On Fri, May 22, 2026 at 04:13:05PM +0800, [email protected] wrote: > check_pgsizes() validates that no page-size bits smaller than > VFIO_USER_DEF_PGSIZE are set, but it still accepts pgsizes=0. This lets a > malformed server overwrite the default page-size mask with zero. > > Later vfio_user_setup() asserts that proxy->dma_pgsizes is non-zero, so device > realization aborts instead of reporting a version capability error. Reject a > zero DMA page-size mask during version capability parsing. > > Fixes: 36227628d824 (vfio-user: implement message send infrastructure) > Signed-off-by: GuoHan Zhao <[email protected]> > --- > hw/vfio-user/proxy.c | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) > > diff --git a/hw/vfio-user/proxy.c b/hw/vfio-user/proxy.c > index 8b7cc36231ab..7c3036ec83c5 100644 > --- a/hw/vfio-user/proxy.c > +++ b/hw/vfio-user/proxy.c > @@ -1155,9 +1155,11 @@ static bool check_pgsizes(VFIOUserProxy *proxy, > QObject *qobj, Error **errp) > return false; > } > > - /* must be larger than default */ > - if (pgsizes & (VFIO_USER_DEF_PGSIZE - 1)) { > - error_setg(errp, "pgsize 0x%"PRIx64" too small", pgsizes); > + /* must not be zero or smaller than default */ > + if (pgsizes < VFIO_USER_DEF_PGSIZE || > + (pgsizes & (VFIO_USER_DEF_PGSIZE - 1))) { > + error_setg(errp, "%s 0x%"PRIx64" too small", > + VFIO_USER_CAP_PGSIZES, pgsizes); > return false; > } >
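Review bot: in the new condition, `pgsizes < VFIO_USER_DEF_PGSIZE` is broader than the zero-mask rejection the commit message describes; any nonzero value below VFIO_USER_DEF_PGSIZE already fails the existing `pgsizes & (VFIO_USER_DEF_PGSIZE - 1)` test (assuming the default is a power of two, which that mask idiom already relies on), so the combined check is equivalent to `pgsizes == 0 || (pgsizes & (VFIO_USER_DEF_PGSIZE - 1))`, and writing it that way would match the updated comment ("must not be zero") and make the intent explicit. The shared "too small" message also reads oddly when pgsizes is 0x0; a distinct error_setg() text for the zero case (for example "VFIO_USER_CAP_PGSIZES must not be zero") would tell the operator that the server sent an empty mask rather than an undersized page size.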
Reviewed-by: John Levon <[email protected]>
