[PATCH v4 0/2] intel_iommu: fix guest-triggerable assert in MMIO handlers

Junjie Cao posted 2 patches 1 week, 3 days ago
Patches applied successfully
git fetch https://github.com/patchew-project/qemu tags/patchew/20260514180703.85686-1-junjie.cao@intel.com
Maintainers: "Michael S. Tsirkin" <mst@redhat.com>, Jason Wang <jasowang@redhat.com>, Yi Liu <yi.l.liu@intel.com>, "Clément Mathieu--Drif" <clement.mathieu--drif@bull.com>, Paolo Bonzini <pbonzini@redhat.com>, Richard Henderson <richard.henderson@linaro.org>, Fabiano Rosas <farosas@suse.de>, Laurent Vivier <lvivier@redhat.com>
hw/i386/intel_iommu.c          | 74 ++++++++++++++++++++++------------
tests/qtest/intel-iommu-test.c | 30 ++++++++++++++
2 files changed, 79 insertions(+), 25 deletions(-)
[PATCH v4 0/2] intel_iommu: fix guest-triggerable assert in MMIO handlers
Posted by Junjie Cao 1 week, 3 days ago
An 8-byte guest access to a 32-bit-only VT-d register hits
assert(size == 4) and aborts QEMU.  Found by generic-fuzz.

v1: https://lore.kernel.org/all/20260420170523.17908-1-junjie.cao@intel.com/
v2: https://lore.kernel.org/all/20260424201842.176953-1-junjie.cao@intel.com/
v3: https://lore.kernel.org/all/20260506031942.251335-1-junjie.cao@intel.com/

Changes in v4:
  - Switch the guest-error log from error_report_once() to
    qemu_log_mask(LOG_GUEST_ERROR, ...) so it is surfaced only
    under -d guest_errors (Zhenzhong).
  - Add a block comment at each of the 4 reachable sites
    (FECTL 0x38, IECTL 0xa0, IEADDR 0xa8, PECTL 0xe0)
    explaining why the check must stay, so future readers do
    not delete it as "harmless" (Yi).
  - No functional change beyond the logging-API swap.

Changes in v3:
  - Drop v2's min_access_size=8 approach: per Zhenzhong, it
    silently zero-extends 4-byte guest writes, wiping upper
    wmask bits of 64-bit registers and firing triggers gated
    on size==8.
  - Keep min_access_size=4.  Remove the 25 assert(size == 4)
    sites: 21 are unreachable (non-8-aligned), the 4 reachable
    (FECTL 0x38, IECTL 0xa0, IEADDR 0xa8, PECTL 0xe0) fall
    through to vtd_set_long() and log a guest error.

Junjie Cao (2):
  intel_iommu: fix guest-triggerable abort on oversized MMIO access
  tests/qtest: add 8-byte MMIO access sweep for intel-iommu

 hw/i386/intel_iommu.c          | 74 ++++++++++++++++++++++------------
 tests/qtest/intel-iommu-test.c | 30 ++++++++++++++
 2 files changed, 79 insertions(+), 25 deletions(-)


base-commit: 5e61afe211e82a9af15a8794a0bd29bb574e953b
-- 
2.43.0
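The size-handling trade-off the cover letter describes, as an added example that is not code from the series or from QEMU: a self-contained C model of a VT-d-style MMIO write handler and of the memory-core dispatch in front of it. It assumes a made-up, fully writable 64-bit register at offset 0x20 next to FECTL at 0x38; counters stand in for qemu_log_mask(LOG_GUEST_ERROR) and for a side effect gated on size==8; mmio_dispatch_write() is a simplified reading of how QEMU widens a guest access narrower than .impl.min_access_size (one handler call with the value zero-extended), and a little-endian host is assumed. dword_write_to_quad_reg() shows why v3 dropped min_access_size=8: a 4-byte guest write to the low dword arrives as an 8-byte write and wipes the upper half, while with min_access_size=4 only the low dword changes. oversized_fectl_write() is the fuzzer's case under the kept layout: the 8-byte write to a 32-bit register is logged once, takes the vtd_set_long() path, and does not spill into the next dword.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Register map for the demo: FECTL at 0x38 is the 32-bit-only register the
 * series names; the fully writable 64-bit register at 0x20 is an assumption. */
#define REG_Q64    0x20
#define REG_FECTL  0x38
#define REG_SPACE  0x100

typedef struct {
    uint8_t  csr[REG_SPACE];     /* register file, little-endian bytes */
    uint8_t  wmask[REG_SPACE];   /* writable-bit mask */
    unsigned guest_errors;       /* stand-in for qemu_log_mask(LOG_GUEST_ERROR) */
    unsigned quad_triggers;      /* side effect meant to fire only on size == 8 */
} VtdState;

/* Masked read-modify-write, as vtd_set_long()/vtd_set_quad() do; LE host assumed. */
static void vtd_set(VtdState *s, uint64_t addr, uint64_t val, unsigned size)
{
    uint64_t old = 0, mask = 0, nv;
    memcpy(&old, &s->csr[addr], size);
    memcpy(&mask, &s->wmask[addr], size);
    nv = (old & ~mask) | (val & mask);
    memcpy(&s->csr[addr], &nv, size);
}
#define vtd_set_long(s, a, v) vtd_set((s), (a), (uint32_t)(v), 4)
#define vtd_set_quad(s, a, v) vtd_set((s), (a), (v), 8)

static uint64_t vtd_get(const VtdState *s, uint64_t addr, unsigned size)
{ uint64_t v = 0; memcpy(&v, &s->csr[addr], size); return v; }

/* Handler in the shape the series leaves it: no assert(size == 4). An 8-byte
 * access to a 32-bit register is logged and takes the 32-bit path, not abort. */
static void vtd_mem_write(VtdState *s, uint64_t addr, uint64_t val, unsigned size)
{
    switch (addr) {
    case REG_Q64:
        if (size == 4) { vtd_set_long(s, addr, val); break; }
        vtd_set_quad(s, addr, val);
        s->quad_triggers++;                  /* wanted for real 64-bit writes only */
        break;
    case REG_FECTL:
        if (size != 4) s->guest_errors++;    /* log the oversized access... */
        vtd_set_long(s, addr, val);          /* ...then take the 32-bit path */
        break;
    default:
        s->guest_errors++;                   /* unknown offset: log, never abort */
    }
}

typedef struct { unsigned min_access_size, max_access_size; } ImplSizes;
typedef struct { uint64_t q64; unsigned triggers; } DwordResult;
static const ImplSizes V2_IMPL = { 8, 8 };   /* the approach v3 dropped */
static const ImplSizes V3_IMPL = { 4, 8 };   /* what the series keeps */

/* Simplified model of QEMU's memory core for a little-endian region with valid
 * sizes 4 and 8 and no unaligned access: a guest access narrower than
 * .impl.min_access_size is widened to it and its value passed zero-extended. */
static bool mmio_dispatch_write(VtdState *s, ImplSizes impl, uint64_t addr,
                                uint64_t val, unsigned size)
{
    unsigned access = size;
    if ((size != 4 && size != 8) || addr + size > REG_SPACE) return false;
    if (addr & (size - 1)) { s->guest_errors++; return false; }
    if (access < impl.min_access_size) access = impl.min_access_size;
    if (access > impl.max_access_size) access = impl.max_access_size;
    uint64_t mask = access == 8 ? ~(uint64_t)0 : (((uint64_t)1 << (access * 8)) - 1);
    for (unsigned i = 0; i < size; i += access)
        vtd_mem_write(s, addr + i, (val >> (i * 8)) & mask, access);
    return true;
}

/* A 4-byte guest write to the low dword of the 64-bit register. With V2_IMPL
 * the handler sees size 8 and a zero-extended value: the upper half is wiped
 * and the size==8 trigger fires. With V3_IMPL only the low dword changes. */
static DwordResult dword_write_to_quad_reg(ImplSizes impl)
{
    VtdState s = {0};
    memset(s.wmask, 0xff, REG_SPACE);
    vtd_set_quad(&s, REG_Q64, 0x1122334455667788ULL);
    mmio_dispatch_write(&s, impl, REG_Q64, 0xaabbccddULL, 4);
    return (DwordResult){ vtd_get(&s, REG_Q64, 8), s.quad_triggers };
}

/* The fuzzer's case under V3_IMPL: an 8-byte write to FECTL. Returns FECTL's
 * new value, or 0 if the access was rejected, did not log exactly one guest
 * error, or spilled into the following dword. */
static uint32_t oversized_fectl_write(void)
{
    VtdState s = {0};
    memset(s.wmask, 0xff, REG_SPACE);
    if (!mmio_dispatch_write(&s, V3_IMPL, REG_FECTL, 0xdeadbeefcafef00dULL, 8)
        || s.guest_errors != 1 || vtd_get(&s, REG_FECTL + 4, 4) != 0) return 0;
    return (uint32_t)vtd_get(&s, REG_FECTL, 4);
}
```

The point that carries over to any other device model: every access size the memory core is allowed to deliver to the handler is guest-controlled input, so a size check inside the handler must degrade to a guest-error log, never an assert; and raising .impl.min_access_size is not a fix for that, because it changes what correctly sized writes do to the registers next to the one being written.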
RE: [PATCH v4 0/2] intel_iommu: fix guest-triggerable assert in MMIO handlers
Posted by Duan, Zhenzhong 3 hours ago

>-----Original Message-----
>From: Cao, Junjie <junjie.cao@intel.com>
>Subject: [PATCH v4 0/2] intel_iommu: fix guest-triggerable assert in MMIO
>handlers
>
>An 8-byte guest access to a 32-bit-only VT-d register hits
>assert(size == 4) and aborts QEMU.  Found by generic-fuzz.
>
>v1: https://lore.kernel.org/all/20260420170523.17908-1-junjie.cao@intel.com/
>v2: https://lore.kernel.org/all/20260424201842.176953-1-junjie.cao@intel.com/
>v3: https://lore.kernel.org/all/20260506031942.251335-1-junjie.cao@intel.com/
>
>Changes in v4:
>  - Switch the guest-error log from error_report_once() to
>    qemu_log_mask(LOG_GUEST_ERROR, ...) so it is surfaced only
>    under -d guest_errors (Zhenzhong).
>  - Add a block comment at each of the 4 reachable sites
>    (FECTL 0x38, IECTL 0xa0, IEADDR 0xa8, PECTL 0xe0)
>    explaining why the check must stay, so future readers do
>    not delete it as "harmless" (Yi).
>  - No functional change beyond the logging-API swap.
>
>Changes in v3:
>  - Drop v2's min_access_size=8 approach: per Zhenzhong, it
>    silently zero-extends 4-byte guest writes, wiping upper
>    wmask bits of 64-bit registers and firing triggers gated
>    on size==8.
>  - Keep min_access_size=4.  Remove the 25 assert(size == 4)
>    sites: 21 are unreachable (non-8-aligned), the 4 reachable
>    (FECTL 0x38, IECTL 0xa0, IEADDR 0xa8, PECTL 0xe0) fall
>    through to vtd_set_long() and log a guest error.
>
>Junjie Cao (2):
>  intel_iommu: fix guest-triggerable abort on oversized MMIO access
>  tests/qtest: add 8-byte MMIO access sweep for intel-iommu
>
> hw/i386/intel_iommu.c          | 74 ++++++++++++++++++++++------------
> tests/qtest/intel-iommu-test.c | 30 ++++++++++++++
> 2 files changed, 79 insertions(+), 25 deletions(-)
>
>
>base-commit: 5e61afe211e82a9af15a8794a0bd29bb574e953b
>--
>2.43.0

For the whole series,

Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com>

Thanks
Zhenzhong
Re: [PATCH v4 0/2] intel_iommu: fix guest-triggerable assert in MMIO handlers
Posted by Yi Liu 1 week, 4 days ago
On 5/15/26 02:07, Junjie Cao wrote:
> An 8-byte guest access to a 32-bit-only VT-d register hits
> assert(size == 4) and aborts QEMU.  Found by generic-fuzz.
> 
> v1: https://lore.kernel.org/all/20260420170523.17908-1-junjie.cao@intel.com/
> v2: https://lore.kernel.org/all/20260424201842.176953-1-junjie.cao@intel.com/
> v3: https://lore.kernel.org/all/20260506031942.251335-1-junjie.cao@intel.com/
> 
> Changes in v4:
>    - Switch the guest-error log from error_report_once() to
>      qemu_log_mask(LOG_GUEST_ERROR, ...) so it is surfaced only
>      under -d guest_errors (Zhenzhong).
>    - Add a block comment at each of the 4 reachable sites
>      (FECTL 0x38, IECTL 0xa0, IEADDR 0xa8, PECTL 0xe0)
>      explaining why the check must stay, so future readers do
>      not delete it as "harmless" (Yi).
>    - No functional change beyond the logging-API swap.
> 
> Changes in v3:
>    - Drop v2's min_access_size=8 approach: per Zhenzhong, it
>      silently zero-extends 4-byte guest writes, wiping upper
>      wmask bits of 64-bit registers and firing triggers gated
>      on size==8.
>    - Keep min_access_size=4.  Remove the 25 assert(size == 4)
>      sites: 21 are unreachable (non-8-aligned), the 4 reachable
>      (FECTL 0x38, IECTL 0xa0, IEADDR 0xa8, PECTL 0xe0) fall
>      through to vtd_set_long() and log a guest error.
> 
> Junjie Cao (2):
>    intel_iommu: fix guest-triggerable abort on oversized MMIO access
>    tests/qtest: add 8-byte MMIO access sweep for intel-iommu
> 
>   hw/i386/intel_iommu.c          | 74 ++++++++++++++++++++++------------
>   tests/qtest/intel-iommu-test.c | 30 ++++++++++++++
>   2 files changed, 79 insertions(+), 25 deletions(-)
> 
> 
> base-commit: 5e61afe211e82a9af15a8794a0bd29bb574e953b

LGTM. Thanks.

Reviewed-by: Yi Liu <yi.l.liu@intel.com>