On Tue, Oct 20, 2020 at 11:03:51AM +0200, Paolo Bonzini wrote:
> On 15/10/20 16:37, to...@linux.ibm.com wrote:
> > -static void *gpa2hva(MemoryRegion **p_mr, hwaddr addr, Error **errp)
> > +void *gpa2hva(MemoryRegion **p_mr, hwaddr addr, uint64_t size, Error
> > **errp)
> > {
> > MemoryRegionSection mrs = memory_region_find(get_system_memory(),
> > - addr, 1);
> > + addr, size);
>
> You need to check size against mrs.size and fail if mrs.size is smaller.
> Otherwise, the ioctl can access memory out of range.
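Review bot: the new `size` argument is forwarded to memory_region_find(), but the section it returns is only the intersection of [addr, addr+size) with one region, so `mrs.size` can be smaller than `size` and the returned host pointer then covers less memory than the caller will touch; before using the section, compare the two and fail with an error (for example `if (int128_lt(mrs.size, int128_make64(size)))`, since `MemoryRegionSection.size` is an Int128) so that a range crossing the end of a region or ending in an unmapped gap is rejected rather than silently truncated. Also, the hunk drops `static` from gpa2hva() without showing a prototype; the declaration should be added to a header in the same change so the out-of-file callers this implies compile against the new signature.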
Good catch! I'm dequeuing it.

Is there a reason memory_region_find() doesn't ensure that by default? It looks like there's only one memory_region_find() call in the code that doesn't expect the returned section to contain the entire range (at platform_bus_map_mmio()). All the remaining memory_region_find() calls either have size==1 (so it doesn't matter) or have an extra check for MemoryRegionSection.size.

The call at virtio_balloon_handle_output() looks suspicious, though, because it looks for a BALLOON_PAGE_SIZE range, but there's no check for the returned section size.

--
Eduardo
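The bug class discussed in this thread (a lookup that returns a section clipped to one region, and a caller that trusts it for the full requested length) is easy to see in a small model. The C below is an added example, not QEMU code: `ToyRegion`, `ToySection` and `toy_find()` are a deliberately simplified stand-in for MemoryRegion, MemoryRegionSection and memory_region_find(), with two host-backed regions and an unmapped gap between them, all constructed here. `gpa2hva_unchecked()` mirrors the shape of the patched gpa2hva() without the size check Paolo asks for; `gpa2hva_checked()` adds it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model (assumption, not QEMU's real types): a flat guest-physical
 * address space made of a few host-backed regions. */
typedef struct {
    uint64_t gpa_start;   /* guest physical start address */
    uint64_t size;        /* region length in bytes */
    uint8_t *host;        /* host buffer backing the region */
} ToyRegion;

typedef struct {
    ToyRegion *mr;                 /* NULL when nothing maps addr */
    uint64_t offset_within_region; /* addr - mr->gpa_start */
    uint64_t size;                 /* bytes of the request that fall inside mr */
} ToySection;

enum { NUM_REGIONS = 2 };
static uint8_t ram0[0x1000];
static uint8_t ram1[0x1000];
/* Constructed layout: region 0 at [0x0000, 0x1000), region 1 at
 * [0x2000, 0x3000), and no backing at all for [0x1000, 0x2000). */
static ToyRegion regions[NUM_REGIONS] = {
    { 0x0000, sizeof ram0, ram0 },
    { 0x2000, sizeof ram1, ram1 },
};

/* Stand-in for memory_region_find(): locate the region containing addr and
 * return the intersection of [addr, addr+size) with it. Like the real
 * function, the result can be SHORTER than the size asked for. */
static ToySection toy_find(uint64_t addr, uint64_t size)
{
    ToySection s = { NULL, 0, 0 };
    for (int i = 0; i < NUM_REGIONS; i++) {
        ToyRegion *r = &regions[i];
        if (addr >= r->gpa_start && addr < r->gpa_start + r->size) {
            uint64_t off = addr - r->gpa_start;
            uint64_t avail = r->size - off;   /* bytes left in this region */
            s.mr = r;
            s.offset_within_region = off;
            s.size = size < avail ? size : avail;
            return s;
        }
    }
    return s;   /* addr is in a gap: mr == NULL */
}

/* Mirrors the defect in the quoted hunk: hands back a host pointer as long
 * as addr itself is mapped, even if [addr, addr+size) runs past the end of
 * the host buffer. *avail reports how much is really backed. */
static void *gpa2hva_unchecked(uint64_t addr, uint64_t size, uint64_t *avail)
{
    ToySection s = toy_find(addr, size);
    if (!s.mr) {
        return NULL;
    }
    if (avail) {
        *avail = s.size;
    }
    return s.mr->host + s.offset_within_region;
}

/* Hardened form: refuse unless the section covers the whole request. */
static void *gpa2hva_checked(uint64_t addr, uint64_t size)
{
    ToySection s = toy_find(addr, size);
    if (!s.mr) {
        return NULL;            /* unmapped address */
    }
    if (s.size < size) {
        return NULL;            /* partial mapping: caller would overrun host */
    }
    return s.mr->host + s.offset_within_region;
}

/* How many bytes past the host buffer a caller would touch if it trusted
 * the unchecked result for the full size. 0 means the request was safe. */
static uint64_t overrun_bytes_unchecked(uint64_t addr, uint64_t size)
{
    uint64_t avail = 0;
    void *p = gpa2hva_unchecked(addr, size, &avail);
    if (!p) {
        return 0;
    }
    return size > avail ? size - avail : 0;
}

int main(void)
{
    printf("0xff0 + 16: %s\n", gpa2hva_checked(0x0ff0, 16) ? "ok" : "rejected");
    printf("0xff0 + 32: %s (unchecked caller would overrun by %llu bytes)\n",
           gpa2hva_checked(0x0ff0, 32) ? "ok" : "rejected",
           (unsigned long long)overrun_bytes_unchecked(0x0ff0, 32));
    printf("0x1800 + 1: %s\n", gpa2hva_checked(0x1800, 1) ? "ok" : "rejected");
    return 0;
}
```

The size==1 case Eduardo mentions is visible here too: with `size` of 1, `toy_find()` can never return a section shorter than the request, so the check is redundant; for any larger size it is the only thing standing between a region-crossing request and a read or write past the host buffer.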