From: Thomas Huth
To: Paolo Bonzini, Peter Xu, qemu-devel@nongnu.org
Cc: Philippe Mathieu-Daudé
Subject: [PATCH] system/memory: Don't call MR handlers for bytes beyond the MR's size
Date: Mon, 20 Apr 2026 09:51:59 +0200
Message-ID: <20260420075159.106615-1-thuth@redhat.com>
From: Thomas Huth

If a guest triggers a multi-byte read/write at the very end of a memory region, the code in access_with_adjusted_size() still tries to access all bytes of the transfer, even if the final bytes are already beyond the memory region's size. If the device handler cannot cope with those accesses, bad things can happen, for example:

$ echo "writew 0x800064 0x4142" | \
./qemu-system-avr -M mega2560 -display none -qtest stdio -accel qtest
[I 0.000001] OPENED
[R +0.001750] writew 0x800064 0x4142
qemu-system-avr: ../../devel/qemu/hw/misc/avr_power.c:58: avr_mask_write: Assertion `offset == 0' failed.
Aborted (core dumped)

We really should not call MR handlers for bytes that are beyond the MR's size, so let's add a check to limit the size in such cases.

Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3393
Signed-off-by: Thomas Huth
---
system/memory.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/system/memory.c b/system/memory.c index 56f3225b21a..2ff74c42e3f 100644 --- a/system/memory.c +++ b/system/memory.c @@ -531,6 +531,7 @@ static MemTxResult access_with_adjusted_size(hwaddr add= r, uint64_t access_mask; unsigned access_size; unsigned i; + unsigned int checked_size; MemTxResult r =3D MEMTX_OK; bool reentrancy_guard_applied =3D false; =20 
@@ -557,13 +558,21 @@ static MemTxResult access_with_adjusted_size(hwaddr a= ddr, /* FIXME: support unaligned access? */ access_size =3D MAX(MIN(size, access_size_max), access_size_min); access_mask =3D MAKE_64BIT_MASK(0, access_size * 8); + + if (addr + size > mr->size) { + assert(addr < mr->size); + checked_size =3D mr->size - addr; + } else { + checked_size =3D size; + } + if (devend_big_endian(mr->ops->endianness)) { - for (i =3D 0; i < size; i +=3D access_size) { + for (i =3D 0; i < checked_size; i +=3D access_size) { r |=3D access_fn(mr, addr + i, value, access_size, (size - access_size - i) * 8, access_mask, attrs); } } else { - for (i =3D 0; i < size; i +=3D access_size) { + for (i =3D 0; i < checked_size; i +=3D access_size) { r |=3D access_fn(mr, addr + i, value, access_size, i * 8, access_mask, attrs); } --=20 2.53.0
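Review bot: In the first hunk (the declaration block at the top of access_with_adjusted_size()), the new `unsigned int checked_size;` sits directly under `unsigned access_size;` and `unsigned i;`, which use the bare `unsigned` spelling; please use the same form so the block stays consistent.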
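Review bot: In the second hunk, clamping the loop bound to `checked_size` does not stop the last handler call from running past the region end when `mr->size - addr` is not a multiple of `access_size`: the loop still issues a full `access_size` access at `addr + i`, so with one byte left in the region and an `access_size_min` of 2 the handler is still asked for a byte beyond `mr->size`. Either state in a comment that this is accepted (it is the same limitation as the `FIXME: support unaligned access?` just above) or shrink the final access as well. Two smaller points: `mr->size` is an `Int128` in `MemoryRegion`, so please confirm that the direct `addr + size > mr->size` comparison and the `mr->size - addr` subtraction build on configurations without native 128-bit support, or go through `memory_region_size(mr)`/`int128_get64()` as the rest of this file does; and a one-line comment on why `assert(addr < mr->size)` must hold here (the address has already been translated into this region by the caller) would help the next reader. Keeping `size` rather than `checked_size` in the big-endian shift `(size - access_size - i) * 8` looks right, since the bytes being dropped are the low-order ones of the guest's value.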
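To make the failure described in the commit message concrete, here is a stand-alone model of the splitting loop in access_with_adjusted_size(), written for this page rather than taken from QEMU. `ToyRegion`, `toy_write_accessor()`, `toy_access_with_adjusted_size()`, `bad_calls_for()` and `byte_after_write()` are hypothetical names; the region sizes and access widths are constructed inputs. The `clamp` flag switches between the pre-patch loop (runs to `size`) and the patched loop (stops at the region boundary). The model also goes one step beyond the commit message: it shows that when the bytes left in the region are fewer than the minimum access width, the patched loop still makes one handler call that reaches past the region.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))
#define MAX(a, b) ((a) > (b) ? (a) : (b))

/*
 * Constructed stand-in for a QEMU MemoryRegion plus the relevant parts of
 * its MemoryRegionOps (hypothetical struct, not QEMU's). 'backing' is fake
 * register storage; 'bad_calls' counts handler invocations that touch bytes
 * at or past 'size', i.e. the calls where a real device handler like the one
 * in the commit message would hit its assert().
 */
typedef struct {
    uint64_t size;
    unsigned access_size_min;   /* stands in for ops->impl.min_access_size */
    unsigned access_size_max;   /* stands in for ops->impl.max_access_size */
    bool big_endian;
    uint8_t backing[16];
    unsigned bad_calls;
} ToyRegion;

/* Models the write accessor: extract the chunk for this sub-access and hand it on. */
static void toy_write_accessor(ToyRegion *mr, uint64_t offset, uint64_t *value,
                               unsigned access_size, unsigned shift, uint64_t mask)
{
    uint64_t chunk = (*value >> shift) & mask;

    if (offset + access_size > mr->size) {
        mr->bad_calls++;        /* the device handler would be called out of range */
        return;
    }
    for (unsigned b = 0; b < access_size; b++) {
        /* store the chunk little-endian; byte order inside a chunk is not the point here */
        mr->backing[offset + b] = (uint8_t)(chunk >> (8 * b));
    }
}

/*
 * Models the splitting loop of access_with_adjusted_size(). clamp=false runs
 * the loop to 'size' (pre-patch); clamp=true stops at the region boundary
 * the way the patch does.
 */
static void toy_access_with_adjusted_size(ToyRegion *mr, uint64_t addr,
                                          uint64_t *value, unsigned size, bool clamp)
{
    unsigned access_size = MAX(MIN(size, mr->access_size_max), mr->access_size_min);
    uint64_t access_mask = access_size >= 8 ? UINT64_MAX
                                            : (1ULL << (access_size * 8)) - 1;
    unsigned checked_size = size;

    if (clamp && addr + size > mr->size) {
        assert(addr < mr->size);
        checked_size = (unsigned)(mr->size - addr);
    }
    if (mr->big_endian) {
        for (unsigned i = 0; i < checked_size; i += access_size) {
            toy_write_accessor(mr, addr + i, value, access_size,
                               (size - access_size - i) * 8, access_mask);
        }
    } else {
        for (unsigned i = 0; i < checked_size; i += access_size) {
            toy_write_accessor(mr, addr + i, value, access_size, i * 8, access_mask);
        }
    }
}

/* Run one little-endian write and report how many handler calls ran past the region end. */
unsigned bad_calls_for(uint64_t mr_size, unsigned min_acc, unsigned max_acc,
                       uint64_t addr, unsigned size, bool clamp)
{
    ToyRegion mr = { .size = mr_size, .access_size_min = min_acc,
                     .access_size_max = max_acc };
    uint64_t value = 0x4142;    /* same value as the writew in the commit message */

    toy_access_with_adjusted_size(&mr, addr, &value, size, clamp);
    return mr.bad_calls;
}

/* Byte stored at 'probe' after a clamped, byte-wise little-endian write of 'value' at 'addr'. */
uint8_t byte_after_write(uint64_t mr_size, uint64_t addr, unsigned size,
                         uint64_t value, unsigned probe)
{
    ToyRegion mr = { .size = mr_size, .access_size_min = 1, .access_size_max = 1 };

    toy_access_with_adjusted_size(&mr, addr, &value, size, true);
    return mr.backing[probe];
}

int main(void)
{
    /* The commit message's case: a 2-byte write into a 1-byte region. */
    printf("unpatched: %u out-of-range call(s)\n", bad_calls_for(1, 1, 1, 0, 2, false));
    printf("patched:   %u out-of-range call(s)\n", bad_calls_for(1, 1, 1, 0, 2, true));
    /* Residual case: one byte left in the region, but min_access_size is 2. */
    printf("patched, 1 byte left, min_access_size=2: %u out-of-range call(s)\n",
           bad_calls_for(3, 2, 2, 2, 2, true));
    return 0;
}
```

The first two calls reproduce the commit message's scenario: without the clamp the second byte of the `writew` is handed to the handler at offset 1 of a 1-byte region; with the clamp it is dropped. The third call is the case the reviewer note above raises: with one byte left and a 2-byte minimum access, the clamped loop still makes one call that covers a byte beyond the region.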