Re: [PATCH 0/6] Add various undefined MMIO r/w functions
+-- On Wed, 17 Jun 2020, Paolo Bonzini wrote --+ | On 17/06/20 15:20, Philippe Mathieu-Daudé wrote: | > On 6/17/20 3:06 PM, Alex Williamson wrote: | >> On Wed, 17 Jun 2020 16:39:56 +1000 | >> David Gibson wrote: | >>> Hrm. If this is such a common problem, maybe we should just add a NULL | >>> check in the common paths. | >> | >> +1, clearly the behavior is already expected. Thanks, | > | > 20 months ago Peter suggested: | > | > "assert that every MemoryRegionOps has pointers to callbacks | > in it, when it is registered in memory_region_init_io() and | > memory_region_init_rom_device_nomigrate()." | > | > https://www.mail-archive.com/qemu-devel@nongnu.org/msg573310.html | > | > Li Qiang refers to this post from Paolo: | > | >> static const MemoryRegionOps notdirty_mem_ops = { | >> +.read = notdirty_mem_read, | >> .write = notdirty_mem_write, | >> .valid.accepts = notdirty_mem_accepts, | >> .endianness = DEVICE_NATIVE_ENDIAN, | > | > "This cannot happen, since TLB_NOTDIRTY is only added | > to the addr_write member (see accel/tcg/cputlb.c)." | | I'm now okay with asserting it, as long as notdirty_mem_read abort()s. Okay, I'm preparing a revised patch. Thank you. -- Prasad J Pandit / Red Hat Product Security Team 8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
Re: [PATCH 0/6] Add various undefined MMIO r/w functions
On 17/06/20 15:20, Philippe Mathieu-Daudé wrote: > On 6/17/20 3:06 PM, Alex Williamson wrote: >> On Wed, 17 Jun 2020 16:39:56 +1000 >> David Gibson wrote: >> >>> On Wed, Jun 17, 2020 at 11:09:27AM +0530, P J P wrote: From: Prasad J Pandit Hello, This series adds various undefined MMIO read/write functions to avoid potential guest crash via a NULL pointer dereference. >>> >>> Hrm. If this is such a common problem, maybe we should just add a >>> NULL check in the common paths. >> >> +1, clearly the behavior is already expected. Thanks, > > 20 months ago Peter suggested: > > "assert that every MemoryRegionOps has pointers to callbacks > in it, when it is registered in memory_region_init_io() and > memory_region_init_rom_device_nomigrate()." > > https://www.mail-archive.com/qemu-devel@nongnu.org/msg573310.html > > Li Qiang refers to this post from Paolo: > >> static const MemoryRegionOps notdirty_mem_ops = { >> +.read = notdirty_mem_read, >> .write = notdirty_mem_write, >> .valid.accepts = notdirty_mem_accepts, >> .endianness = DEVICE_NATIVE_ENDIAN, > > "This cannot happen, since TLB_NOTDIRTY is only added > to the addr_write member (see accel/tcg/cputlb.c)." I'm now okay with asserting it, as long as notdirty_mem_read abort()s. Paolo
Re: [PATCH 0/6] Add various undefined MMIO r/w functions
On 6/17/20 4:05 PM, Alex Bennée wrote: > > Philippe Mathieu-Daudé writes: > >> On 6/17/20 3:06 PM, Alex Williamson wrote: >>> On Wed, 17 Jun 2020 16:39:56 +1000 >>> David Gibson wrote: >>> On Wed, Jun 17, 2020 at 11:09:27AM +0530, P J P wrote: > From: Prasad J Pandit > > Hello, > > This series adds various undefined MMIO read/write functions > to avoid potential guest crash via a NULL pointer dereference. Hrm. If this is such a common problem, maybe we should just add a NULL check in the common paths. >>> >>> +1, clearly the behavior is already expected. Thanks, >> >> 20 months ago Peter suggested: >> >> "assert that every MemoryRegionOps has pointers to callbacks >> in it, when it is registered in memory_region_init_io() and >> memory_region_init_rom_device_nomigrate()." >> >> https://www.mail-archive.com/qemu-devel@nongnu.org/msg573310.html >> >> Li Qiang refers to this post from Paolo: >> >>> static const MemoryRegionOps notdirty_mem_ops = { >>> +.read = notdirty_mem_read, >>> .write = notdirty_mem_write, >>> .valid.accepts = notdirty_mem_accepts, >>> .endianness = DEVICE_NATIVE_ENDIAN, >> >> "This cannot happen, since TLB_NOTDIRTY is only added >> to the addr_write member (see accel/tcg/cputlb.c)." >> >> https://www.mail-archive.com/qemu-devel@nongnu.org/msg561345.html > > What about catching it in memory_region_dispatch_write: > > if (mr->ops->write) { > return access_with_adjusted_size(addr, , size, > mr->ops->impl.min_access_size, > mr->ops->impl.max_access_size, > memory_region_write_accessor, mr, > attrs); > } else if (mr->ops->write_with_attrs) { > return > access_with_adjusted_size(addr, , size, > mr->ops->impl.min_access_size, > mr->ops->impl.max_access_size, > memory_region_write_with_attrs_accessor, > mr, attrs); > } else { > qemu_log_mask(LOG_UNIMP|LOG_GUEST_ERROR, "%s: %s un-handled write\n", > __func__, mr->name); The problem is what return value to return... MEMTX_OK/MEMTX_ERROR/MEMTX_DECODE_ERROR? This is very device-specific and can't be decided here for all the cases. Better to abort() and fix each device? > } > >
