Commit b218a70e authored by David Gibson's avatar David Gibson Committed by Michael S. Tsirkin
Browse files

virtio-balloon: Corrections to address verification 



The virtio-balloon device's verification of the address given to it by the
guest has a number of faults:
    * The addresses here are guest physical addresses, which should be
      'hwaddr' rather than 'ram_addr_t' (the distinction is admittedly
      pretty subtle and confusing)
    * We don't check for section.mr being NULL, which is the main way that
      memory_region_find() reports basic failures.  We really need to check
      that before looking at any other section fields, because
      memory_region_find() doesn't initialize them on the failure path
    * We're passing a length of '1' to memory_region_find(), but really the
      guest is requesting that we put the entire page into the balloon,
      so it makes more sense to call it with BALLOON_PAGE_SIZE

Signed-off-by: default avatarDavid Gibson <david@gibson.dropbear.id.au>
Reviewed-by: default avatarDavid Hildenbrand <david@redhat.com>
Reviewed-by: default avatarMichael S. Tsirkin <mst@redhat.com>
Message-Id: <20190214043916.22128-3-david@gibson.dropbear.id.au>
Reviewed-by: default avatarMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
parent f6deb6d9

hw/virtio/virtio-balloon.c

+10 −7
Original line number Diff line number Diff line
@@ -221,17 +221,20 @@ static void virtio_balloon_handle_output(VirtIODevice *vdev, VirtQueue *vq) 
        }



        while (iov_to_buf(elem->out_sg, elem->out_num, offset, &pfn, 4) == 4) {

            ram_addr_t pa;

            ram_addr_t addr;

            hwaddr pa;

            hwaddr addr;

            int p = virtio_ldl_p(vdev, &pfn);



            pa = (ram_addr_t) p << VIRTIO_BALLOON_PFN_SHIFT;

            pa = (hwaddr) p << VIRTIO_BALLOON_PFN_SHIFT;

            offset += 4;



            /* FIXME: remove get_system_memory(), but how? */

            section = memory_region_find(get_system_memory(), pa, 1);

            if (!int128_nz(section.size) ||

                !memory_region_is_ram(section.mr) ||

            section = memory_region_find(get_system_memory(), pa,

                                         BALLOON_PAGE_SIZE);

            if (!section.mr) {

                trace_virtio_balloon_bad_addr(pa);

                continue;

            }

            if (!memory_region_is_ram(section.mr) ||

                memory_region_is_rom(section.mr) ||

                memory_region_is_romd(section.mr)) {

                trace_virtio_balloon_bad_addr(pa);