Patchwork [1/2] exec: Fix bounce buffer allocation in address_space_map()

Submitter Kevin Wolf
Date July 22, 2013, 12:43 p.m.
Message ID <1374497038-22136-2-git-send-email-kwolf@redhat.com>
Permalink /patch/260684/
State New

Comments

Kevin Wolf - July 22, 2013, 12:43 p.m.
This fixes a regression introduced by commit e3127ae0c, which kept the
allocation size of the bounce buffer limited to one page in order to
avoid unbounded allocations (as explained in the commit message of
6d16c2f88), but broke the reporting of the shortened bounce buffer to
the caller. The caller therefore assumes that the full requested size
was provided and causes memory corruption when writing beyond the end of
the actually allocated buffer.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
 exec.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
Paolo Bonzini - July 22, 2013, 1:06 p.m.
On 22/07/2013 14:43, Kevin Wolf wrote:
> -        bounce.buffer = qemu_memalign(TARGET_PAGE_SIZE, TARGET_PAGE_SIZE);
> +        /* Avoid unbounded allocations */
> +        l = TARGET_PAGE_SIZE;

This should be l = MIN(l, TARGET_PAGE_SIZE).  Otherwise the patch is okay.

Paolo

> +        bounce.buffer = qemu_memalign(TARGET_PAGE_SIZE, l);
Kevin Wolf - July 22, 2013, 1:55 p.m.
On 22.07.2013 at 15:06, Paolo Bonzini wrote:
> On 22/07/2013 14:43, Kevin Wolf wrote:
> > -        bounce.buffer = qemu_memalign(TARGET_PAGE_SIZE, TARGET_PAGE_SIZE);
> > +        /* Avoid unbounded allocations */
> > +        l = TARGET_PAGE_SIZE;
> 
> This should be l = MIN(l, TARGET_PAGE_SIZE).  Otherwise the patch is okay.

Heh, okay. That's what I first had, but then I changed it to revert to
the original behaviour, because I wasn't sure if qemu_memalign requires
the size to be aligned as well.

I'll send a v2.

Kevin

Patch

diff --git a/exec.c b/exec.c
index c99a883..53cbbdf 100644
--- a/exec.c
+++ b/exec.c
@@ -2165,7 +2165,9 @@  void *address_space_map(AddressSpace *as,
         if (bounce.buffer) {
             return NULL;
         }
-        bounce.buffer = qemu_memalign(TARGET_PAGE_SIZE, TARGET_PAGE_SIZE);
+        /* Avoid unbounded allocations */
+        l = TARGET_PAGE_SIZE;
+        bounce.buffer = qemu_memalign(TARGET_PAGE_SIZE, l);
         bounce.addr = addr;
         bounce.len = l;
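Review bot: `l = TARGET_PAGE_SIZE;` overwrites the requested length instead of capping it, so a request shorter than a page is enlarged to a full page and that enlarged value is what ends up in `bounce.len = l` and gets reported back as the mapped length; as the comments already suggest, this should be `l = MIN(l, TARGET_PAGE_SIZE);` so the caller is never told that more was mapped than it asked for, while a request longer than a page is still truncated and the truncation is now correctly reported (which is the actual fix for the memory corruption described in the commit message). The open question from the thread about whether `qemu_memalign()` needs its size argument to be a multiple of the alignment is worth settling before v2, since with `MIN()` the size can be any value up to `TARGET_PAGE_SIZE`.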