[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] fuzz: fix sparse memory access in the DMA callback

From: Philippe Mathieu-Daudé
Subject: Re: [PATCH] fuzz: fix sparse memory access in the DMA callback
Date: Tue, 6 Jul 2021 22:39:36 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0

On 7/6/21 6:17 PM, Alexander Bulekov wrote:
> The code mistakenly relied on address_space_translate to store the
> length remaining until the next memory-region. We care about this
> because when there is RAM or sparse-memory neighboring on an MMIO
> region, we should only write up to the border, to prevent inadvertently
> invoking MMIO handlers within the DMA callback.
> However address_space_translate_internal only stores the length until
> the end of the MemoryRegion if memory_region_is_ram(mr). Otherwise
> the *len is left unmodified. This caused some false-positive issues,
> where the fuzzer found a way to perform a nested MMIO write through a
> DMA callback on an [address, length] that started within sparse memory
> and spanned some device MMIO regions.
> To fix this, write to sparse memory in small chunks of
> memory_access_size (similar to the underlying address_space_write code),
> which will prevent accidentally hitting MMIO handlers through large
> writes.
> Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
> ---
>  tests/qtest/fuzz/generic_fuzz.c | 13 ++++++++++---
>  1 file changed, 10 insertions(+), 3 deletions(-)

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>

reply via email to

[Prev in Thread] Current Thread [Next in Thread]