Re: [PATCH 0/6] Add various undefined MMIO r/w functions
Philippe Mathieu-Daudé writes: > On 6/17/20 3:06 PM, Alex Williamson wrote: >> On Wed, 17 Jun 2020 16:39:56 +1000 >> David Gibson wrote: >> >>> On Wed, Jun 17, 2020 at 11:09:27AM +0530, P J P wrote: From: Prasad J Pandit Hello, This series adds various undefined MMIO read/write functions to avoid potential guest crash via a NULL pointer dereference. >>> >>> Hrm. If this is such a common problem, maybe we should just add a >>> NULL check in the common paths. >> >> +1, clearly the behavior is already expected. Thanks, > > 20 months ago Peter suggested: > > "assert that every MemoryRegionOps has pointers to callbacks > in it, when it is registered in memory_region_init_io() and > memory_region_init_rom_device_nomigrate()." > > https://www.mail-archive.com/qemu-devel@nongnu.org/msg573310.html > > Li Qiang refers to this post from Paolo: > >> static const MemoryRegionOps notdirty_mem_ops = { >> +.read = notdirty_mem_read, >> .write = notdirty_mem_write, >> .valid.accepts = notdirty_mem_accepts, >> .endianness = DEVICE_NATIVE_ENDIAN, > > "This cannot happen, since TLB_NOTDIRTY is only added > to the addr_write member (see accel/tcg/cputlb.c)." > > https://www.mail-archive.com/qemu-devel@nongnu.org/msg561345.html What about catching it in memory_region_dispatch_write: if (mr->ops->write) { return access_with_adjusted_size(addr, , size, mr->ops->impl.min_access_size, mr->ops->impl.max_access_size, memory_region_write_accessor, mr, attrs); } else if (mr->ops->write_with_attrs) { return access_with_adjusted_size(addr, , size, mr->ops->impl.min_access_size, mr->ops->impl.max_access_size, memory_region_write_with_attrs_accessor, mr, attrs); } else { qemu_log_mask(LOG_UNIMP|LOG_GUEST_ERROR, "%s: %s un-handled write\n", __func__, mr->name); } -- Alex Bennée
Re: [PATCH 0/6] Add various undefined MMIO r/w functions
On 6/17/20 3:06 PM, Alex Williamson wrote: > On Wed, 17 Jun 2020 16:39:56 +1000 > David Gibson wrote: > >> On Wed, Jun 17, 2020 at 11:09:27AM +0530, P J P wrote: >>> From: Prasad J Pandit >>> >>> Hello, >>> >>> This series adds various undefined MMIO read/write functions >>> to avoid potential guest crash via a NULL pointer dereference. >> >> Hrm. If this is such a common problem, maybe we should just add a >> NULL check in the common paths. > > +1, clearly the behavior is already expected. Thanks, 20 months ago Peter suggested: "assert that every MemoryRegionOps has pointers to callbacks in it, when it is registered in memory_region_init_io() and memory_region_init_rom_device_nomigrate()." https://www.mail-archive.com/qemu-devel@nongnu.org/msg573310.html Li Qiang refers to this post from Paolo: > static const MemoryRegionOps notdirty_mem_ops = { > +.read = notdirty_mem_read, > .write = notdirty_mem_write, > .valid.accepts = notdirty_mem_accepts, > .endianness = DEVICE_NATIVE_ENDIAN, "This cannot happen, since TLB_NOTDIRTY is only added to the addr_write member (see accel/tcg/cputlb.c)." https://www.mail-archive.com/qemu-devel@nongnu.org/msg561345.html
Re: [PATCH 0/6] Add various undefined MMIO r/w functions
On Wed, 17 Jun 2020 16:39:56 +1000 David Gibson wrote: > On Wed, Jun 17, 2020 at 11:09:27AM +0530, P J P wrote: > > From: Prasad J Pandit > > > > Hello, > > > > This series adds various undefined MMIO read/write functions > > to avoid potential guest crash via a NULL pointer dereference. > > Hrm. If this is such a common problem, maybe we should just add a > NULL check in the common paths. +1, clearly the behavior is already expected. Thanks, Alex
Re: [PATCH 0/6] Add various undefined MMIO r/w functions
On Wed, Jun 17, 2020 at 11:09:27AM +0530, P J P wrote: > From: Prasad J Pandit > > Hello, > > This series adds various undefined MMIO read/write functions > to avoid potential guest crash via a NULL pointer dereference. Hrm. If this is such a common problem, maybe we should just add a NULL check in the common paths. > > ex. -> > https://git.qemu.org/?p=qemu.git;a=commit;h=bb15013ef34617eb1344f5276292cadd326c21b2 > > Thank you. -- David Gibson| I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_ | _way_ _around_! http://www.ozlabs.org/~dgibson signature.asc Description: PGP signature
