From: Akihiko Odaki
Cc: Philippe Mathieu-Daudé, qemu-devel@nongnu.org, David Hildenbrand, Peter Xu, Paolo Bonzini, Alexander Bulekov, Akihiko Odaki
Subject: [PATCH v2] softmmu: Use memmove in flatview_write_continue
Date: Tue, 31 Jan 2023 12:01:55 +0900
Message-Id: <20230131030155.18932-1-akihiko.odaki@daynix.com>

We found a case where the source passed to flatview_write_continue() may overlap with the destination when fuzzing igb, a new proposed network device, with sanitizers. igb uses pci_dma_map() to get the Tx packet, and pci_dma_write() to write the Rx buffer. While pci_dma_write() is usually used to write data from memory not mapped to the guest, if igb is configured to perform loopback, the data will be sourced from the guest memory. The source and destination can overlap and the usage of memcpy() will be invalid in such a case.
While we do not really have to deal with such an invalid request for igb, detecting the overlap in igb code beforehand requires complex code, and only covers this specific case. Instead, just replace memcpy() with memmove() to tolerate overlaps. Using memmove() will slightly damage the performance as it will need to check overlaps before using SIMD instructions for copying, but the cost should be negligible, considering the inherent complexity of flatview_write_continue().

The test cases generated by the fuzzer are available at:
https://patchew.org/QEMU/20230129053316.1071513-1-alxndr@bu.edu/

The fixed test case is:
fuzz/crash_47dfe62d9f911bf523ff48cd441b61c0013ed805

Signed-off-by: Akihiko Odaki
Acked-by: Alexander Bulekov
Acked-by: David Hildenbrand
---
V1 -> V2: Correct spellings in the message

 softmmu/physmem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/softmmu/physmem.c b/softmmu/physmem.c index cb998cdf23..3cd27b1c9d 100644 --- a/softmmu/physmem.c +++ b/softmmu/physmem.c @@ -2828,7 +2828,7 @@ static MemTxResult flatview_write_continue(FlatView *= fv, hwaddr addr, } else { /* RAM case */ ram_ptr =3D qemu_ram_ptr_length(mr->ram_block, addr1, &l, fals= e); - memcpy(ram_ptr, buf, l); + memmove(ram_ptr, buf, l); invalidate_and_set_dirty(mr, addr1, l); } =20 --=20 2.39.1
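Review bot: The `- memcpy(ram_ptr, buf, l);` / `+ memmove(ram_ptr, buf, l);` swap in the RAM case carries no comment saying why overlap has to be tolerated at this call, so a later reader looking only at the code may well switch it back to memcpy() as a "cheap" optimisation. Suggest a one-line comment above the call, e.g. `/* buf may alias guest RAM (device loopback via pci_dma_map()/pci_dma_write()), so tolerate overlap */`, so the rationale from the commit message sits next to the code it justifies.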