Date: Wed, 3 Jul 2024 18:47:36 -0400
From: "Michael S. Tsirkin"
To: qemu-devel@nongnu.org
Cc: Peter Maydell, Manos Pitsidianakis, Zheyu Ma, Eric Auger
Subject: [PULL v3 43/85] virtio-iommu: add error check before assert
Message-ID: <704391f94a5494f10b886ba79c157363a79b1239.1720046570.git.mst@redhat.com>
Content-Transfer-Encoding: quoted-printable
From: Manos Pitsidianakis

A fuzzer case discovered by Zheyu Ma causes an assert failure. Add a check before the assert, and respond with an error before moving on to the next queue element.

To reproduce the failure:

cat << EOF | \
qemu-system-x86_64 \
-display none -machine accel=qtest -m 512M -machine q35 -nodefaults \
-device virtio-iommu -qtest stdio
outl 0xcf8 0x80000804
outw 0xcfc 0x06
outl 0xcf8 0x80000820
outl 0xcfc 0xe0004000
write 0x10000e 0x1 0x01
write 0xe0004020 0x4 0x00001000
write 0xe0004028 0x4 0x00101000
write 0xe000401c 0x1 0x01
write 0x106000 0x1 0x05
write 0x100001 0x1 0x60
write 0x100002 0x1 0x10
write 0x100009 0x1 0x04
write 0x10000c 0x1 0x01
write 0x100018 0x1 0x04
write 0x10001c 0x1 0x02
write 0x101003 0x1 0x01
write 0xe0007001 0x1 0x00
EOF

Reported-by: Zheyu Ma
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2359
Signed-off-by: Manos Pitsidianakis
Message-Id: <20240613-fuzz-2359-fix-v2-manos.pitsidianakis@linaro.org>
Reviewed-by: Michael S. Tsirkin
Signed-off-by: Michael S. Tsirkin
---
 hw/virtio/virtio-iommu.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/hw/virtio/virtio-iommu.c b/hw/virtio/virtio-iommu.c index b9a7ddcd14..ed7426afc7 100644 --- a/hw/virtio/virtio-iommu.c +++ b/hw/virtio/virtio-iommu.c @@ -974,6 +974,9 @@ static void virtio_iommu_handle_command(VirtIODevice *v= dev, VirtQueue *vq) iov =3D elem->out_sg; sz =3D iov_to_buf(iov, iov_cnt, 0, &head, sizeof(head)); if (unlikely(sz !=3D sizeof(head))) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: read %zu bytes from command head" + "but expected %zu\n", __func__, sz, sizeof(head)= ); tail.status =3D VIRTIO_IOMMU_S_DEVERR; goto out; }
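Review bot: the two adjacent string literals in the new qemu_log_mask() call in the first hunk concatenate without a separating space, so the logged message reads "read %zu bytes from command headbut expected %zu"; end the first literal with a space, i.e. "%s: read %zu bytes from command head ". The rest of the hunk only adds logging: the short-read path already set tail.status to VIRTIO_IOMMU_S_DEVERR and jumped to out, and LOG_GUEST_ERROR is the right class for a guest that hands the device a truncated command head, since it gives an operator a trace of the malformed request without treating it as a device bug.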
@@ -1010,6 +1013,25 @@ static void virtio_iommu_handle_command(VirtIODevice= *vdev, VirtQueue *vq) out: sz =3D iov_from_buf(elem->in_sg, elem->in_num, 0, buf ? buf : &tail, output_size); + if (unlikely(sz !=3D output_size)) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: wrote %zu bytes to command response" + "but response size is %zu\n", + __func__, sz, output_size); + tail.status =3D VIRTIO_IOMMU_S_DEVERR; + /* + * We checked that sizeof(tail) can fit to elem->in_sg at the + * beginning of the loop + */ + output_size =3D sizeof(tail); + g_free(buf); + buf =3D NULL; + sz =3D iov_from_buf(elem->in_sg, + elem->in_num, + 0, + &tail, + output_size); + } assert(sz =3D=3D output_size); =20 virtqueue_push(vq, elem, sz); --=20 MST
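Review bot: the second hunk has the same missing space between its string literals ("command responsebut response size is"); end the first literal with a space. On the logic, the recovery path relies on an invariant that is not visible in this hunk: the comment says sizeof(tail) was checked to fit elem->in_sg "at the beginning of the loop", and the assert(sz == output_size) that follows is only safe if that check really is there and stays there, so name the check (the condition or the variable it sets) in the comment so a later edit to the loop head cannot silently reintroduce the assert failure the fuzzer found. Also worth a comment: when buf was non-NULL the first iov_from_buf() may already have copied part of the larger response before the bare tail is written over its start; because the status is now DEVERR and the push length is the returned sz, the guest sees only the tail, which is the intended outcome for an in_sg too small for the advertised response. Freeing buf and setting it to NULL before the second write is correct, since the buffer is no longer part of the response once it has been downgraded to the tail.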