Re: [Bug 1886362] [NEW] Heap use-after-free in lduw_he_p through e1000e

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug 1886362] [NEW] Heap use-after-free in lduw_he_p through e1000e_

From:	Paolo Bonzini
Subject:	Re: [Bug 1886362] [NEW] Heap use-after-free in lduw_he_p through e1000e_write_to_rx_buffers
Date:	Thu, 9 Jul 2020 19:36:53 +0200
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.9.0

On 09/07/20 17:51, Li Qiang wrote:
> Maybe we should check whether the address is a RAM address in 'dma_memory_rw'?
> But it is a hot path. I'm not sure it is right. Hope more discussion.

Half of the purpose of dma-helpers.c (as opposed to address_space_*
functions in exec.c) is exactly to support writes to MMIO.  This is
especially true of dma_blk_io, which takes care of doing the DMA via a
bounce buffer, possibly in multiple steps and even blocking due to
cpu_register_map_client.

For dma_memory_rw this is not needed, so it only needs to handle
QEMUSGList, but I think the design should be the same.

However, this is indeed a nightmare for re-entrancy.  The easiest
solution is to delay processing of descriptors to a bottom half whenever
MMIO is doing something complicated.  This is also better for latency
because it will free the vCPU thread more quickly and leave the work to
the I/O thread.

Paolo

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug 1886362] [NEW] Heap use-after-free in lduw_he_p through e1000e_write_to_rx_buffers, Alexander Bulekov, 2020/07/05
- [Bug 1886362] Re: Heap use-after-free in lduw_he_p through e1000e_write_to_rx_buffers, Philippe Mathieu-Daudé, 2020/07/07
- Re: [Bug 1886362] [NEW] Heap use-after-free in lduw_he_p through e1000e_write_to_rx_buffers, Li Qiang, 2020/07/09
  - Re: [Bug 1886362] [NEW] Heap use-after-free in lduw_he_p through e1000e_write_to_rx_buffers, Paolo Bonzini <=
    - Re: [Bug 1886362] [NEW] Heap use-after-free in lduw_he_p through e1000e_write_to_rx_buffers, Li Qiang, 2020/07/10
    - Re: [Bug 1886362] [NEW] Heap use-after-free in lduw_he_p through e1000e_write_to_rx_buffers, Jason Wang, 2020/07/14
    - Re: [Bug 1886362] [NEW] Heap use-after-free in lduw_he_p through e1000e_write_to_rx_buffers, Li Qiang, 2020/07/14
    - Re: [Bug 1886362] [NEW] Heap use-after-free in lduw_he_p through e1000e_write_to_rx_buffers, Jason Wang, 2020/07/15
    - Re: [Bug 1886362] [NEW] Heap use-after-free in lduw_he_p through e1000e_write_to_rx_buffers, Peter Maydell, 2020/07/21
    - Re: [Bug 1886362] [NEW] Heap use-after-free in lduw_he_p through e1000e_write_to_rx_buffers, Jason Wang, 2020/07/21
    - Re: [Bug 1886362] [NEW] Heap use-after-free in lduw_he_p through e1000e_write_to_rx_buffers, Peter Maydell, 2020/07/21
    - Re: [Bug 1886362] [NEW] Heap use-after-free in lduw_he_p through e1000e_write_to_rx_buffers, Alexander Bulekov, 2020/07/21
    - Re: [Bug 1886362] [NEW] Heap use-after-free in lduw_he_p through e1000e_write_to_rx_buffers, Jason Wang, 2020/07/21
    - Re: [Bug 1886362] [NEW] Heap use-after-free in lduw_he_p through e1000e_write_to_rx_buffers, Li Qiang, 2020/07/21

Prev by Date: Re: [PATCH] hw/register: Document register_init_block @memory_size
Next by Date: Re: [PATCH v5 01/11] hw/misc: Add NPCM7xx System Global Control Registers device model
Previous by thread: Re: [Bug 1886362] [NEW] Heap use-after-free in lduw_he_p through e1000e_write_to_rx_buffers
Next by thread: Re: [Bug 1886362] [NEW] Heap use-after-free in lduw_he_p through e1000e_write_to_rx_buffers
Index(es):
- Date
- Thread