Date: Thu, 27 Nov 2025 00:12:43 +0000
In-Reply-To: <20251127001247.1672873-1-navidem@google.com>
Message-ID: <20251127001247.1672873-2-navidem@google.com>
Subject: [PATCH v2 1/5] libqos: pci: Handle zero-sized BARs gracefully
From: Navid Emamdoost
To: qemu-devel@nongnu.org, peter.maydell@linaro.org
Cc: farosas@suse.de, lvivier@redhat.com, pbonzini@redhat.com, zsm@google.com, alxndr@bu.edu, Navid Emamdoost

The qpci_iomap() function would previously fail with a fatal assertion if it probed a PCI BAR that had a size of zero. This is, however, expected behavior for some devices like the Q35 host bridge, and the assertion blocked the creation of new fuzzing targets.

Instead of asserting at map time, modify the QPCIBar struct to store the BAR's size. Defer the safety check to the accessor functions (qpci_io_readb, qpci_memread, etc.), which now assert that any access is within the BAR's bounds.
Signed-off-by: Navid Emamdoost navidem@google.com --- tests/qtest/libqos/pci.c | 25 ++++++++++++++++++++++++- tests/qtest/libqos/pci.h | 1 + 2 files changed, 25 insertions(+), 1 deletion(-) diff --git a/tests/qtest/libqos/pci.c b/tests/qtest/libqos/pci.c index a59197b992..70caf382cc 100644 --- a/tests/qtest/libqos/pci.c +++ b/tests/qtest/libqos/pci.c @@ -396,6 +396,7 @@ void qpci_config_writel(QPCIDevice *dev, uint8_t offset= , uint32_t value) =20 uint8_t qpci_io_readb(QPCIDevice *dev, QPCIBar token, uint64_t off) { + g_assert(off + 1 <=3D token.size); QPCIBus *bus =3D dev->bus; =20 if (token.is_io) { @@ -410,6 +411,7 @@ uint8_t qpci_io_readb(QPCIDevice *dev, QPCIBar token, u= int64_t off) =20 uint16_t qpci_io_readw(QPCIDevice *dev, QPCIBar token, uint64_t off) { + g_assert(off + 2 <=3D token.size); QPCIBus *bus =3D dev->bus; =20 if (token.is_io) { @@ -424,6 +426,7 @@ uint16_t qpci_io_readw(QPCIDevice *dev, QPCIBar token, = uint64_t off) =20 uint32_t qpci_io_readl(QPCIDevice *dev, QPCIBar token, uint64_t off) { + g_assert(off + 4 <=3D token.size); QPCIBus *bus =3D dev->bus; =20 if (token.is_io) { @@ -438,6 +441,7 @@ uint32_t qpci_io_readl(QPCIDevice *dev, QPCIBar token, = uint64_t off) =20 uint64_t qpci_io_readq(QPCIDevice *dev, QPCIBar token, uint64_t off) { + g_assert(off + 8 <=3D token.size); QPCIBus *bus =3D dev->bus; =20 if (token.is_io) { @@ -453,6 +457,7 @@ uint64_t qpci_io_readq(QPCIDevice *dev, QPCIBar token, = uint64_t off) void qpci_io_writeb(QPCIDevice *dev, QPCIBar token, uint64_t off, uint8_t value) { + g_assert(off + 1 <=3D token.size); QPCIBus *bus =3D dev->bus; =20 if (token.is_io) { @@ -465,6 +470,7 @@ void qpci_io_writeb(QPCIDevice *dev, QPCIBar token, uin= t64_t off, void qpci_io_writew(QPCIDevice *dev, QPCIBar token, uint64_t off, uint16_t value) { + g_assert(off + 2 <=3D token.size); QPCIBus *bus =3D dev->bus; =20 if (token.is_io) { 
@@ -478,6 +484,7 @@ void qpci_io_writew(QPCIDevice *dev, QPCIBar token, uin= t64_t off, void qpci_io_writel(QPCIDevice *dev, QPCIBar token, uint64_t off, uint32_t value) { + g_assert(off + 4 <=3D token.size); QPCIBus *bus =3D dev->bus; =20 if (token.is_io) { @@ -491,6 +498,7 @@ void qpci_io_writel(QPCIDevice *dev, QPCIBar token, uin= t64_t off, void qpci_io_writeq(QPCIDevice *dev, QPCIBar token, uint64_t off, uint64_t value) { + g_assert(off + 8 <=3D token.size); QPCIBus *bus =3D dev->bus; =20 if (token.is_io) { @@ -500,10 +508,10 @@ void qpci_io_writeq(QPCIDevice *dev, QPCIBar token, u= int64_t off, bus->memwrite(bus, token.addr + off, &value, sizeof(value)); } } - void qpci_memread(QPCIDevice *dev, QPCIBar token, uint64_t off, void *buf, size_t len) { + g_assert(off + len <=3D token.size); g_assert(!token.is_io); dev->bus->memread(dev->bus, token.addr + off, buf, len); } @@ -511,6 +519,7 @@ void qpci_memread(QPCIDevice *dev, QPCIBar token, uint6= 4_t off, void qpci_memwrite(QPCIDevice *dev, QPCIBar token, uint64_t off, const void *buf, size_t len) { + g_assert(off + len <=3D token.size); g_assert(!token.is_io); dev->bus->memwrite(dev->bus, token.addr + off, buf, len); } @@ -541,6 +550,19 @@ QPCIBar qpci_iomap(QPCIDevice *dev, int barno, uint64_= t *sizeptr) addr &=3D PCI_BASE_ADDRESS_MEM_MASK; } =20 + if (!addr){ + /* + * This is an unimplemented BAR. It is not a fatal error. + * We model it as a BAR with a size of zero. Any attempt to + * access it will be caught by assertions in the accessors. + */ + if (sizeptr) { + *sizeptr =3D 0; + } + memset(&bar, 0, sizeof(bar)); + return bar; + } + g_assert(addr); /* Must have *some* size bits */ =20 size =3D 1U << ctz32(addr); @@ -572,6 +594,7 @@ QPCIBar qpci_iomap(QPCIDevice *dev, int barno, uint64_t= *sizeptr) } =20 bar.addr =3D loc; + bar.size =3D size; return bar; } =20 diff --git a/tests/qtest/libqos/pci.h b/tests/qtest/libqos/pci.h index 8389614523..e790e5293d 100644 --- a/tests/qtest/libqos/pci.h 
+++ b/tests/qtest/libqos/pci.h 
@@ -58,6 +58,7 @@ struct QPCIBus { =20 struct QPCIBar { uint64_t addr; + uint64_t size; bool is_io; }; =20 --=20 2.52.0.158.g65b55ccf14-goog
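Review bot: in each of the eight qpci_io_read*/qpci_io_write* hunks the new `g_assert(off + N <= token.size);` is inserted above the `QPCIBus *bus = dev->bus;` declaration, which puts a statement before the declarations at the top of the block; QEMU's coding style wants declarations first, so move the assertion below that line. The sum also wraps for an off near UINT64_MAX (off + 8 becomes a small value and the check passes), so the wrap-free form `g_assert(token.size >= N && off <= token.size - N);` is preferable.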
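Review bot: the qpci_memread hunk also deletes the blank line that separated it from qpci_io_writeq (the lone `-` line before `void qpci_memread(`), an unrelated whitespace change that should be dropped. Its `g_assert(off + len <= token.size);`, and the identical one in the qpci_memwrite hunk, can wrap when off is large; `g_assert(len <= token.size && off <= token.size - len);` cannot.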
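Review bot: in the qpci_iomap hunk `if (!addr){` lacks the space before the brace that QEMU style requires. With the early return for an unimplemented BAR in place, the `g_assert(addr); /* Must have *some* size bits */` that follows can never fire and should go together with its comment, otherwise the next reader will wonder which of the two checks is authoritative.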
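Review bot: the new `uint64_t size;` member in struct QPCIBar (pci.h hunk) carries no comment; pci.h is where callers look, so state there that size == 0 marks an unimplemented BAR and that every accessor asserts an access lies within size. Note also that qpci_legacy_iomap still builds tokens as `QPCIBar bar = { .addr = addr, .is_io = true };` after this patch alone (visible in 2/5), i.e. with size 0, so ide-test and tco-test assert on their first I/O access until 2/5 is applied; reorder or squash so every commit in the series passes make check.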
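Added example, not libqos code and not part of this series: a stand-alone model of the BAR-size probe and the per-access bounds check the commit message describes, placing the `off + len <= size` form used in the patch beside a wrap-safe variant so the difference is visible on a hostile offset. BarToken, bar_from_probe and bar_access_ok are hypothetical names; the readback values and base address are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for libqos's QPCIBar (names are not libqos's):
 * where the BAR was placed, how big it is, and whether it is I/O or memory.
 * size == 0 marks an unimplemented BAR, as the patch models it. */
typedef struct {
    uint64_t addr;
    uint64_t size;
    bool is_io;
} BarToken;

/* PCI BAR register layout: bit 0 selects I/O space; the low bits below the
 * size field are type/prefetch flags and must be masked off before probing. */
#define BAR_IO_FLAG   0x1u
#define BAR_IO_MASK   0xfffffffcu
#define BAR_MEM_MASK  0xfffffff0u

/* Decode the value read back after writing all-ones to a 32-bit BAR.
 * The lowest surviving set bit is the BAR size; no surviving bits means the
 * BAR is unimplemented, so return a zero-size token instead of failing. */
BarToken bar_from_probe(uint32_t readback, uint64_t assigned_base)
{
    BarToken t;
    uint32_t masked;

    memset(&t, 0, sizeof(t));
    t.is_io = (readback & BAR_IO_FLAG) != 0;
    masked = readback & (t.is_io ? BAR_IO_MASK : BAR_MEM_MASK);
    if (masked == 0) {
        return t;               /* unimplemented: addr = 0, size = 0 */
    }
    t.size = masked & -masked;  /* isolate lowest set bit, i.e. 1 << ctz32 */
    t.addr = assigned_base;
    return t;
}

/* The check as written in the patch: off + len <= size.  Both operands are
 * 64-bit, so a huge off wraps the sum to a small value and the check passes. */
bool bar_access_ok_naive(const BarToken *t, uint64_t off, uint64_t len)
{
    return off + len <= t->size;
}

/* Wrap-safe form: true iff [off, off + len) lies inside the BAR.  Rejects
 * zero-length accesses and any access to a zero-size (unimplemented) BAR. */
bool bar_access_ok(const BarToken *t, uint64_t off, uint64_t len)
{
    if (len == 0 || len > t->size) {
        return false;
    }
    return off <= t->size - len;
}

/* Probe, then check one access; the two variants show where they disagree. */
bool probe_and_check(uint32_t readback, uint64_t off, uint64_t len)
{
    BarToken t = bar_from_probe(readback, 0xfebd0000u);  /* constructed base */
    return bar_access_ok(&t, off, len);
}

bool probe_and_check_naive(uint32_t readback, uint64_t off, uint64_t len)
{
    BarToken t = bar_from_probe(readback, 0xfebd0000u);
    return bar_access_ok_naive(&t, off, len);
}

int main(void)
{
    /* Constructed readbacks: a 4 KiB memory BAR, a 32-byte I/O BAR, and an
     * unimplemented BAR that reads back as zero. */
    const uint32_t probes[] = { 0xfffff000u, 0xffffffe1u, 0x00000000u };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        BarToken t = bar_from_probe(probes[i], 0xfebd0000u);
        printf("readback 0x%08x -> %s BAR, size 0x%llx\n", probes[i],
               t.is_io ? "I/O" : "memory", (unsigned long long)t.size);
    }
    /* Last byte is in bounds, one byte past the end is not, and a wrapped
     * offset slips past the naive check but not the safe one. */
    printf("off 0xfff len 1: %d\n", probe_and_check(0xfffff000u, 0xfff, 1));
    printf("off 0xffd len 4: %d\n", probe_and_check(0xfffff000u, 0xffd, 4));
    printf("off UINT64_MAX len 1 naive=%d safe=%d\n",
           probe_and_check_naive(0xfffff000u, UINT64_MAX, 1),
           probe_and_check(0xfffff000u, UINT64_MAX, 1));
    return 0;
}
```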
Date: Thu, 27 Nov 2025 00:12:44 +0000
In-Reply-To: <20251127001247.1672873-1-navidem@google.com>
Message-ID: <20251127001247.1672873-3-navidem@google.com>
Subject: [PATCH v2 2/5] libqos: pci: Require size for legacy I/O port mapping
From: Navid Emamdoost
To: qemu-devel@nongnu.org, peter.maydell@linaro.org
Cc: farosas@suse.de, lvivier@redhat.com, pbonzini@redhat.com, zsm@google.com, alxndr@bu.edu, Navid Emamdoost, John Snow, "open list:IDE"

The accessor functions for QPCIBar (qpci_io_readb, etc.) perform strict bounds checking to ensure memory safety. However, the qpci_legacy_iomap function created QPCIBar tokens for legacy I/O ports without an associated size, making this safety check impossible.

To fix this, modify the signature of qpci_legacy_iomap to require the caller to explicitly provide the size of the legacy I/O region.
Update all existing callers of this function, including the IDE (ide-test.c) and TCO watchdog (tco-test.c) test suites, to provide the correct, known sizes for the hardware they are testing. This not only fixes the test failures but also makes the tests more robust and explicit about the I/O regions they interact with. Signed-off-by: Navid Emamdoost --- tests/qtest/ide-test.c | 2 +- tests/qtest/libqos/pci.c | 4 ++-- tests/qtest/libqos/pci.h | 2 +- tests/qtest/tco-test.c | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/tests/qtest/ide-test.c b/tests/qtest/ide-test.c index ceee444a9e..524458e9f6 100644 --- a/tests/qtest/ide-test.c +++ b/tests/qtest/ide-test.c @@ -173,7 +173,7 @@ static QPCIDevice *get_pci_device(QTestState *qts, QPCI= Bar *bmdma_bar, /* Map bmdma BAR */ *bmdma_bar =3D qpci_iomap(dev, 4, NULL); =20 - *ide_bar =3D qpci_legacy_iomap(dev, IDE_BASE); + *ide_bar =3D qpci_legacy_iomap(dev, IDE_BASE, 8); =20 qpci_device_enable(dev); =20 diff --git a/tests/qtest/libqos/pci.c b/tests/qtest/libqos/pci.c index 70caf382cc..f07fc9140e 100644 --- a/tests/qtest/libqos/pci.c +++ b/tests/qtest/libqos/pci.c @@ -603,9 +603,9 @@ void qpci_iounmap(QPCIDevice *dev, QPCIBar bar) /* FIXME */ } =20 -QPCIBar qpci_legacy_iomap(QPCIDevice *dev, uint16_t addr) +QPCIBar qpci_legacy_iomap(QPCIDevice *dev, uint16_t addr, uint64_t size) { - QPCIBar bar =3D { .addr =3D addr, .is_io =3D true }; + QPCIBar bar =3D { .addr =3D addr, .size =3D size, .is_io =3D true }; return bar; } =20 diff --git a/tests/qtest/libqos/pci.h b/tests/qtest/libqos/pci.h index e790e5293d..6e8e0fbff6 100644 --- a/tests/qtest/libqos/pci.h +++ b/tests/qtest/libqos/pci.h 
@@ -123,7 +123,7 @@ void qpci_memwrite(QPCIDevice *bus, QPCIBar token, uint= 64_t off, const void *buf, size_t len); QPCIBar qpci_iomap(QPCIDevice *dev, int barno, uint64_t *sizeptr); void qpci_iounmap(QPCIDevice *dev, QPCIBar addr); -QPCIBar qpci_legacy_iomap(QPCIDevice *dev, uint16_t addr); +QPCIBar qpci_legacy_iomap(QPCIDevice *dev, uint16_t addr, uint64_t size); =20 void qpci_unplug_acpi_device_test(QTestState *qs, const char *id, uint8_t = slot); =20 diff --git a/tests/qtest/tco-test.c b/tests/qtest/tco-test.c index 20ccefabcb..3af7c14e73 100644 --- a/tests/qtest/tco-test.c +++ b/tests/qtest/tco-test.c 
@@ -77,7 +77,7 @@ static void test_init(TestData *d) /* set Root Complex BAR */ qpci_config_writel(d->dev, ICH9_LPC_RCBA, RCBA_BASE_ADDR | 0x1); =20 - d->tco_io_bar =3D qpci_legacy_iomap(d->dev, PM_IO_BASE_ADDR + 0x60); + d->tco_io_bar =3D qpci_legacy_iomap(d->dev, PM_IO_BASE_ADDR + 0x60, 32= ); d->qts =3D qs; } =20 --=20 2.52.0.158.g65b55ccf14-goog
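Review bot: the `8` passed to qpci_legacy_iomap in get_pci_device (ide-test.c hunk) is a bare magic number; give it a name or a comment that says it is the length of the legacy IDE command-block port range starting at IDE_BASE, so the next reader does not have to derive it from the datasheet.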
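Review bot: qpci_legacy_iomap (pci.c hunk) now takes a size but does not validate it; a size of 0 makes every later access trip the accessor assertion with a message that blames the accessor rather than the caller, and addr is a uint16_t port, so addr + size should stay within the 64 KiB I/O space. Add `g_assert(size > 0 && addr + size <= 0x10000);` before the token is built.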
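Review bot: `32` in test_init (tco-test.c hunk) is likewise an unexplained literal; introduce a named constant beside PM_IO_BASE_ADDR, or a comment stating which TCO registers the 32-byte window at PM_IO_BASE_ADDR + 0x60 is meant to cover, so the size can be checked against the hardware the test claims to model.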
Date: Thu, 27 Nov 2025 00:12:45 +0000
In-Reply-To: <20251127001247.1672873-1-navidem@google.com>
Message-ID: <20251127001247.1672873-4-navidem@google.com>
Subject: [PATCH v2 3/5] tests/qtest: ahci-test: Check only implemented ports in verify_state
From: Navid Emamdoost
To: qemu-devel@nongnu.org, peter.maydell@linaro.org
Cc: farosas@suse.de, lvivier@redhat.com, pbonzini@redhat.com, zsm@google.com, alxndr@bu.edu, Navid Emamdoost, John Snow, "open list:IDE"

The verify_state helper function in ahci-test.c incorrectly assumed that all 32 potential AHCI ports were implemented. During post-migration checks, it would loop through all 32 ports, attempting to read registers for non-existent ones. This resulted in an out-of-bounds access on the main HBA BAR.

This latent bug was exposed by the recent introduction of strict bounds checking in the libqos PCI accessors, which now correctly triggers a fatal assertion.
Fix this by modifying the loop in verify_state to first read the AHCI_PI (Ports Implemented) register and then only check the state for ports that the device reports as present. Signed-off-by: Navid Emamdoost Reviewed-by: Peter Maydell --- tests/qtest/ahci-test.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tests/qtest/ahci-test.c b/tests/qtest/ahci-test.c index e8aabfc13f..06c5bd08d8 100644 --- a/tests/qtest/ahci-test.c +++ b/tests/qtest/ahci-test.c @@ -81,6 +81,7 @@ static void string_bswap16(uint16_t *s, size_t bytes) static void verify_state(AHCIQState *ahci, uint64_t hba_old) { int i, j; + uint32_t ports_impl; uint32_t ahci_fingerprint; uint64_t hba_base; AHCICommandHeader cmd; 
@@ -99,7 +100,14 @@ static void verify_state(AHCIQState *ahci, uint64_t hba= _old) g_assert_cmphex(ahci_rreg(ahci, AHCI_CAP), =3D=3D, ahci->cap); g_assert_cmphex(ahci_rreg(ahci, AHCI_CAP2), =3D=3D, ahci->cap2); =20 + ports_impl =3D ahci_rreg(ahci, AHCI_PI); + for (i =3D 0; i < 32; i++) { + + if (!(ports_impl & (1 << i))) { + continue; /* Skip unimplemented ports */ + } + g_assert_cmphex(ahci_px_rreg(ahci, i, AHCI_PX_FB), =3D=3D, ahci->port[i].fb); g_assert_cmphex(ahci_px_rreg(ahci, i, AHCI_PX_CLB), =3D=3D, --=20 2.52.0.158.g65b55ccf14-goog
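Review bot: `1 << i` in the new port loop runs i up to 31, and shifting a signed int into its sign bit is undefined behaviour; use `1U << i`. The empty line added directly after `for (i = 0; i < 32; i++) {` should also go. Since this function already compares CAP and CAP2 against values saved before migration, consider checking AHCI_PI the same way rather than only reading the post-migration value and trusting it to drive the loop.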
Date: Thu, 27 Nov 2025 00:12:46 +0000
In-Reply-To: <20251127001247.1672873-1-navidem@google.com>
Message-ID: <20251127001247.1672873-5-navidem@google.com>
Subject: [PATCH v2 4/5] tests/qtest: Rework nvmetest_oob_cmb_test for BAR check
From: Navid Emamdoost
To: qemu-devel@nongnu.org, peter.maydell@linaro.org
Cc: farosas@suse.de, lvivier@redhat.com, pbonzini@redhat.com, zsm@google.com, alxndr@bu.edu, Navid Emamdoost, Keith Busch, Klaus Jensen, Jesper Devantier, "open list:nvme"

The nvmetest_oob_cmb_test was designed to deliberately perform an out-of-bounds write on a PCI BAR. This was intended as a regression test for CVE-2018-16847.

The recent change to libqos introduced strict bounds checking on all BAR accessors, which correctly caused this test to fail with a fatal assertion, as it was performing an illegal memory access.

This change reworks the test to honor its original intent—verifying safe accesses at the BAR boundary—without violating the new API contract.
Instead of attempting an illegal write, the test now performs several
valid read/write operations at the very end of the BAR (at offsets
size - 1, size - 2, and size - 4) to confirm the entire region is
accessible. This makes the test compatible with the safer libqos API
while still serving as a regression test for the original issue.

Signed-off-by: Navid Emamdoost
---
 tests/qtest/nvme-test.c | 32 +++++++++++++++++++++++---------
 1 file changed, 23 insertions(+), 9 deletions(-)

diff --git a/tests/qtest/nvme-test.c b/tests/qtest/nvme-test.c
index 5ad6821f7a..8be37ae043 100644
--- a/tests/qtest/nvme-test.c
+++ b/tests/qtest/nvme-test.c
@@ -48,23 +48,37 @@ static void *nvme_create(void *pci_bus, QGuestAllocator= *alloc, void *addr) /* This used to cause a NULL pointer dereference. */ static void nvmetest_oob_cmb_test(void *obj, void *data, QGuestAllocator *= alloc) { - const int cmb_bar_size =3D 2 * MiB; QNvme *nvme =3D obj; QPCIDevice *pdev =3D &nvme->dev; QPCIBar bar; + const uint64_t expected_cmb_size =3D 2 * MiB; =20 + /* Enable the device's I/O and memory resources at the PCI level. */ qpci_device_enable(pdev); + + /* Map BAR 2, which is the dedicated BAR for the Controller Memory Buf= fer. */ bar =3D qpci_iomap(pdev, 2, NULL); =20 - qpci_io_writel(pdev, bar, 0, 0xccbbaa99); - g_assert_cmpint(qpci_io_readb(pdev, bar, 0), =3D=3D, 0x99); - g_assert_cmpint(qpci_io_readw(pdev, bar, 0), =3D=3D, 0xaa99); + /* Sanity check that the probed BAR size matches the command line. */ + g_assert_cmpint(bar.size, =3D=3D, expected_cmb_size); + + /* + * Perform read/write checks at the very end of the BAR to ensure + * that the entire region is accessible and that boundary accesses of + * different sizes are handled correctly. + */ + + /* Test the last valid byte (the fix for the CVE was about 1-byte acce= ss) */ + qpci_io_writeb(pdev, bar, bar.size - 1, 0x11); + g_assert_cmpint(qpci_io_readb(pdev, bar, bar.size - 1), =3D=3D, 0x11); + + /* Test the last valid word */ + qpci_io_writew(pdev, bar, bar.size - 2, 0x2233); + g_assert_cmpint(qpci_io_readw(pdev, bar, bar.size - 2), =3D=3D, 0x2233= ); =20 - /* Test partially out-of-bounds accesses. 
*/ - qpci_io_writel(pdev, bar, cmb_bar_size - 1, 0x44332211); - g_assert_cmpint(qpci_io_readb(pdev, bar, cmb_bar_size - 1), =3D=3D, 0x= 11); - g_assert_cmpint(qpci_io_readw(pdev, bar, cmb_bar_size - 1), !=3D, 0x22= 11); - g_assert_cmpint(qpci_io_readl(pdev, bar, cmb_bar_size - 1), !=3D, 0x44= 332211); + /* Test the last valid dword */ + qpci_io_writel(pdev, bar, bar.size - 4, 0x44556677); + g_assert_cmpint(qpci_io_readl(pdev, bar, bar.size - 4), =3D=3D, 0x4455= 6677); } =20 static void nvmetest_reg_read_test(void *obj, void *data, QGuestAllocator = *alloc) --=20 2.52.0.158.g65b55ccf14-goog
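Review bot: with the `/* Test partially out-of-bounds accesses. */` block deleted, the device-side handling of a multi-byte access that crosses the end of the CMB is no longer exercised by this test at all; every remaining access (size - 1 with writeb, size - 2 with writew, size - 4 with writel) fits inside the BAR, so the commit message's claim that the test "still serves as a regression test for the original issue" should be narrowed, and the retained function-level comment `/* This used to cause a NULL pointer dereference. */` should be updated to say what the test now covers and that the straddling case is now refused on the libqos side before it reaches the device. As a smaller point, `expected_cmb_size` is declared `const uint64_t`, so `g_assert_cmpuint(bar.size, ==, expected_cmb_size)` matches the operand type better than `g_assert_cmpint`.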
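To make the boundary rule behind the rework concrete, here is an added example that is not QEMU or libqos code (`bar_access_ok`, `bar_access_ok_naive` and `EXAMPLE_MIB` are hypothetical names): a width-aware in-bounds check that accepts the last byte, word and dword the reworked test exercises, rejects the 4-byte access at size - 1 that the old test issued, and is written so that a very large offset cannot wrap the arithmetic back into range.

```c
/* Added example, not QEMU or libqos code; all names are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define EXAMPLE_MIB (1024ULL * 1024ULL)

/* Start-address-only check: a 4-byte access at size - 1 passes, even
 * though its last 3 bytes lie past the end of the BAR. */
static bool bar_access_ok_naive(uint64_t bar_size, uint64_t off, unsigned width)
{
    (void)width;
    return off < bar_size;
}

/* Width-aware check. 'off + width' is never formed, so an offset near
 * UINT64_MAX cannot wrap around into the accepted range. */
static bool bar_access_ok(uint64_t bar_size, uint64_t off, unsigned width)
{
    if (width != 1 && width != 2 && width != 4 && width != 8) {
        return false;               /* only natural access widths */
    }
    if (off >= bar_size) {
        return false;               /* first byte already outside */
    }
    return width <= bar_size - off; /* the whole access must fit */
}

/* The three accesses the reworked test performs, all sized to fit. */
static bool boundary_accesses_fit(uint64_t bar_size)
{
    return bar_access_ok(bar_size, bar_size - 1, 1) &&
           bar_access_ok(bar_size, bar_size - 2, 2) &&
           bar_access_ok(bar_size, bar_size - 4, 4);
}

int main(void)
{
    const uint64_t cmb = 2 * EXAMPLE_MIB;   /* same 2 MiB CMB as the test */

    printf("last byte/word/dword fit: %d\n", boundary_accesses_fit(cmb));
    printf("dword at size-1, start-only check: %d\n",
           bar_access_ok_naive(cmb, cmb - 1, 4));   /* 1: straddle slips through */
    printf("dword at size-1, width-aware check: %d\n",
           bar_access_ok(cmb, cmb - 1, 4));         /* 0: rejected */
    return 0;
}
```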
Date: Thu, 27 Nov 2025 00:12:47 +0000
In-Reply-To: <20251127001247.1672873-1-navidem@google.com>
References: <20251127001247.1672873-1-navidem@google.com>
Message-ID: <20251127001247.1672873-6-navidem@google.com>
Subject: [PATCH v2 5/5] tests/qtest/fuzz: Add generic fuzzer for pcie-pci-bridge
From: Navid Emamdoost
To: qemu-devel@nongnu.org, peter.maydell@linaro.org
Cc: farosas@suse.de, lvivier@redhat.com, pbonzini@redhat.com, zsm@google.com, alxndr@bu.edu, Navid Emamdoost, Bandan Das, Stefan Hajnoczi, Darren Kenny, Qiuhao Li

Add a new generic fuzz target for the 'pcie-pci-bridge' device. This
target uses a Q35 machine with a multi-level PCI hierarchy to exercise
the bridge's functionality. This is made possible by the preceding
change to handle unimplemented BARs during fuzzing.

---

This new target significantly improves code coverage for the
pcie-pci-bridge implementation. The baseline coverage shown below was
generated by running all existing fuzz targets with the oss-fuzz corpus.
=== Component: hw/pci ===
-------------------------------------------------------------------------------
File                    New Target            Baseline              Change
-------------------------------------------------------------------------------
shpc.c                  359/511 (70.3%)       0/511 (0.0%)          +359
pci_bridge.c            255/304 (83.9%)       12/304 (3.9%)         +243
pcie.c                  390/774 (50.4%)       160/774 (20.7%)       +230
pcie_aer.c              119/524 (22.7%)       38/524 (7.3%)         +81
pci.c                   1154/2069 (55.8%)     1084/2069 (52.4%)     +70
pcie_port.c             58/119 (48.7%)        17/119 (14.3%)        +41
pci.h                   86/132 (65.2%)        81/132 (61.4%)        +5

=== Component: hw/pci-bridge ===
-------------------------------------------------------------------------------
File                    New Target            Baseline              Change
-------------------------------------------------------------------------------
pcie_root_port.c        86/127 (67.7%)        13/127 (10.2%)        +73
pcie_pci_bridge.c       62/94 (66.0%)         20/94 (21.3%)         +42
gen_pcie_root_port.c    45/66 (68.2%)         19/66 (28.8%)         +26

Signed-off-by: Navid Emamdoost
---
 tests/qtest/fuzz/generic_fuzz_configs.h | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/tests/qtest/fuzz/generic_fuzz_configs.h b/tests/qtest/fuzz/generic_fuzz_configs.h
index ef0ad95712..e025f57a3e 100644
--- a/tests/qtest/fuzz/generic_fuzz_configs.h
+++ b/tests/qtest/fuzz/generic_fuzz_configs.h
@@ -247,6 +247,14 @@ const generic_fuzz_config predefined_configs[] =3D { .args =3D "-machine q35 -nodefaults " "-parallel file:/dev/null", .objects =3D "parallel*", + },{ + .name =3D "pcie-pci-bridge", + .args =3D "-machine q35 -nodefaults " + "-device pcie-root-port,port=3D0x10,chassis=3D1,id=3Dpci.1,bus=3Dp= cie.0,multifunction=3Dtrue,addr=3D0x2 " + "-device pcie-pci-bridge,id=3Dpci.2,bus=3Dpci.1,addr=3D0x0 " + "-netdev user,id=3Dnet0 " + "-device e1000,netdev=3Dnet0,id=3Dnic0,bus=3Dpci.2,addr=3D0x3", + .objects =3D "pci* shpc*" } }; =20 --=20 2.52.0.158.g65b55ccf14-goog
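Review bot: the new entry's last member `.objects = "pci* shpc*"` has no trailing comma, while the existing entry right above it in the same hunk ends with `.objects = "parallel*",`; adding the comma keeps the table uniform and means the next config appended after this one will not have to modify this line. Separately, in the message itself the Signed-off-by line sits below the first `---` separator together with the coverage table, so `git am` will cut the commit message at that separator and drop both; move Signed-off-by above the first `---` (and the coverage table with it if it is meant to be recorded in the commit log).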