
Stop vhost-user sending uninitialized mmap_offsets

Prior to this change, the vhost_user_fill_msg_region function filled out
all elements of the VhostUserMemoryRegion struct except the mmap_offset.

This function is often called on uninitialized structs, which are then
copied into VHOST_USER_SET_MEM_TABLE and VHOST_USER_ADD/REM_MEM_REG
messages. In some cases, where the mmap_offset was not needed, it was
left uninitialized, causing QEMU to send the backend uninitialized data,
which Coverity flagged as a series of issues.

This change augments the vhost_user_fill_msg_region API, adding a
mmap_offset parameter, forcing the caller to initialize mmap_offset.

Fixes: ece99091c2d0aeb23734289a50ef2ff4e0a08929
Fixes: f1aeb14b0809e313c74244d838645ed25e85ea63
Reported-by: Coverity (CIDs 1429802, 1429803 and 1429804)
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
Message-Id: <1592650156-25845-1-git-send-email-raphael.norwitz@nutanix.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>

Authored by Raphael Norwitz and committed by Michael S. Tsirkin
8d193715 56172c4c

+6 -6
hw/virtio/vhost-user.c
··· 460 460 } 461 461 462 462 static void vhost_user_fill_msg_region(VhostUserMemoryRegion *dst, 463 - struct vhost_memory_region *src) 463 + struct vhost_memory_region *src, 464 + uint64_t mmap_offset) 464 465 { 465 466 assert(src != NULL && dst != NULL); 466 467 dst->userspace_addr = src->userspace_addr; 467 468 dst->memory_size = src->memory_size; 468 469 dst->guest_phys_addr = src->guest_phys_addr; 470 + dst->mmap_offset = mmap_offset; 469 471 } 470 472 471 473 static int vhost_user_fill_set_mem_table_msg(struct vhost_user *u, ··· 500 502 error_report("Failed preparing vhost-user memory table msg"); 501 503 return -1; 502 504 } 503 - vhost_user_fill_msg_region(&region_buffer, reg); 505 + vhost_user_fill_msg_region(&region_buffer, reg, offset); 504 506 msg->payload.memory.regions[*fd_num] = region_buffer; 505 - msg->payload.memory.regions[*fd_num].mmap_offset = offset; 506 507 fds[(*fd_num)++] = fd; 507 508 } else if (track_ramblocks) { 508 509 u->region_rb_offset[i] = 0; ··· 649 650 650 651 if (fd > 0) { 651 652 msg->hdr.request = VHOST_USER_REM_MEM_REG; 652 - vhost_user_fill_msg_region(&region_buffer, shadow_reg); 653 + vhost_user_fill_msg_region(&region_buffer, shadow_reg, 0); 653 654 msg->payload.mem_reg.region = region_buffer; 654 655 655 656 if (vhost_user_write(dev, msg, &fd, 1) < 0) { ··· 709 710 u->region_rb[reg_idx] = mr->ram_block; 710 711 } 711 712 msg->hdr.request = VHOST_USER_ADD_MEM_REG; 712 - vhost_user_fill_msg_region(&region_buffer, reg); 713 + vhost_user_fill_msg_region(&region_buffer, reg, offset); 713 714 msg->payload.mem_reg.region = region_buffer; 714 - msg->payload.mem_reg.region.mmap_offset = offset; 715 715 716 716 if (vhost_user_write(dev, msg, &fd, 1) < 0) { 717 717 return -1;
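Review bot: in the VHOST_USER_REM_MEM_REG hunk, `vhost_user_fill_msg_region(&region_buffer, shadow_reg, 0);` passes a literal 0 for the new mmap_offset parameter with nothing at the call site saying why, whereas the VHOST_USER_SET_MEM_TABLE and VHOST_USER_ADD_MEM_REG hunks pass the computed `offset`. The old code never assigned mmap_offset on this path (which is exactly the uninitialized-send the commit message describes), so 0 is the first defined value here rather than a behaviour the reader can compare against the removed lines; a one-line comment stating that a removal request does not carry a meaningful offset would make clear that 0 is deliberate and not a left-over placeholder.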