On 14/11/2018 02:38, Li Qiang wrote:
> Paolo Bonzini <pbonz...@redhat.com> wrote on Wed, 14 Nov 2018 at 02:27:
>
> > On 13/11/2018 11:17, Kevin Wolf wrote:
> > > On 13.11.2018 at 02:45, Li Qiang wrote:
> > > > Ping.... what's the status of this patch?
> > > >
> > > > I see Kevin's new pr doesn't contain this patch.
> > >
> > > Oh, I thought you said that you wanted to fix this at a higher level so
> > > that the problem is caught before even getting into nvme code? If you
> > > don't, I can apply the patch for my next pull request.
> >
> > As far as I know the bug doesn't exist. Li Qiang, if you have a
> > reproducer please send it.
>
> Hello Paolo,
> Though I've sent the debug information and ASAN output in the mail to
> secal...@redhat.com, I'm glad to provide it here.
> This is for read; I think the write is the same, but as the PoC is in
> userspace, the mmap can only map the exact size of the MMIO,
> so we can only write within the area. But if we use a module we can
> write out of the MMIO, I think.
> The nvme device's parameter should be set as 'cmb_size_mb=2' and the PCI
> address may differ in your system.
Ok, thanks. I've created a reproducer using qtest (though I have to run now
and cannot post it properly). The patch for the fix is simply:

diff --git a/hw/block/nvme.c b/hw/block/nvme.c
index fc7dacb816..6385033af3 100644
--- a/hw/block/nvme.c
+++ b/hw/block/nvme.c
@@ -1192,7 +1192,7 @@ static const MemoryRegionOps nvme_cmb_ops = {
     .write = nvme_cmb_write,
     .endianness = DEVICE_LITTLE_ENDIAN,
     .impl = {
-        .min_access_size = 2,
+        .min_access_size = 1,
         .max_access_size = 8,
     },
 };

The memory subsystem _is_ recognizing the out-of-bounds 32-bit access, but
because min_access_size=2 it sends down a write at offset 2097151 and size 2.

Paolo
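Review bot: the one-line change in nvme_cmb_ops (min_access_size 2 -> 1) fixes the overrun only because the memory core clips the out-of-bounds access to the last byte of a 2 MiB CMB (offset 2097151 with cmb_size_mb=2) and then widens it back up to min_access_size; that reasoning appears only in the reply below and should be in the commit message, otherwise a later reader may "restore" 2 as a harmless tuning. Since nvme_cmb_write itself is not in the hunk and the fix relies entirely on the dispatcher's rounding, please also state in the commit message whether the read/write callbacks bound the offset and size against the CMB size themselves.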
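As an added illustration, not part of this thread and not QEMU's memory core, the following constructed C model shows the clip-then-widen path Paolo describes: the address space trims a 4-byte access at the last CMB byte down to 1 byte, and the dispatcher then rounds it back up to impl.min_access_size. It runs the "-" and "+" settings from the patch side by side and adds a bounds-checked device handler that refuses the widened access. The struct and function names, the region size constant and the handler are assumptions; only cmb_size_mb=2 and the two min_access_size values come from the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not QEMU code: region size from cmb_size_mb=2. */
#define CMB_SIZE_BYTES (2u * 1024u * 1024u)   /* 2097152 */

struct impl_ops {
    unsigned min_access_size;
    unsigned max_access_size;
};

/* The "-" line of the patch and the "+" line of the patch. */
static const struct impl_ops cmb_ops_before = { .min_access_size = 2, .max_access_size = 8 };
static const struct impl_ops cmb_ops_after  = { .min_access_size = 1, .max_access_size = 8 };

struct dispatched {
    uint64_t offset;
    unsigned size;
    int in_bounds;  /* 1 when offset + size <= region size */
};

/* Model of clip-then-widen (assumed simplification of the memory core).
 * Returns 0 when the access starts past the region end (nothing is
 * dispatched), 1 otherwise and fills *out with what the device sees. */
static int dispatch_access(const struct impl_ops *ops, uint64_t region_size,
                           uint64_t addr, unsigned size, struct dispatched *out)
{
    if (addr >= region_size) {
        return 0;
    }
    /* Address-space translation: only bytes inside the region remain. */
    uint64_t remaining = region_size - addr;
    unsigned clipped = size;
    if (clipped > remaining) {
        clipped = (unsigned)remaining;
    }
    /* Dispatcher rounding: access_size = MAX(MIN(size, max), min). */
    unsigned access = clipped;
    if (access > ops->max_access_size) {
        access = ops->max_access_size;
    }
    if (access < ops->min_access_size) {
        access = ops->min_access_size;
    }
    out->offset = addr;
    out->size = access;
    out->in_bounds = (addr + access <= region_size);
    return 1;
}

/* Hypothetical defensive handler: bounds-check before touching the buffer,
 * so a widened access is refused instead of overrunning the backing store. */
static int cmb_write_checked(uint8_t *cmb, uint64_t region_size,
                             uint64_t offset, unsigned size, uint64_t data)
{
    if (size > 8 || offset > region_size || region_size - offset < size) {
        return -1;  /* would overrun the CMB backing buffer */
    }
    for (unsigned i = 0; i < size; i++) {   /* little-endian store */
        cmb[offset + i] = (uint8_t)(data >> (8 * i));
    }
    return 0;
}

int main(void)
{
    static uint8_t cmb[CMB_SIZE_BYTES];
    struct dispatched d;
    const uint64_t last_byte = CMB_SIZE_BYTES - 1;  /* 2097151 */

    dispatch_access(&cmb_ops_before, CMB_SIZE_BYTES, last_byte, 4, &d);
    printf("before: offset=%llu size=%u in_bounds=%d checked_write=%d\n",
           (unsigned long long)d.offset, d.size, d.in_bounds,
           cmb_write_checked(cmb, CMB_SIZE_BYTES, d.offset, d.size, 0xffff));

    dispatch_access(&cmb_ops_after, CMB_SIZE_BYTES, last_byte, 4, &d);
    printf("after:  offset=%llu size=%u in_bounds=%d checked_write=%d\n",
           (unsigned long long)d.offset, d.size, d.in_bounds,
           cmb_write_checked(cmb, CMB_SIZE_BYTES, d.offset, d.size, 0xffff));
    return 0;
}
```

With the "before" ops the model hands the device a 2-byte write at offset 2097151, one byte past the 2 MiB region, which is exactly the access Paolo names; with the "after" ops the same guest access arrives as a 1-byte write that stays in bounds. The checked handler shows the second line of defence a device callback can keep regardless of the dispatcher's setting.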