[PATCH v3 0/2] intel_iommu: fix guest-triggerable assert in MMIO handlers

Junjie Cao posted 2 patches 2 weeks, 6 days ago
There is a newer version of this series
An 8-byte guest access to a 32-bit-only VT-d register hits
assert(size == 4) and aborts QEMU.  Found by generic-fuzz.

v1: https://lore.kernel.org/all/20260420170523.17908-1-junjie.cao@intel.com/
v2: https://lore.kernel.org/all/20260424201842.176953-1-junjie.cao@intel.com/

Changes in v3:
  - Drop v2's min_access_size=8 approach: per Zhenzhong, it
    silently zero-extends 4-byte guest writes, wiping upper
    wmask bits of 64-bit registers and firing triggers gated
    on size==8.
  - Keep min_access_size=4.  Remove the 25 assert(size == 4)
    sites: 21 are unreachable (non-8-aligned), the 4 reachable
    (FECTL 0x38, IECTL 0xa0, IEADDR 0xa8, PECTL 0xe0) fall
    through to vtd_set_long() and log a guest error.

Junjie Cao (2):
  intel_iommu: fix guest-triggerable abort on oversized MMIO access
  tests/qtest: add 8-byte MMIO access sweep for intel-iommu

 hw/i386/intel_iommu.c          | 41 +++++++++++++---------------------
 tests/qtest/intel-iommu-test.c | 30 +++++++++++++++++++++++++
 2 files changed, 46 insertions(+), 25 deletions(-)


base-commit: da6c4fe60fee30dd77267764d55b38af9cb89d4b
-- 
2.43.0
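To make the three behaviours in the cover letter concrete (the old assert(size == 4) abort, the v3 fall-through to a logged guest error, and the zero-extension problem with v2's min_access_size=8), here is a constructed C model added for this page. It is not QEMU code and not part of the series: the register file, the write mask, the guest_errors counter (standing in for the guest-error log call), the set_long()/set_quad() helpers (playing the role of vtd_set_long()/vtd_set_quad()), and the v2 widening model (an aligned low-half write arriving as an 8-byte write with a zero upper half) are all simplifications built here. The four 32-bit register offsets are the ones the cover letter names; HYP64_REG at 0x40 is an assumed 64-bit register used only for the demo, and the all-bits-writable mask is likewise an assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REG_SPACE 0x100
static uint8_t regs[REG_SPACE];   /* register contents, little-endian */
static uint8_t wmask[REG_SPACE];  /* writable-bit mask, one byte per register byte */
static int guest_errors;          /* stands in for qemu_log_mask(LOG_GUEST_ERROR, ...) */
/* 32-bit registers at 8-byte-aligned offsets, as listed in the cover letter. */
#define FECTL_REG  0x38
#define IECTL_REG  0xa0
#define IEADDR_REG 0xa8
#define PECTL_REG  0xe0
#define HYP64_REG  0x40   /* assumed 64-bit register offset for the demo; not a VT-d offset */

static bool is_32bit_at_8_aligned(uint64_t a)
{
    return a == FECTL_REG || a == IECTL_REG || a == IEADDR_REG || a == PECTL_REG;
}
static uint32_t get_long(uint64_t a) { uint32_t v; memcpy(&v, regs + a, 4); return v; }
static uint64_t get_quad(uint64_t a) { uint64_t v; memcpy(&v, regs + a, 8); return v; }
/* Masked writes in the role of vtd_set_long()/vtd_set_quad(). */
static void set_long(uint64_t a, uint64_t val)
{
    uint32_t m; memcpy(&m, wmask + a, 4);
    uint32_t v = (get_long(a) & ~m) | ((uint32_t)val & m);
    memcpy(regs + a, &v, 4);
}
static void set_quad(uint64_t a, uint64_t val)
{
    uint64_t m; memcpy(&m, wmask + a, 8);
    uint64_t v = (get_quad(a) & ~m) | (val & m);
    memcpy(regs + a, &v, 8);
}

/* Pre-fix behaviour as a predicate: true where assert(size == 4) aborted QEMU. */
static bool legacy_write_would_abort(uint64_t a, unsigned size)
{
    return is_32bit_at_8_aligned(a) && size != 4;
}
/* v3: min_access_size stays 4; an 8-byte access to a 32-bit register is
 * logged as a guest error and then handled as the 32-bit write it really is. */
static void write_v3(uint64_t a, uint64_t val, unsigned size)
{
    if (is_32bit_at_8_aligned(a)) {
        if (size == 8)
            guest_errors++;   /* log, do not abort */
        set_long(a, val);     /* fall through to the 32-bit write */
    } else if (size == 4) {
        set_long(a, val);
    } else {
        set_quad(a, val);
    }
}

/* v2 idea (min_access_size = 8), modelled for an aligned low-half write: the bus layer
 * widens the 4-byte guest write to 8 bytes with a zero upper half, so set_quad()
 * clears every writable bit in the register's upper 32 bits. */
static void write_v2(uint64_t a, uint64_t val, unsigned size)
{
    if (size == 4)
        val = (uint32_t)val;   /* zero-extended; the old upper half is lost */
    set_quad(a, val);
}
/* 8-byte write at every 8-aligned offset, like the qtest sweep in patch 2. */
static int legacy_sweep_abort_count(void)
{
    int n = 0;
    for (uint64_t a = 0; a < REG_SPACE; a += 8)
        n += legacy_write_would_abort(a, 8);
    return n;
}
static int v3_sweep_guest_errors(void)
{
    memset(regs, 0, sizeof regs);
    memset(wmask, 0xff, sizeof wmask);   /* assumption: every bit writable */
    guest_errors = 0;
    for (uint64_t a = 0; a < REG_SPACE; a += 8)
        write_v3(a, ~0ULL, 8);
    return guest_errors;
}

/* 4-byte guest write of 0x11111111 to the low half of a 64-bit register holding
 * 0xAAAAAAAABBBBBBBB; returns the register afterwards. */
static uint64_t low_half_write(bool v2_style)
{
    uint64_t init = 0xAAAAAAAABBBBBBBBULL;
    memset(wmask + HYP64_REG, 0xff, 8);
    memcpy(regs + HYP64_REG, &init, 8);
    (v2_style ? write_v2 : write_v3)(HYP64_REG, 0x11111111, 4);
    return get_quad(HYP64_REG);
}

int main(void)
{
    printf("legacy: %d offsets abort the VM\n", legacy_sweep_abort_count());
    int errs = v3_sweep_guest_errors();
    printf("v3: %d guest errors, FECTL=0x%08x, next dword=0x%08x\n",
           errs, get_long(FECTL_REG), get_long(FECTL_REG + 4));
    printf("low-half write: v3 0x%016llx, v2 0x%016llx\n",
           (unsigned long long)low_half_write(false), (unsigned long long)low_half_write(true));
    return 0;
}
```

Build with something like `cc -std=c99 -Wall model.c`. The sweep reports 4 aborting offsets for the old code and 4 logged guest errors (and no abort) for the v3 path, with the 8-byte write to FECTL confined to its own dword; the low-half write shows the v2 path zeroing the upper 32 bits that v3 leaves untouched, which is the zero-extension problem the cover letter credits Zhenzhong with pointing out.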