7157e2e23e
The virtio_queue_notify() function checks that the virtqueue number is less than the maximum number of virtqueues. A signed comparison is used but the virtqueue number could be negative if a buggy or malicious guest is run. This results in memory accesses outside of the virtqueue array. It is risky doing input validation in common code instead of at the guest<->host boundary. Note that virtio_queue_set_addr(), virtio_queue_get_addr(), virtio_queue_get_num(), and many other virtio functions do *not* validate the virtqueue number argument. Instead of fixing the comparison in virtio_queue_notify(), move the comparison to the virtio bindings (just like VIRTIO_PCI_QUEUE_SEL) where we have a uint32_t value and can avoid ever calling into common virtio code if the virtqueue number is invalid. Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
/*
 * Virtio Syborg bindings
 *
 * Copyright (c) 2009 CodeSourcery
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
 * in the Software without restriction, including without limitation the rights
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in
 * all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 * THE SOFTWARE.
 */
#include "syborg.h"
#include "sysbus.h"
#include "virtio.h"
#include "virtio-net.h"
/* Uncomment to trace every guest register access handled by this file. */
/* #define DEBUG_SYBORG_VIRTIO */

/*
 * Diagnostic helpers.
 *
 * DPRINTF: trace to stdout in debug builds, expands to nothing otherwise.
 * BADF:    report an error on stderr. In debug builds it also calls exit(1),
 *          so any access the handlers reject (the offset is chosen by the
 *          guest) terminates the emulator. Non-debug builds log and carry on.
 */
#ifdef DEBUG_SYBORG_VIRTIO
#define DPRINTF(fmt, ...) \
    do { \
        printf("syborg_virtio: " fmt , ## __VA_ARGS__); \
    } while (0)
#define BADF(fmt, ...) \
    do { \
        fprintf(stderr, "syborg_virtio: error: " fmt , ## __VA_ARGS__); \
        exit(1); \
    } while (0)
#else
#define DPRINTF(fmt, ...) \
    do { \
    } while (0)
#define BADF(fmt, ...) \
    do { \
        fprintf(stderr, "syborg_virtio: error: " fmt , ## __VA_ARGS__); \
    } while (0)
#endif
/*
 * Control register indices. The 32-bit handlers in this file dispatch on
 * (offset >> 2), so each value is a word index into the register window,
 * not a byte offset.
 */
enum {
    SYBORG_VIRTIO_ID             = 0,  /* read: SYBORG_ID_VIRTIO */
    SYBORG_VIRTIO_DEVTYPE        = 1,  /* read: proxy id word */
    SYBORG_VIRTIO_HOST_FEATURES  = 2,  /* read: features offered by the host */
    SYBORG_VIRTIO_GUEST_FEATURES = 3,  /* read/write: features set by the guest */
    SYBORG_VIRTIO_QUEUE_BASE     = 4,  /* read/write: address of selected queue;
                                          writing 0 resets the device */
    SYBORG_VIRTIO_QUEUE_NUM      = 5,  /* read: size of selected queue */
    SYBORG_VIRTIO_QUEUE_SEL      = 6,  /* read/write: selected queue index */
    SYBORG_VIRTIO_QUEUE_NOTIFY   = 7,  /* write: kick the given queue index */
    SYBORG_VIRTIO_STATUS         = 8,  /* read/write: device status byte */
    SYBORG_VIRTIO_INT_ENABLE     = 9,  /* read/write: interrupt enable mask */
    SYBORG_VIRTIO_INT_STATUS     = 10  /* read: isr; write: clear the set bits */
};

/* Byte offset from which accesses are forwarded to the device config space. */
#define SYBORG_VIRTIO_CONFIG 0x100
/* Device independent interface. */
/*
 * Per-device state of the Syborg virtio transport. An instance is handed to
 * the MMIO handlers and to the virtio binding callbacks as their opaque
 * pointer.
 */
typedef struct {
    SysBusDevice busdev;     /* sysbus base object; FROM_SYSBUS() maps back to the proxy */
    VirtIODevice *vdev;      /* bound virtio device, set in syborg_virtio_init() */
    qemu_irq irq;            /* interrupt line driven by syborg_virtio_update_irq() */
    uint32_t int_enable;     /* guest-written mask, ANDed with vdev->isr */
    uint32_t id;             /* value returned for SYBORG_VIRTIO_DEVTYPE */
    NICConf nic;             /* NIC properties (DEFINE_NIC_PROPERTIES) */
    uint32_t host_features;  /* feature bits reported to the guest */
    virtio_net_conf net;     /* virtio-net tunables: txtimer, txburst, tx */
} SyborgVirtIOProxy;
/*
 * 32-bit MMIO read handler.
 *
 * The offset comes from the guest. Offsets at or above SYBORG_VIRTIO_CONFIG
 * are forwarded to the device config space; everything below is decoded as a
 * control register by (offset >> 2), so the two low offset bits are ignored
 * and an unaligned offset reads the register of the word it falls in.
 *
 * Returns the register value, or 0 after reporting an unknown register
 * through BADF.
 */
static uint32_t syborg_virtio_readl(void *opaque, target_phys_addr_t offset)
{
    SyborgVirtIOProxy *proxy = opaque;
    VirtIODevice *dev = proxy->vdev;

