From: GuoHan Zhao <[email protected]> check_pgsizes() validates that no page-size bits smaller than VFIO_USER_DEF_PGSIZE are set, but it still accepts pgsizes=0. This lets a malformed server overwrite the default page-size mask with zero.
Later vfio_user_setup() asserts that proxy->dma_pgsizes is non-zero, so device realization aborts instead of reporting a version capability error. Reject a zero DMA page-size mask during version capability parsing. Fixes: 36227628d824 (vfio-user: implement message send infrastructure) Signed-off-by: GuoHan Zhao <[email protected]> Reviewed-by: John Levon <[email protected]> Link: https://lore.kernel.org/qemu-devel/[email protected] Signed-off-by: Cédric Le Goater <[email protected]> --- hw/vfio-user/proxy.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/hw/vfio-user/proxy.c b/hw/vfio-user/proxy.c index e02a45e9972ba7b13a1eba190df20b24deafed61..be2601d5ecc496af8951179ac4da211f89a008a3 100644 --- a/hw/vfio-user/proxy.c +++ b/hw/vfio-user/proxy.c @@ -1155,9 +1155,11 @@ static bool check_pgsizes(VFIOUserProxy *proxy, QObject *qobj, Error **errp) return false; } - /* must be larger than default */ - if (pgsizes & (VFIO_USER_DEF_PGSIZE - 1)) { - error_setg(errp, "pgsize 0x%"PRIx64" too small", pgsizes); + /* must not be zero or smaller than default */ + if (pgsizes < VFIO_USER_DEF_PGSIZE || + (pgsizes & (VFIO_USER_DEF_PGSIZE - 1))) { + error_setg(errp, "%s 0x%"PRIx64" too small", + VFIO_USER_CAP_PGSIZES, pgsizes); return false; } -- 2.54.0
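Review bot: in the new condition in check_pgsizes(), `pgsizes < VFIO_USER_DEF_PGSIZE` only adds the zero case, since any non-zero value below a power-of-two default already has a bit inside `VFIO_USER_DEF_PGSIZE - 1` and is caught by the existing mask test; consider writing the intent directly as `pgsizes == 0 ||` and giving it its own error text, because a server that sends an empty mask currently gets "pgsizes 0x0 too small", which reads as a size problem rather than the missing-mask problem the commit message describes. The rewritten comment ("must not be zero or smaller than default") already names both cases, so the diagnostic should too. This also makes the check independent of VFIO_USER_DEF_PGSIZE being a power of two, which the `< ` form quietly relies on.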
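To make the difference between the old and new predicate concrete, here is an added, stand-alone C example (not QEMU code; it does not include the vfio-user headers). It re-expresses both versions of the check over a plain integer, uses an assumed default page size `EXAMPLE_DEF_PGSIZE` of 4096 in place of `VFIO_USER_DEF_PGSIZE`, and compares the patched condition against the explicit "non-zero and no bits below the default" form across every single-bit mask to show they agree when the default is a power of two.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-in for VFIO_USER_DEF_PGSIZE; any power of two works. */
#define EXAMPLE_DEF_PGSIZE UINT64_C(4096)

/* Check as it was before the patch: rejects bits below the default
 * page size but lets an all-zero mask through. */
bool pgsizes_ok_before(uint64_t pgsizes)
{
    return (pgsizes & (EXAMPLE_DEF_PGSIZE - 1)) == 0;
}

/* Check as written in the patch: additionally rejects any value below
 * the default, which for a power-of-two default only adds the zero case. */
bool pgsizes_ok_after(uint64_t pgsizes)
{
    if (pgsizes < EXAMPLE_DEF_PGSIZE ||
        (pgsizes & (EXAMPLE_DEF_PGSIZE - 1))) {
        return false;
    }
    return true;
}

/* Same intent spelled out: mask must be non-empty and must not contain
 * any page size smaller than the default. */
bool pgsizes_ok_explicit(uint64_t pgsizes)
{
    return pgsizes != 0 && (pgsizes & (EXAMPLE_DEF_PGSIZE - 1)) == 0;
}

/* Compare the patched and explicit forms over zero, every single-bit
 * mask, and every single bit combined with the default. Returns the
 * number of inputs on which they disagree (0 means equivalent). */
int count_mismatches(void)
{
    int mismatches = 0;

    if (pgsizes_ok_after(0) != pgsizes_ok_explicit(0)) {
        mismatches++;
    }
    for (int bit = 0; bit < 64; bit++) {
        uint64_t m = UINT64_C(1) << bit;
        uint64_t combined = m | EXAMPLE_DEF_PGSIZE;

        if (pgsizes_ok_after(m) != pgsizes_ok_explicit(m)) {
            mismatches++;
        }
        if (pgsizes_ok_after(combined) != pgsizes_ok_explicit(combined)) {
            mismatches++;
        }
    }
    return mismatches;
}

int main(void)
{
    /* Constructed inputs: empty mask, default only, a sub-default bit,
     * and default plus a 2 MiB page. */
    uint64_t inputs[] = { 0, EXAMPLE_DEF_PGSIZE, UINT64_C(2048),
                          EXAMPLE_DEF_PGSIZE | (UINT64_C(1) << 21) };

    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        printf("pgsizes=0x%llx before=%d after=%d\n",
               (unsigned long long)inputs[i],
               pgsizes_ok_before(inputs[i]), pgsizes_ok_after(inputs[i]));
    }
    printf("mismatches between patched and explicit form: %d\n",
           count_mismatches());
    return 0;
}
```

The only input on which `pgsizes_ok_before` and `pgsizes_ok_after` differ is zero, which is exactly the case the commit message describes: the old check accepted it and let it replace the default mask.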
