On Mon, Jul 13, 2015 at 01:46:47PM +0800, Jason Wang wrote: > We abort on unaligned read/write in > virtio_address_space_read()/write() but since len in under control of > guest so qemu will simply crash when booting a modern guest (guest is > try to read when len is zero). > read.
How can len be 0? Isn't this a guest bug? Or is this a theoretical issue? > Fix this by ignoring unaligned write or > > Fixes 1e40356ce5f6ccfa0bb57104a533c62952c560ce > ("virtio fix cfg endian-ness for BE targets") > Signed-off-by: Jason Wang <jasow...@redhat.com> I guess since we ignore some illegal values (e.g. > 4) we should just whitelist the legal ones. So the following looks like a slightly cleaner way to make this change. ---> virtio-pci: don't crash on illegal length Some guests seem to access cfg with an illegal length value. It's worth fixing them but debugging is easier if qemu does not crash. Signed-off-by: Michael S. Tsirkin <m...@redhat.com> diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c index 6ca0258..c5e8cc0 100644 --- a/hw/virtio/virtio-pci.c +++ b/hw/virtio/virtio-pci.c @@ -546,7 +546,8 @@ static void virtio_write_config(PCIDevice *pci_dev, uint32_t address, off = le32_to_cpu(cfg->cap.offset); len = le32_to_cpu(cfg->cap.length); - if (len <= sizeof cfg->pci_cfg_data) { + if (len == 1 || len == 2 || len == 4) { + assert(len <= sizeof cfg->pci_cfg_data); virtio_address_space_write(&proxy->modern_as, off, cfg->pci_cfg_data, len); } @@ -570,7 +571,8 @@ static uint32_t virtio_read_config(PCIDevice *pci_dev, off = le32_to_cpu(cfg->cap.offset); len = le32_to_cpu(cfg->cap.length); - if (len <= sizeof cfg->pci_cfg_data) { + if (len == 1 || len == 2 || len == 4) { + assert(len <= sizeof cfg->pci_cfg_data); virtio_address_space_read(&proxy->modern_as, off, cfg->pci_cfg_data, len); }