dsJKNLncqYWR1n+SCgo=; b=Km+VJSPqeTf1itKQIA1Ejcsn4gbKoNqtLMpsYu2Vpx8zuj++X7nbcjnLoYDaFqa2n4pix07ZHokcBS4fTSwKkh6/e96RwG51gJdpzGxU2MQmojxts0BTSypaoyHzGIBdZO79wMQpZYZiEwzT9kZVD3dLbkkLeuuByFkdMf6HExk= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1718257849669971.8298937066439; Wed, 12 Jun 2024 22:50:49 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1sHdLI-0007vS-IM; Thu, 13 Jun 2024 01:49:48 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sHdLG-0007vK-Fx for qemu-devel@nongnu.org; Thu, 13 Jun 2024 01:49:46 -0400 Received: from mail-wm1-x32b.google.com ([2a00:1450:4864:20::32b]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1sHdLE-0000uS-Hm for qemu-devel@nongnu.org; Thu, 13 Jun 2024 01:49:46 -0400 Received: by mail-wm1-x32b.google.com with SMTP id 5b1f17b1804b1-4217c7eb6b4so6893915e9.2 for ; Wed, 12 Jun 2024 22:49:43 -0700 (PDT) Received: from localhost.localdomain (adsl-105.37.6.1.tellas.gr. [37.6.1.105]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-422874de68asm48632175e9.29.2024.06.12.22.49.39 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 12 Jun 2024 22:49:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1718257781; x=1718862581; darn=nongnu.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=1Pke5SnVgSyp7kc2reUGj589dsJKNLncqYWR1n+SCgo=; b=RSSDhc3GjnokU/Qyz/PXSRMMX8TIXDgSzdVKs79XLMtod32Fdmkl8jTdx5SGE2fyxW rocLHRTENs56hHNzF7nfoQJfV7Ek9j8PJf/SbhdbuTJ9O/3zIr70F9u++CQJOj4owWbQ XH27cQ2KLoxhTmDhKVQDYNpV0qErScuEfakKFjslCksWyrlgHZwjOtZPaJTjfPQiL6rZ Znl7eg1aaNqFsG31IgI4LIwtHSWOAXCcQ86pHNILhpJE6/9gpbUARwxcA0W6XPntUWRt 7sosq1s/DRHkUmBz3XyOxoeWO3mDsvXsaHdICJm9juPNEhJmYxCl+c6S7+E50cxHebxH HE0A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1718257781; x=1718862581; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=1Pke5SnVgSyp7kc2reUGj589dsJKNLncqYWR1n+SCgo=; b=pZpN8M+zeoOZquR7/dK6+Ipu8XWDhhSOfsLOrVxfc8Ca785rZ72OnzW54Upwk/jx+K mTFGE3IgZTVqxskG6E+jFxgyWw+vkO24JqwPPmMWOY1XnloOAPQDsXTenjE1krgaW7aV SVjI8fTWcp7FP6RqIBqwoUXa6b5ePNVcTU0YqxWfwVg6ipjPvjPhRDjLgPB6NVL6JT/R ClSwbBoLYFWJD049dZ+/mdx1pONPu2BTZu+LZmN8SnSWWCc9UJOGMYlkBSd8yMSunf8e S/MdVYfUIJbLNS/XOKmCSa2M1TvsbtSbT+t4PzdnKWdPCHSwKmobga/Q608ta10q3vvG xhBA== X-Gm-Message-State: AOJu0YzD7hqFxUdnFetHM9FCvHps0vN128s0SB+fhPWMf7NOD+DBBQGI GrpyBP9HA/PjgOS2s0dMF98GHb/mWC4ulAhKRHFlDJjpK+Urb2eETTxq4Nm6PyCkEHYGFPZ6Ypw ztVU= X-Google-Smtp-Source: AGHT+IHkorExO8QBf+zR+i6G4MUmZk2OwPv2XU8J4n9+uF1nm5mt4yedbFzzyup29H6+8t01IHeGTg== X-Received: by 2002:a05:600c:5487:b0:422:1a82:3ebf with SMTP id 5b1f17b1804b1-422867bec26mr35385055e9.35.1718257780857; Wed, 12 Jun 2024 22:49:40 -0700 (PDT) From: Manos Pitsidianakis To: qemu-devel@nongnu.org Cc: =?UTF-8?q?Alex=20Benn=C3=A9e?= , Zheyu Ma , "Michael S. Tsirkin" , Eric Auger , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Subject: [PATCH v2] virtio-iommu: add error check before assert Date: Thu, 13 Jun 2024 08:49:12 +0300 Message-ID: <20240613-fuzz-2359-fix-v2-manos.pitsidianakis@linaro.org> X-Mailer: git-send-email 2.44.0 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=2a00:1450:4864:20::32b; envelope-from=manos.pitsidianakis@linaro.org; helo=mail-wm1-x32b.