    DPRINTF("readl 0x%x\n", (int)offset);

    if (offset >= SYBORG_VIRTIO_CONFIG) {
        return virtio_config_readl(dev, offset - SYBORG_VIRTIO_CONFIG);
    }

    switch (offset >> 2) {
    case SYBORG_VIRTIO_ID:
        return SYBORG_ID_VIRTIO;
    case SYBORG_VIRTIO_DEVTYPE:
        return proxy->id;
    case SYBORG_VIRTIO_HOST_FEATURES:
        return proxy->host_features;
    case SYBORG_VIRTIO_GUEST_FEATURES:
        return dev->guest_features;
    case SYBORG_VIRTIO_QUEUE_BASE:
        /*
         * queue_sel is passed through unchecked here. The only bound on it in
         * this file is the check made when the guest writes
         * SYBORG_VIRTIO_QUEUE_SEL.
         * NOTE(review): any other writer of queue_sel (not visible in this
         * file) has to enforce the same bound - confirm.
         */
        return virtio_queue_get_addr(dev, dev->queue_sel);
    case SYBORG_VIRTIO_QUEUE_NUM:
        /* Same reliance on a pre-validated queue_sel as QUEUE_BASE. */
        return virtio_queue_get_num(dev, dev->queue_sel);
    case SYBORG_VIRTIO_QUEUE_SEL:
        return dev->queue_sel;
    case SYBORG_VIRTIO_STATUS:
        return dev->status;
    case SYBORG_VIRTIO_INT_ENABLE:
        return proxy->int_enable;
    case SYBORG_VIRTIO_INT_STATUS:
        return dev->isr;
    default:
        break;
    }

    /* Unknown register, including the write-only QUEUE_NOTIFY. */
    BADF("Bad read offset 0x%x\n", (int)offset);
    return 0;
}
/*
 * 32-bit MMIO write handler.
 *
 * Both offset and value come from the guest, so this function is where guest
 * input enters the virtio code. Offsets at or above SYBORG_VIRTIO_CONFIG go
 * to the device config space; lower offsets select a control register by
 * (offset >> 2). Unknown registers are reported through BADF and ignored.
 */
static void syborg_virtio_writel(void *opaque, target_phys_addr_t offset,
                                 uint32_t value)
{
    SyborgVirtIOProxy *proxy = opaque;
    VirtIODevice *dev = proxy->vdev;

    DPRINTF("writel 0x%x = 0x%x\n", (int)offset, value);

    if (offset >= SYBORG_VIRTIO_CONFIG) {
        virtio_config_writel(dev, offset - SYBORG_VIRTIO_CONFIG, value);
        return;
    }

    switch (offset >> 2) {
    case SYBORG_VIRTIO_GUEST_FEATURES:
        /*
         * NOTE(review): the guest's feature word is handed to the device and
         * stored without being masked against host_features - confirm the
         * set_features callbacks tolerate bits the host never offered.
         */
        if (dev->set_features) {
            dev->set_features(dev, value);
        }
        dev->guest_features = value;
        break;

    case SYBORG_VIRTIO_QUEUE_BASE:
        /* Address 0 means "reset the device", not "place the queue at 0". */
        if (value != 0) {
            /* queue_sel was bounded when the guest wrote QUEUE_SEL. */
            virtio_queue_set_addr(dev, dev->queue_sel, value);
        } else {
            virtio_reset(dev);
        }
        break;

    case SYBORG_VIRTIO_QUEUE_SEL:
        /*
         * Out-of-range selections are dropped and the previous selection is
         * kept. The common virtio helpers that later take queue_sel do not
         * validate it themselves.
         */
        if (value < VIRTIO_PCI_QUEUE_MAX) {
            dev->queue_sel = value;
        }
        break;

    case SYBORG_VIRTIO_QUEUE_NOTIFY:
        /*
         * Bound the queue number while it is still a uint32_t.
         * virtio_queue_notify() compares it as a signed value, so a large
         * guest value would appear negative there and index outside the
         * virtqueue array.
         */
        if (value < VIRTIO_PCI_QUEUE_MAX) {
            virtio_queue_notify(dev, value);
        }
        break;

