{"id":1839945,"url":"http://patchwork.ozlabs.org/api/patches/1839945/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20230926201532.221152-2-vsementsov@yandex-team.ru/","project":{"id":14,"url":"http://patchwork.ozlabs.org/api/projects/14/?format=json","name":"QEMU Development","link_name":"qemu-devel","list_id":"qemu-devel.nongnu.org","list_email":"qemu-devel@nongnu.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20230926201532.221152-2-vsementsov@yandex-team.ru>","list_archive_url":null,"date":"2023-09-26T20:15:25","name":"[v2,1/8] hw/i386/intel_iommu: vtd_slpte_nonzero_rsvd(): assert no overflow","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"953bea3b510817b7faca5a27a348b9c443166c85","submitter":{"id":84116,"url":"http://patchwork.ozlabs.org/api/people/84116/?format=json","name":"Vladimir Sementsov-Ogievskiy","email":"vsementsov@yandex-team.ru"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20230926201532.221152-2-vsementsov@yandex-team.ru/mbox/","series":[{"id":375000,"url":"http://patchwork.ozlabs.org/api/series/375000/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/list/?series=375000","date":"2023-09-26T20:15:27","name":"coverity fixes","version":2,"mbox":"http://patchwork.ozlabs.org/series/375000/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/1839945/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/1839945/checks/","tags":{},"related":[],"headers":{"Return-Path":"<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=yandex-team.ru header.i=@yandex-team.ru\n header.a=rsa-sha256 header.s=default 
header.b=g8iwTxPX;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)","mail-nwsmtp-smtp-corp-main-62.myt.yp-c.yandex.net;\n dkim=pass header.i=@yandex-team.ru"],"Received":["from lists.gnu.org (lists.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4Rw9z94xZ3z1ypD\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 27 Sep 2023 06:17:57 +1000 (AEST)","from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1qlETa-0000Y6-0d; Tue, 26 Sep 2023 16:16:10 -0400","from eggs.gnu.org ([2001:470:142:3::10])\n by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <vsementsov@yandex-team.ru>)\n id 1qlETX-0000Wx-MZ\n for qemu-devel@nongnu.org; Tue, 26 Sep 2023 16:16:07 -0400","from forwardcorp1c.mail.yandex.net ([178.154.239.200])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <vsementsov@yandex-team.ru>)\n id 1qlETS-0002gw-FL\n for qemu-devel@nongnu.org; Tue, 26 Sep 2023 16:16:07 -0400","from mail-nwsmtp-smtp-corp-main-62.myt.yp-c.yandex.net\n (mail-nwsmtp-smtp-corp-main-62.myt.yp-c.yandex.net\n [IPv6:2a02:6b8:c12:550b:0:640:d49b:0])\n by forwardcorp1c.mail.yandex.net (Yandex) with ESMTP id D06A660B81;\n Tue, 26 Sep 2023 23:15:55 +0300 (MSK)","from vsementsov-lin.. 
(unknown [2a02:6b8:b081:b41d::1:39])\n by mail-nwsmtp-smtp-corp-main-62.myt.yp-c.yandex.net (smtpcorp/Yandex) with\n ESMTPSA id ZFWwvr0Oc0U0-5hDZfIZL; Tue, 26 Sep 2023 23:15:55 +0300"],"Precedence":"bulk","X-Yandex-Fwd":"1","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex-team.ru;\n s=default; t=1695759355;\n bh=jAvh0KaFeV113hpG3Sjju5klfyFefoMWGI2I5yIG3zw=;\n h=Message-Id:Date:In-Reply-To:Cc:Subject:References:To:From;\n b=g8iwTxPXVsH+ai1czxf9XXDj3gEIKGHKy+as3DnaI+14TWFvh5XYwQwTjOfBVLJ3x\n DxJJGK7z76tqu0LRnIJ5ltAltPSfjKC/LPFbjT8paPuQBwULvMf//S71iB3MBsEGtl\n u0tsYvaPwGNByi82wHIj6cIeeNqhId/CxWBzU2/s=","From":"Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>","To":"qemu-devel@nongnu.org","Cc":"pbonzini@redhat.com, vsementsov@yandex-team.ru, peter.maydell@linaro.org,\n yc-core@yandex-team.ru, davydov-max@yandex-team.ru,\n \"Michael S. Tsirkin\" <mst@redhat.com>, Peter Xu <peterx@redhat.com>,\n Jason Wang <jasowang@redhat.com>,\n Marcel Apfelbaum <marcel.apfelbaum@gmail.com>,\n Richard Henderson <richard.henderson@linaro.org>,\n Eduardo Habkost <eduardo@habkost.net>","Subject":"[PATCH v2 1/8] hw/i386/intel_iommu: vtd_slpte_nonzero_rsvd(): assert\n no overflow","Date":"Tue, 26 Sep 2023 23:15:25 +0300","Message-Id":"<20230926201532.221152-2-vsementsov@yandex-team.ru>","X-Mailer":"git-send-email 2.34.1","In-Reply-To":"<20230926201532.221152-1-vsementsov@yandex-team.ru>","References":"<20230926201532.221152-1-vsementsov@yandex-team.ru>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","Received-SPF":"pass client-ip=178.154.239.200;\n envelope-from=vsementsov@yandex-team.ru; helo=forwardcorp1c.mail.yandex.net","X-Spam_score_int":"-20","X-Spam_score":"-2.1","X-Spam_bar":"--","X-Spam_report":"(-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,\n RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,\n SPF_PASS=-0.001 autolearn=ham autolearn_force=no","X-Spam_action":"no 
action","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.29","List-Id":"<qemu-devel.nongnu.org>","List-Unsubscribe":"<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>","List-Archive":"<https://lists.nongnu.org/archive/html/qemu-devel>","List-Post":"<mailto:qemu-devel@nongnu.org>","List-Help":"<mailto:qemu-devel-request@nongnu.org?subject=help>","List-Subscribe":"<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"},"content":"We support only 3- and 4-level page-tables, which is firstly checked in\nvtd_decide_config(), then setup in vtd_init(). Then level fields are\nchecked by vtd_is_level_supported().\n\nSo here we can't have level out from 1..4 inclusive range. Let's assert\nit. That also explains Coverity that we are not going to overflow the\narray.\n\nCID: 1487158, 1487186\nSigned-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>\n---\n hw/i386/intel_iommu.c | 23 ++++++++++++++++++++---\n 1 file changed, 20 insertions(+), 3 deletions(-)","diff":"diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c\nindex c0ce896668..3b68183b78 100644\n--- a/hw/i386/intel_iommu.c\n+++ b/hw/i386/intel_iommu.c\n@@ -1027,18 +1027,35 @@ static dma_addr_t vtd_get_iova_pgtbl_base(IntelIOMMUState *s,\n  * Rsvd field masks for spte:\n  *     vtd_spte_rsvd 4k pages\n  *     vtd_spte_rsvd_large large pages\n+ *\n+ * We support only 3-level and 4-level page tables (see vtd_init() which\n+ * sets only VTD_CAP_SAGAW_39bit and maybe VTD_CAP_SAGAW_48bit bits in s->cap).\n  */\n-static uint64_t vtd_spte_rsvd[5];\n-static uint64_t vtd_spte_rsvd_large[5];\n+#define VTD_SPTE_RSVD_LEN 5\n+static uint64_t vtd_spte_rsvd[VTD_SPTE_RSVD_LEN];\n+static uint64_t vtd_spte_rsvd_large[VTD_SPTE_RSVD_LEN];\n \n static bool vtd_slpte_nonzero_rsvd(uint64_t slpte, uint32_t level)\n {\n-    uint64_t rsvd_mask = vtd_spte_rsvd[level];\n+    uint64_t rsvd_mask;\n+\n+    /*\n+     * We should have caught a guest-mis-programmed level earlier,\n+     * via vtd_is_level_supported.\n+     */\n+    assert(level < VTD_SPTE_RSVD_LEN);\n+    /*\n+     * Zero level doesn't exist. The smallest level is VTD_SL_PT_LEVEL=1 and\n+     * checked by vtd_is_last_slpte().\n+     */\n+    assert(level);\n \n     if ((level == VTD_SL_PD_LEVEL || level == VTD_SL_PDP_LEVEL) &&\n         (slpte & VTD_SL_PT_PAGE_SIZE_MASK)) {\n         /* large page */\n         rsvd_mask = vtd_spte_rsvd_large[level];\n+    } else {\n+        rsvd_mask = vtd_spte_rsvd[level];\n     }\n \n     return slpte & rsvd_mask;\n","prefixes":["v2","1/8"]}
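Review bot: the two asserts in vtd_slpte_nonzero_rsvd() express one range invariant and would read better as a single check that names both bounds, e.g. `assert(level >= VTD_SL_PT_LEVEL && level < VTD_SPTE_RSVD_LEN);`, which also makes explicit that index 0 of vtd_spte_rsvd[] and vtd_spte_rsvd_large[] is never used. The comment above `assert(level)` says the smallest level is "checked by vtd_is_last_slpte()", while the first assert's comment and the commit message attribute level validation to vtd_is_level_supported(); pick one so the reader knows where a guest-programmed level is actually rejected. Since a bad level that somehow escaped that earlier check now aborts QEMU instead of reading past the array, the header comment above VTD_SPTE_RSVD_LEN should state that the length is the maximum supported level plus one, so the constant is revisited if a larger SAGAW width is ever enabled in vtd_init().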