+-- On Mon, 25 Jan 2016, Paolo Bonzini wrote --+
| > static inline bool memory_access_is_direct(MemoryRegion *mr, bool is_write)
| > {
| > if (memory_region_is_ram(mr)) {
| > - return !(is_write && mr->readonly);
| > + return (is_write && !mr->readonly);
|
| Read or write? Readonly? Old New
| Read Yes T F
| Read No T F
| Write Yes F F
| Write No T T
|
| This patch changes behavior for reads (is_write=false). For
| address_space_read, this makes them go through a path that is at least
| 100 times slower (memory_region_dispatch_read instead of just a memcpy).
| For address_space_map, it probably breaks everything that expects a
| single block of RAM to be mapped in a single step, for example virtio.
|
| So, how was this tested, and how can the bug be triggered?
The bug was triggered if 'addr' in 'read_dword()' is set by user(ex.
0xffffffff). The MemoryRegion section(*mr) could point to host memory area,
which is then copied by memcpy(2) call. This leads to the said issue. The
patch was tested using gdb(1).
read_dword
-> pci_dma_read
-> pci_dma_rw
-> dma_memory_rw
-> dma_memory_rw_relaxed
-> address_space_rw
-> memcpy
Thank you.
--
Prasad J Pandit / Red Hat Product Security
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