Re: [PATCH 0/6] Add various undefined MMIO r/w functions
Patchew URL: https://patchew.org/QEMU/20200617053934.122642-1-ppan...@redhat.com/ Hi, This series failed the asan build test. Please find the testing commands and their output below. If you have Docker installed, you can probably reproduce it locally. === TEST SCRIPT BEGIN === #!/bin/bash export ARCH=x86_64 make docker-image-fedora V=1 NETWORK=1 time make docker-test-debug@fedora TARGET_LIST=x86_64-softmmu J=14 NETWORK=1 === TEST SCRIPT END === CC qga/guest-agent-command-state.o CC qga/main.o CC qga/commands-posix.o /usr/bin/ld: /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors_vfork.S.o): warning: common of `__interception::real_vfork' overridden by definition from /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors.cpp.o) CC qga/channel-posix.o CC qga/qapi-generated/qga-qapi-types.o CC qga/qapi-generated/qga-qapi-visit.o --- GEN docs/interop/qemu-ga-ref.html GEN docs/interop/qemu-ga-ref.txt GEN docs/interop/qemu-ga-ref.7 /usr/bin/ld: /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors_vfork.S.o): warning: common of `__interception::real_vfork' overridden by definition from /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors.cpp.o) LINKqemu-keymap /usr/bin/ld: /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors_vfork.S.o): warning: common of `__interception::real_vfork' overridden by definition from /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors.cpp.o) LINKivshmem-client LINKivshmem-server /usr/bin/ld: /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors_vfork.S.o): warning: common of `__interception::real_vfork' overridden by definition from /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors.cpp.o) LINKqemu-nbd /usr/bin/ld: /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors_vfork.S.o): warning: common of `__interception::real_vfork' overridden by definition from /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors.cpp.o) LINKqemu-storage-daemon /usr/bin/ld: /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors_vfork.S.o): warning: common of `__interception::real_vfork' overridden by definition from /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors.cpp.o) AS pc-bios/optionrom/multiboot.o /usr/bin/ld: /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors_vfork.S.o): warning: common of `__interception::real_vfork' overridden by definition from /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors.cpp.o) LINKqemu-img AS pc-bios/optionrom/linuxboot.o /usr/bin/ld: /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors_vfork.S.o): warning: common of `__interception::real_vfork' overridden by definition from /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors.cpp.o) CC pc-bios/optionrom/linuxboot_dma.o AS pc-bios/optionrom/kvmvapic.o AS pc-bios/optionrom/pvh.o CC pc-bios/optionrom/pvh_main.o BUILD pc-bios/optionrom/multiboot.img LINKqemu-io /usr/bin/ld: /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors_vfork.S.o): warning: common of `__interception::real_vfork' overridden by definition from /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors.cpp.o) BUILD pc-bios/optionrom/linuxboot.img BUILD pc-bios/optionrom/linuxboot_dma.img BUILD pc-bios/optionrom/kvmvapic.img --- LINKfsdev/virtfs-proxy-helper BUILD pc-bios/optionrom/linuxboot.raw BUILD pc-bios/optionrom/multiboot.raw /usr/bin/ld: /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors_vfork.S.o): warning: common of `__interception::real_vfork' overridden by definition from /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors.cpp.o) BUILD pc-bios/optionrom/kvmvapic.raw SIGNpc-bios/optionrom/linuxboot.bin LINKscsi/qemu-pr-helper SIGNpc-bios/optionrom/linuxboot_dma.bin SIGNpc-bios/optionrom/kvmvapic.bin LINKqemu-bridge-helper /usr/bin/ld: /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors_vfork.S.o): warning: common of `__interception::real_vfork' overridden by definition from /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors.cpp.o) SIGNpc-bios/optionrom/multiboot.bin LINKvirtiofsd /usr/bin/ld: /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors_vfork.S.o): warning: common of `__interception::real_vfork' overridden by definition from