[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] fuzz: fix sparse memory access in the DMA callback
|
From: |
Philippe Mathieu-Daudé |
|
Subject: |
Re: [PATCH] fuzz: fix sparse memory access in the DMA callback |
|
Date: |
Tue, 6 Jul 2021 22:39:36 +0200 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0 |
On 7/6/21 6:17 PM, Alexander Bulekov wrote:
> The code mistakenly relied on address_space_translate to store the
> length remaining until the next memory-region. We care about this
> because when there is RAM or sparse-memory neighboring on an MMIO
> region, we should only write up to the border, to prevent inadvertently
> invoking MMIO handlers within the DMA callback.
>
> However address_space_translate_internal only stores the length until
> the end of the MemoryRegion if memory_region_is_ram(mr). Otherwise
> the *len is left unmodified. This caused some false-positive issues,
> where the fuzzer found a way to perform a nested MMIO write through a
> DMA callback on an [address, length] that started within sparse memory
> and spanned some device MMIO regions.
>
> To fix this, write to sparse memory in small chunks of
> memory_access_size (similar to the underlying address_space_write code),
> which will prevent accidentally hitting MMIO handlers through large
> writes.
>
> Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
> ---
> tests/qtest/fuzz/generic_fuzz.c | 13 ++++++++++---
> 1 file changed, 10 insertions(+), 3 deletions(-)
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>