unify len and addr type for memory/address APIs

Some address/memory APIs use different types for
'hwaddr/target_ulong addr' and 'int len'. This is very unsafe, especially
because some APIs are passed a non-int len by their callers, which might
cause a silent overflow.
Below is a potential overflow case:
    dma_memory_read(uint32_t len)
      -> dma_memory_rw(uint32_t len)
        -> dma_memory_rw_relaxed(uint32_t len)
          -> address_space_rw(int len) # len overflow

CC: Paolo Bonzini <pbonzini@redhat.com>
CC: Peter Crosthwaite <crosthwaite.peter@gmail.com>
CC: Richard Henderson <rth@twiddle.net>
CC: Peter Maydell <peter.maydell@linaro.org>
CC: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Li Zhijian <lizhijian@cn.fujitsu.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Li Zhijian 2019-01-17 20:49:01 +08:00 committed by Paolo Bonzini
parent b86d01ba47
commit 0c249ff71c
4 changed files with 39 additions and 40 deletions

47
exec.c

@ -2851,10 +2851,10 @@ static const MemoryRegionOps watch_mem_ops = {
}; };
static MemTxResult flatview_read(FlatView *fv, hwaddr addr, static MemTxResult flatview_read(FlatView *fv, hwaddr addr,
MemTxAttrs attrs, uint8_t *buf, int len); MemTxAttrs attrs, uint8_t *buf, hwaddr len);
static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs, static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs,
const uint8_t *buf, int len); const uint8_t *buf, hwaddr len);
static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len, static bool flatview_access_valid(FlatView *fv, hwaddr addr, hwaddr len,
bool is_write, MemTxAttrs attrs); bool is_write, MemTxAttrs attrs);
static MemTxResult subpage_read(void *opaque, hwaddr addr, uint64_t *data, static MemTxResult subpage_read(void *opaque, hwaddr addr, uint64_t *data,
@ -3102,10 +3102,10 @@ MemoryRegion *get_system_io(void)
/* physical memory access (slow version, mainly for debug) */ /* physical memory access (slow version, mainly for debug) */
#if defined(CONFIG_USER_ONLY) #if defined(CONFIG_USER_ONLY)
int cpu_memory_rw_debug(CPUState *cpu, target_ulong addr, int cpu_memory_rw_debug(CPUState *cpu, target_ulong addr,
uint8_t *buf, int len, int is_write) uint8_t *buf, target_ulong len, int is_write)
{ {
int l, flags; int flags;
target_ulong page; target_ulong l, page;
void * p; void * p;
while (len > 0) { while (len > 0) {
@ -3231,7 +3231,7 @@ static bool prepare_mmio_access(MemoryRegion *mr)
static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr, static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr,
MemTxAttrs attrs, MemTxAttrs attrs,
const uint8_t *buf, const uint8_t *buf,
int len, hwaddr addr1, hwaddr len, hwaddr addr1,
hwaddr l, MemoryRegion *mr) hwaddr l, MemoryRegion *mr)
{ {
uint8_t *ptr; uint8_t *ptr;
@ -3276,7 +3276,7 @@ static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr,
/* Called from RCU critical section. */ /* Called from RCU critical section. */
static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs, static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs,
const uint8_t *buf, int len) const uint8_t *buf, hwaddr len)
{ {
hwaddr l; hwaddr l;
hwaddr addr1; hwaddr addr1;
@ -3294,7 +3294,7 @@ static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs,
/* Called within RCU critical section. */ /* Called within RCU critical section. */
MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr, MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr,
MemTxAttrs attrs, uint8_t *buf, MemTxAttrs attrs, uint8_t *buf,
int len, hwaddr addr1, hwaddr l, hwaddr len, hwaddr addr1, hwaddr l,
MemoryRegion *mr) MemoryRegion *mr)
{ {
uint8_t *ptr; uint8_t *ptr;
@ -3337,7 +3337,7 @@ MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr,
/* Called from RCU critical section. */ /* Called from RCU critical section. */
static MemTxResult flatview_read(FlatView *fv, hwaddr addr, static MemTxResult flatview_read(FlatView *fv, hwaddr addr,
MemTxAttrs attrs, uint8_t *buf, int len) MemTxAttrs attrs, uint8_t *buf, hwaddr len)
{ {
hwaddr l; hwaddr l;
hwaddr addr1; hwaddr addr1;
@ -3350,7 +3350,7 @@ static MemTxResult flatview_read(FlatView *fv, hwaddr addr,
} }
MemTxResult address_space_read_full(AddressSpace *as, hwaddr addr, MemTxResult address_space_read_full(AddressSpace *as, hwaddr addr,
MemTxAttrs attrs, uint8_t *buf, int len) MemTxAttrs attrs, uint8_t *buf, hwaddr len)
{ {
MemTxResult result = MEMTX_OK; MemTxResult result = MEMTX_OK;
FlatView *fv; FlatView *fv;
@ -3367,7 +3367,7 @@ MemTxResult address_space_read_full(AddressSpace *as, hwaddr addr,
MemTxResult address_space_write(AddressSpace *as, hwaddr addr, MemTxResult address_space_write(AddressSpace *as, hwaddr addr,
MemTxAttrs attrs, MemTxAttrs attrs,
const uint8_t *buf, int len) const uint8_t *buf, hwaddr len)
{ {
MemTxResult result = MEMTX_OK; MemTxResult result = MEMTX_OK;
FlatView *fv; FlatView *fv;
@ -3383,7 +3383,7 @@ MemTxResult address_space_write(AddressSpace *as, hwaddr addr,
} }
MemTxResult address_space_rw(AddressSpace *as, hwaddr addr, MemTxAttrs attrs, MemTxResult address_space_rw(AddressSpace *as, hwaddr addr, MemTxAttrs attrs,
uint8_t *buf, int len, bool is_write) uint8_t *buf, hwaddr len, bool is_write)
{ {
if (is_write) { if (is_write) {
return address_space_write(as, addr, attrs, buf, len); return address_space_write(as, addr, attrs, buf, len);
@ -3393,7 +3393,7 @@ MemTxResult address_space_rw(AddressSpace *as, hwaddr addr, MemTxAttrs attrs,
} }
void cpu_physical_memory_rw(hwaddr addr, uint8_t *buf, void cpu_physical_memory_rw(hwaddr addr, uint8_t *buf,
int len, int is_write) hwaddr len, int is_write)
{ {
address_space_rw(&address_space_memory, addr, MEMTXATTRS_UNSPECIFIED, address_space_rw(&address_space_memory, addr, MEMTXATTRS_UNSPECIFIED,
buf, len, is_write); buf, len, is_write);
@ -3408,7 +3408,7 @@ static inline MemTxResult address_space_write_rom_internal(AddressSpace *as,
hwaddr addr, hwaddr addr,
MemTxAttrs attrs, MemTxAttrs attrs,
const uint8_t *buf, const uint8_t *buf,
int len, hwaddr len,
enum write_rom_type type) enum write_rom_type type)
{ {
hwaddr l; hwaddr l;
@ -3448,13 +3448,13 @@ static inline MemTxResult address_space_write_rom_internal(AddressSpace *as,
/* used for ROM loading : can write in RAM and ROM */ /* used for ROM loading : can write in RAM and ROM */
MemTxResult address_space_write_rom(AddressSpace *as, hwaddr addr, MemTxResult address_space_write_rom(AddressSpace *as, hwaddr addr,
MemTxAttrs attrs, MemTxAttrs attrs,
const uint8_t *buf, int len) const uint8_t *buf, hwaddr len)
{ {
return address_space_write_rom_internal(as, addr, attrs, return address_space_write_rom_internal(as, addr, attrs,
buf, len, WRITE_DATA); buf, len, WRITE_DATA);
} }
void cpu_flush_icache_range(hwaddr start, int len) void cpu_flush_icache_range(hwaddr start, hwaddr len)
{ {
/* /*
* This function should do the same thing as an icache flush that was * This function should do the same thing as an icache flush that was
@ -3557,7 +3557,7 @@ static void cpu_notify_map_clients(void)
qemu_mutex_unlock(&map_client_list_lock); qemu_mutex_unlock(&map_client_list_lock);
} }
static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len, static bool flatview_access_valid(FlatView *fv, hwaddr addr, hwaddr len,
bool is_write, MemTxAttrs attrs) bool is_write, MemTxAttrs attrs)
{ {
MemoryRegion *mr; MemoryRegion *mr;
@ -3580,7 +3580,7 @@ static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len,
} }
bool address_space_access_valid(AddressSpace *as, hwaddr addr, bool address_space_access_valid(AddressSpace *as, hwaddr addr,
int len, bool is_write, hwaddr len, bool is_write,
MemTxAttrs attrs) MemTxAttrs attrs)
{ {
FlatView *fv; FlatView *fv;
@ -3833,7 +3833,7 @@ static inline MemoryRegion *address_space_translate_cached(
*/ */
void void
address_space_read_cached_slow(MemoryRegionCache *cache, hwaddr addr, address_space_read_cached_slow(MemoryRegionCache *cache, hwaddr addr,
void *buf, int len) void *buf, hwaddr len)
{ {
hwaddr addr1, l; hwaddr addr1, l;
MemoryRegion *mr; MemoryRegion *mr;
@ -3851,7 +3851,7 @@ address_space_read_cached_slow(MemoryRegionCache *cache, hwaddr addr,
*/ */
void void
address_space_write_cached_slow(MemoryRegionCache *cache, hwaddr addr, address_space_write_cached_slow(MemoryRegionCache *cache, hwaddr addr,
const void *buf, int len) const void *buf, hwaddr len)
{ {
hwaddr addr1, l; hwaddr addr1, l;
MemoryRegion *mr; MemoryRegion *mr;
@ -3874,11 +3874,10 @@ address_space_write_cached_slow(MemoryRegionCache *cache, hwaddr addr,
/* virtual memory access for debug (includes writing to ROM) */ /* virtual memory access for debug (includes writing to ROM) */
int cpu_memory_rw_debug(CPUState *cpu, target_ulong addr, int cpu_memory_rw_debug(CPUState *cpu, target_ulong addr,
uint8_t *buf, int len, int is_write) uint8_t *buf, target_ulong len, int is_write)
{ {
int l;
hwaddr phys_addr; hwaddr phys_addr;
target_ulong page; target_ulong l, page;
cpu_synchronize_state(cpu); cpu_synchronize_state(cpu);
while (len > 0) { while (len > 0) {
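Review bot: Changing `len` from `int` to `target_ulong` in both `cpu_memory_rw_debug` definitions alters what `while (len > 0)` does for any caller that still computes its length as a signed value: a negative result used to skip the loop and now converts to a very large unsigned count. The callers are not shown on this page, so whether any of them can produce such a value is unverified here; they should be audited and the contract stated on the function, for example `/* len is an unsigned byte count; callers must range-check signed lengths before the call */`. The same consideration applies to the `hwaddr len` parameters of the `flatview_*` and `address_space_*` functions in this file, whose transfer loops lie outside the hunks. The bodies of both `cpu_memory_rw_debug` variants continue past the end of their hunks.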


@ -367,7 +367,7 @@ void dump_opcount_info(FILE *f, fprintf_function cpu_fprintf);
#endif /* !CONFIG_USER_ONLY */ #endif /* !CONFIG_USER_ONLY */
int cpu_memory_rw_debug(CPUState *cpu, target_ulong addr, int cpu_memory_rw_debug(CPUState *cpu, target_ulong addr,
uint8_t *buf, int len, int is_write); uint8_t *buf, target_ulong len, int is_write);
int cpu_exec(CPUState *cpu); int cpu_exec(CPUState *cpu);


@ -83,14 +83,14 @@ size_t qemu_ram_pagesize(RAMBlock *block);
size_t qemu_ram_pagesize_largest(void); size_t qemu_ram_pagesize_largest(void);
void cpu_physical_memory_rw(hwaddr addr, uint8_t *buf, void cpu_physical_memory_rw(hwaddr addr, uint8_t *buf,
int len, int is_write); hwaddr len, int is_write);
static inline void cpu_physical_memory_read(hwaddr addr, static inline void cpu_physical_memory_read(hwaddr addr,
void *buf, int len) void *buf, hwaddr len)
{ {
cpu_physical_memory_rw(addr, buf, len, 0); cpu_physical_memory_rw(addr, buf, len, 0);
} }
static inline void cpu_physical_memory_write(hwaddr addr, static inline void cpu_physical_memory_write(hwaddr addr,
const void *buf, int len) const void *buf, hwaddr len)
{ {
cpu_physical_memory_rw(addr, (void *)buf, len, 1); cpu_physical_memory_rw(addr, (void *)buf, len, 1);
} }
@ -111,7 +111,7 @@ bool cpu_physical_memory_is_io(hwaddr phys_addr);
*/ */
void qemu_flush_coalesced_mmio_buffer(void); void qemu_flush_coalesced_mmio_buffer(void);
void cpu_flush_icache_range(hwaddr start, int len); void cpu_flush_icache_range(hwaddr start, hwaddr len);
extern struct MemoryRegion io_mem_rom; extern struct MemoryRegion io_mem_rom;
extern struct MemoryRegion io_mem_notdirty; extern struct MemoryRegion io_mem_notdirty;


@ -1791,7 +1791,7 @@ void address_space_destroy(AddressSpace *as);
*/ */
MemTxResult address_space_rw(AddressSpace *as, hwaddr addr, MemTxResult address_space_rw(AddressSpace *as, hwaddr addr,
MemTxAttrs attrs, uint8_t *buf, MemTxAttrs attrs, uint8_t *buf,
int len, bool is_write); hwaddr len, bool is_write);
/** /**
* address_space_write: write to address space. * address_space_write: write to address space.
@ -1808,7 +1808,7 @@ MemTxResult address_space_rw(AddressSpace *as, hwaddr addr,
*/ */
MemTxResult address_space_write(AddressSpace *as, hwaddr addr, MemTxResult address_space_write(AddressSpace *as, hwaddr addr,
MemTxAttrs attrs, MemTxAttrs attrs,
const uint8_t *buf, int len); const uint8_t *buf, hwaddr len);
/** /**
* address_space_write_rom: write to address space, including ROM. * address_space_write_rom: write to address space, including ROM.
@ -1834,7 +1834,7 @@ MemTxResult address_space_write(AddressSpace *as, hwaddr addr,
*/ */
MemTxResult address_space_write_rom(AddressSpace *as, hwaddr addr, MemTxResult address_space_write_rom(AddressSpace *as, hwaddr addr,
MemTxAttrs attrs, MemTxAttrs attrs,
const uint8_t *buf, int len); const uint8_t *buf, hwaddr len);
/* address_space_ld*: load from an address space /* address_space_ld*: load from an address space
* address_space_st*: store to an address space * address_space_st*: store to an address space
@ -2035,7 +2035,7 @@ static inline MemoryRegion *address_space_translate(AddressSpace *as,
* @is_write: indicates the transfer direction * @is_write: indicates the transfer direction
* @attrs: memory attributes * @attrs: memory attributes
*/ */
bool address_space_access_valid(AddressSpace *as, hwaddr addr, int len, bool address_space_access_valid(AddressSpace *as, hwaddr addr, hwaddr len,
bool is_write, MemTxAttrs attrs); bool is_write, MemTxAttrs attrs);
/* address_space_map: map a physical memory region into a host virtual address /* address_space_map: map a physical memory region into a host virtual address
@ -2072,19 +2072,19 @@ void address_space_unmap(AddressSpace *as, void *buffer, hwaddr len,
/* Internal functions, part of the implementation of address_space_read. */ /* Internal functions, part of the implementation of address_space_read. */
MemTxResult address_space_read_full(AddressSpace *as, hwaddr addr, MemTxResult address_space_read_full(AddressSpace *as, hwaddr addr,
MemTxAttrs attrs, uint8_t *buf, int len); MemTxAttrs attrs, uint8_t *buf, hwaddr len);
MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr, MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr,
MemTxAttrs attrs, uint8_t *buf, MemTxAttrs attrs, uint8_t *buf,
int len, hwaddr addr1, hwaddr l, hwaddr len, hwaddr addr1, hwaddr l,
MemoryRegion *mr); MemoryRegion *mr);
void *qemu_map_ram_ptr(RAMBlock *ram_block, ram_addr_t addr); void *qemu_map_ram_ptr(RAMBlock *ram_block, ram_addr_t addr);
/* Internal functions, part of the implementation of address_space_read_cached /* Internal functions, part of the implementation of address_space_read_cached
* and address_space_write_cached. */ * and address_space_write_cached. */
void address_space_read_cached_slow(MemoryRegionCache *cache, void address_space_read_cached_slow(MemoryRegionCache *cache,
hwaddr addr, void *buf, int len); hwaddr addr, void *buf, hwaddr len);
void address_space_write_cached_slow(MemoryRegionCache *cache, void address_space_write_cached_slow(MemoryRegionCache *cache,
hwaddr addr, const void *buf, int len); hwaddr addr, const void *buf, hwaddr len);
static inline bool memory_access_is_direct(MemoryRegion *mr, bool is_write) static inline bool memory_access_is_direct(MemoryRegion *mr, bool is_write)
{ {
@ -2112,7 +2112,7 @@ static inline bool memory_access_is_direct(MemoryRegion *mr, bool is_write)
static inline __attribute__((__always_inline__)) static inline __attribute__((__always_inline__))
MemTxResult address_space_read(AddressSpace *as, hwaddr addr, MemTxResult address_space_read(AddressSpace *as, hwaddr addr,
MemTxAttrs attrs, uint8_t *buf, MemTxAttrs attrs, uint8_t *buf,
int len) hwaddr len)
{ {
MemTxResult result = MEMTX_OK; MemTxResult result = MEMTX_OK;
hwaddr l, addr1; hwaddr l, addr1;
@ -2151,7 +2151,7 @@ MemTxResult address_space_read(AddressSpace *as, hwaddr addr,
*/ */
static inline void static inline void
address_space_read_cached(MemoryRegionCache *cache, hwaddr addr, address_space_read_cached(MemoryRegionCache *cache, hwaddr addr,
void *buf, int len) void *buf, hwaddr len)
{ {
assert(addr < cache->len && len <= cache->len - addr); assert(addr < cache->len && len <= cache->len - addr);
if (likely(cache->ptr)) { if (likely(cache->ptr)) {
@ -2171,7 +2171,7 @@ address_space_read_cached(MemoryRegionCache *cache, hwaddr addr,
*/ */
static inline void static inline void
address_space_write_cached(MemoryRegionCache *cache, hwaddr addr, address_space_write_cached(MemoryRegionCache *cache, hwaddr addr,
void *buf, int len) void *buf, hwaddr len)
{ {
assert(addr < cache->len && len <= cache->len - addr); assert(addr < cache->len && len <= cache->len - addr);
if (likely(cache->ptr)) { if (likely(cache->ptr)) {
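Review bot: `address_space_write_cached` still takes a non-const source buffer in the last hunk, while `address_space_write_cached_slow`, declared earlier in this same header, takes `const void *buf`. Since the parameter line is being rewritten anyway, it could become `const void *buf, hwaddr len)` so the inline fast path and the slow path agree and callers can pass read-only data without a cast. The function body continues outside the hunk, so this presumably compiles unchanged only if the fast path does not write through `buf`; confirm against the full body.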