    case SYBORG_VIRTIO_STATUS:
        /* Only the low byte is used; a resulting status of 0 resets the device. */
        virtio_set_status(dev, value & 0xFF);
        if (dev->status == 0) {
            virtio_reset(dev);
        }
        break;

    case SYBORG_VIRTIO_INT_ENABLE:
        proxy->int_enable = value;
        virtio_update_irq(dev);
        break;

    case SYBORG_VIRTIO_INT_STATUS:
        /* Write-one-to-clear: every bit set in value is cleared in isr. */
        dev->isr &= ~value;
        virtio_update_irq(dev);
        break;

    default:
        BADF("Bad write offset 0x%x\n", (int)offset);
        break;
    }
}
/*
 * 16-bit MMIO read handler.
 *
 * Halfword reads are only served from the device config space (offsets at or
 * above SYBORG_VIRTIO_CONFIG). A halfword read of a control register is
 * reported through BADF and returns all ones.
 */
static uint32_t syborg_virtio_readw(void *opaque, target_phys_addr_t offset)
{
    SyborgVirtIOProxy *proxy = opaque;
    VirtIODevice *dev = proxy->vdev;

    DPRINTF("readw 0x%x\n", (int)offset);

    if (offset < SYBORG_VIRTIO_CONFIG) {
        BADF("Bad halfword read offset 0x%x\n", (int)offset);
        return (uint32_t)-1;
    }

    return virtio_config_readw(dev, offset - SYBORG_VIRTIO_CONFIG);
}
/*
 * 16-bit MMIO write handler.
 *
 * Halfword writes are only forwarded to the device config space (offsets at
 * or above SYBORG_VIRTIO_CONFIG). A halfword write to a control register is
 * reported through BADF and otherwise ignored.
 */
static void syborg_virtio_writew(void *opaque, target_phys_addr_t offset,
                                 uint32_t value)
{
    SyborgVirtIOProxy *proxy = opaque;
    VirtIODevice *dev = proxy->vdev;

    DPRINTF("writew 0x%x = 0x%x\n", (int)offset, value);

    if (offset < SYBORG_VIRTIO_CONFIG) {
        BADF("Bad halfword write offset 0x%x\n", (int)offset);
        return;
    }

    virtio_config_writew(dev, offset - SYBORG_VIRTIO_CONFIG, value);
}
/*
 * 8-bit MMIO read handler.
 *
 * Byte reads are only served from the device config space (offsets at or
 * above SYBORG_VIRTIO_CONFIG). A byte read of a control register is reported
 * through BADF and returns all ones.
 */
static uint32_t syborg_virtio_readb(void *opaque, target_phys_addr_t offset)
{
    SyborgVirtIOProxy *proxy = opaque;
    VirtIODevice *dev = proxy->vdev;

    DPRINTF("readb 0x%x\n", (int)offset);

    if (offset < SYBORG_VIRTIO_CONFIG) {
        BADF("Bad byte read offset 0x%x\n", (int)offset);
        return (uint32_t)-1;
    }

    return virtio_config_readb(dev, offset - SYBORG_VIRTIO_CONFIG);
}
/*
 * 8-bit MMIO write handler.
 *
 * Byte writes are only forwarded to the device config space (offsets at or
 * above SYBORG_VIRTIO_CONFIG). A byte write to a control register is reported
 * through BADF and otherwise ignored.
 */
static void syborg_virtio_writeb(void *opaque, target_phys_addr_t offset,
                                 uint32_t value)
{
    SyborgVirtIOProxy *proxy = opaque;
    VirtIODevice *dev = proxy->vdev;

    DPRINTF("writeb 0x%x = 0x%x\n", (int)offset, value);

    if (offset < SYBORG_VIRTIO_CONFIG) {
        BADF("Bad byte write offset 0x%x\n", (int)offset);
        return;
    }

    virtio_config_writeb(dev, offset - SYBORG_VIRTIO_CONFIG, value);
}
/*
 * Handler tables given to cpu_register_io_memory() in syborg_virtio_init().
 * Entries are listed in the order byte, halfword, word.
 */
static CPUReadMemoryFunc * const syborg_virtio_readfn[] = {
    syborg_virtio_readb,    /* 8-bit  */
    syborg_virtio_readw,    /* 16-bit */
    syborg_virtio_readl     /* 32-bit */
};

static CPUWriteMemoryFunc * const syborg_virtio_writefn[] = {
    syborg_virtio_writeb,   /* 8-bit  */
    syborg_virtio_writew,   /* 16-bit */
    syborg_virtio_writel    /* 32-bit */
};
/*
 * Binding callback (.notify): recompute the interrupt line.
 *
 * The line is asserted when at least one bit is set in both the guest's
 * interrupt enable mask and the device's isr. The vector argument is not
 * used.
 */
static void syborg_virtio_update_irq(void *opaque, uint16_t vector)
{
    SyborgVirtIOProxy *proxy = opaque;
    int pending = proxy->int_enable & proxy->vdev->isr;