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @linaro.org) X-ZM-MESSAGEID: 1718257850328100001 Content-Type: text/plain; charset="utf-8" A fuzzer case discovered by Zheyu Ma causes an assert failure. Add a check before the assert, and respond with an error before moving on to the next queue element. To reproduce the failure: cat << EOF | \ qemu-system-x86_64 \ -display none -machine accel=3Dqtest -m 512M -machine q35 -nodefaults \ -device virtio-iommu -qtest stdio outl 0xcf8 0x80000804 outw 0xcfc 0x06 outl 0xcf8 0x80000820 outl 0xcfc 0xe0004000 write 0x10000e 0x1 0x01 write 0xe0004020 0x4 0x00001000 write 0xe0004028 0x4 0x00101000 write 0xe000401c 0x1 0x01 write 0x106000 0x1 0x05 write 0x100001 0x1 0x60 write 0x100002 0x1 0x10 write 0x100009 0x1 0x04 write 0x10000c 0x1 0x01 write 0x100018 0x1 0x04 write 0x10001c 0x1 0x02 write 0x101003 0x1 0x01 write 0xe0007001 0x1 0x00 EOF Reported-by: Zheyu Ma Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2359 Signed-off-by: Manos Pitsidianakis --- Range-diff against v1: 1: a665c6e73d ! 1: 8e50c1b00e virtio-iommu: add error check before assert @@ Commit message =20 ## hw/virtio/virtio-iommu.c ## @@ hw/virtio/virtio-iommu.c: static void virtio_iommu_handle_command(V= irtIODevice *vdev, VirtQueue *vq) + iov =3D elem->out_sg; + sz =3D iov_to_buf(iov, iov_cnt, 0, &head, sizeof(head)); + if (unlikely(sz !=3D sizeof(head))) { ++ qemu_log_mask(LOG_GUEST_ERROR, ++ "%s: read %zu bytes from command head" ++ "but expected %zu\n", __func__, sz, sizeof(= head)); + tail.status =3D VIRTIO_IOMMU_S_DEVERR; + goto out; + } +@@ hw/virtio/virtio-iommu.c: static void virtio_iommu_handle_command(V= irtIODevice *vdev, VirtQueue *vq) out: sz =3D iov_from_buf(elem->in_sg, elem->in_num, 0, buf ? buf : &tail, output_size); + if (unlikely(sz !=3D output_size)) { ++ qemu_log_mask(LOG_GUEST_ERROR, ++ "%s: wrote %zu bytes to command response" ++ "but response size is %zu\n", ++ __func__, sz, output_size); + tail.status =3D VIRTIO_IOMMU_S_DEVERR; -+ /* We checked that tail can fit earlier */ ++ /* ++ * We checked that sizeof(tail) can fit to elem->in_sg at= the ++ * beginning of the loop ++ */ + output_size =3D sizeof(tail); + g_free(buf); + buf =3D NULL; hw/virtio/virtio-iommu.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/hw/virtio/virtio-iommu.c b/hw/virtio/virtio-iommu.c index 1326c6ec41..9d801fb180 100644 --- a/hw/virtio/virtio-iommu.c +++ b/hw/virtio/virtio-iommu.c @@ -782,6 +782,9 @@ static void virtio_iommu_handle_command(VirtIODevice *v= dev, VirtQueue *vq) iov =3D elem->out_sg; sz =3D iov_to_buf(iov, iov_cnt, 0, &head, sizeof(head)); if (unlikely(sz !=3D sizeof(head))) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: read %zu bytes from command head" + "but expected %zu\n", __func__, sz, sizeof(head)= ); tail.status =3D VIRTIO_IOMMU_S_DEVERR; goto out; } @@ -818,6 +821,25 @@ static void virtio_iommu_handle_command(VirtIODevice *= vdev, VirtQueue *vq) out: sz =3D iov_from_buf(elem->in_sg, elem->in_num, 0, buf ? buf : &tail, output_size); + if (unlikely(sz !=3D output_size)) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: wrote %zu bytes to command response" + "but response size is %zu\n", + __func__, sz, output_size); + tail.status =3D VIRTIO_IOMMU_S_DEVERR; + /* + * We checked that sizeof(tail) can fit to elem->in_sg at the + * beginning of the loop + */ + output_size =3D sizeof(tail); + g_free(buf); + buf =3D NULL; + sz =3D iov_from_buf(elem->in_sg, + elem->in_num, + 0, + &tail, + output_size); + } assert(sz =3D=3D output_size); =20 virtqueue_push(vq, elem, sz); base-commit: f3e8cc47de2bc537d4991e883a85208e4e1c0f98 --=20 =CE=B3=CE=B1=E1=BF=96=CE=B1 =CF=80=CF=85=CF=81=CE=AF =CE=BC=CE=B9=CF=87=CE= =B8=CE=AE=CF=84=CF=89