memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"

Memory API documentation documents valid .min_access_size and .max_access_size
fields and explains that any access outside these boundaries is blocked.

This is what devices seem to assume.

However this is not what the implementation does: it simply
ignores the boundaries unless there's an "accepts" callback.

Naturally, this breaks a bunch of devices.

Revert to the documented behaviour.

Devices that want to allow any access can just drop the valid field,
or add the impl field to have accesses converted to appropriate
length.

Cc: qemu-stable@nongnu.org
Reviewed-by: Richard Henderson <rth@twiddle.net>
Fixes: CVE-2020-13754
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1842363
Fixes: a014ed07bd ("memory: accept mismatching sizes in memory_region_access_valid")
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20200610134731.1514409-1-mst@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
This commit is contained in:
Michael S. Tsirkin 2020-06-10 09:47:49 -04:00 committed by Paolo Bonzini
parent 4b7c06837a
commit 5d971f9e67

View File

@ -1352,35 +1352,24 @@ bool memory_region_access_valid(MemoryRegion *mr,
bool is_write, bool is_write,
MemTxAttrs attrs) MemTxAttrs attrs)
{ {
int access_size_min, access_size_max; if (mr->ops->valid.accepts
int access_size, i; && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) {
return false;
}
if (!mr->ops->valid.unaligned && (addr & (size - 1))) { if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
return false; return false;
} }
if (!mr->ops->valid.accepts) { /* Treat zero as compatibility all valid */
if (!mr->ops->valid.max_access_size) {
return true; return true;
} }
access_size_min = mr->ops->valid.min_access_size; if (size > mr->ops->valid.max_access_size
if (!mr->ops->valid.min_access_size) { || size < mr->ops->valid.min_access_size) {
access_size_min = 1;
}
access_size_max = mr->ops->valid.max_access_size;
if (!mr->ops->valid.max_access_size) {
access_size_max = 4;
}
access_size = MAX(MIN(size, access_size_max), access_size_min);
for (i = 0; i < size; i += access_size) {
if (!mr->ops->valid.accepts(mr->opaque, addr + i, access_size,
is_write, attrs)) {
return false; return false;
} }
}
return true; return true;
} }