    DPRINTF("IRQ %d\n", pending);
    qemu_set_irq(proxy->irq, pending != 0);
}
/* Binding callback (.get_features): return the proxy's host feature bits. */
static unsigned syborg_virtio_get_features(void *opaque)
{
    return ((SyborgVirtIOProxy *)opaque)->host_features;
}
/*
 * Transport callbacks registered with virtio_bind_device(). Only interrupt
 * notification and feature query are provided by this transport.
 */
static VirtIOBindings syborg_virtio_bindings = {
    .notify       = syborg_virtio_update_irq,
    .get_features = syborg_virtio_get_features,
};
/*
 * Attach a virtio device to a Syborg proxy.
 *
 * Sets up the IRQ line and a 0x1000-byte MMIO window served by the handler
 * tables, builds the DEVTYPE id word, registers a reset hook, binds the
 * transport callbacks and computes the host feature set.
 *
 * NOTE(review): vdev is dereferenced without a NULL check - confirm the
 * device init functions that produce it cannot return NULL.
 *
 * Always returns 0.
 */
static int syborg_virtio_init(SyborgVirtIOProxy *proxy, VirtIODevice *vdev)
{
    int io_index;

    proxy->vdev = vdev;

    /* This transport has a single interrupt line, so no vectors. */
    vdev->nvectors = 0;
    sysbus_init_irq(&proxy->busdev, &proxy->irq);

    io_index = cpu_register_io_memory(syborg_virtio_readfn,
                                      syborg_virtio_writefn, proxy,
                                      DEVICE_NATIVE_ENDIAN);
    sysbus_init_mmio(&proxy->busdev, 0x1000, io_index);

    /* Upper 16 bits: constant 0x1af4; lower bits: the virtio device id. */
    proxy->id = ((uint32_t)0x1af4 << 16) | vdev->device_id;

    qemu_register_reset(virtio_reset, vdev);
    virtio_bind_device(vdev, &syborg_virtio_bindings, proxy);

    /* Always offer NOTIFY_ON_EMPTY, then let the device adjust the set. */
    proxy->host_features |= (0x1 << VIRTIO_F_NOTIFY_ON_EMPTY);
    proxy->host_features = vdev->get_features(vdev, proxy->host_features);

    return 0;
}
/* Device specific bindings. */
/*
 * Sysbus init hook for "syborg,virtio-net": create the virtio-net device
 * from the proxy's NIC and net configuration, then attach it to the proxy.
 * Returns whatever syborg_virtio_init() returns.
 */
static int syborg_virtio_net_init(SysBusDevice *dev)
{
    SyborgVirtIOProxy *proxy = FROM_SYSBUS(SyborgVirtIOProxy, dev);
    VirtIODevice *net_dev = virtio_net_init(&dev->qdev, &proxy->nic,
                                            &proxy->net);

    return syborg_virtio_init(proxy, net_dev);
}
/*
 * Device description for the Syborg virtio-net proxy: init hook, qdev name,
 * instance size and the properties that fill in the proxy's nic,
 * host_features and net fields.
 */
static SysBusDeviceInfo syborg_virtio_net_info = {
    .init      = syborg_virtio_net_init,
    .qdev.name = "syborg,virtio-net",
    .qdev.size = sizeof(SyborgVirtIOProxy),
    .qdev.props = (Property[]) {
        DEFINE_NIC_PROPERTIES(SyborgVirtIOProxy, nic),
        DEFINE_VIRTIO_NET_FEATURES(SyborgVirtIOProxy, host_features),
        /* TX tunables, stored in the proxy's virtio_net_conf. */
        DEFINE_PROP_UINT32("x-txtimer", SyborgVirtIOProxy,
                           net.txtimer, TX_TIMER_INTERVAL),
        DEFINE_PROP_INT32("x-txburst", SyborgVirtIOProxy,
                          net.txburst, TX_BURST),
        DEFINE_PROP_STRING("tx", SyborgVirtIOProxy, net.tx),
        DEFINE_PROP_END_OF_LIST(),
    }
};
/* Register the Syborg virtio-net device description with the sysbus layer. */
static void syborg_virtio_register_devices(void)
{
    sysbus_register_withprop(&syborg_virtio_net_info);
}

/* Hook the registration function into device initialisation. */
device_init(syborg_virtio_register_devices)