On Fri, Nov 26, 2021 at 12:14 AM Michael S. Tsirkin <m...@redhat.com> wrote:
>
> On Thu, Nov 25, 2021 at 10:20:46AM +0800, Jason Wang wrote:
> > Spec said:
> >
> > "and len the total of bytes written into the buffer."
> >
> > For inflateq, deflateq and statsq, we don't process in_sg so the used
> > length should be zero. For free_page_vq, since the pages could be
> > changed in the destination, we should make all pages used for safety.
>
> Yea, about that, I know I said it, but I was wrong, sorry.
>
> Spec says this:
>
>     \field{len} is particularly useful
>     for drivers using untrusted buffers: if a driver does not know exactly
>     how much has been written by the device, the driver would have to zero
>     the buffer in advance to ensure no data leakage occurs.
>
>     For example, a network driver may hand a received buffer directly to
>     an unprivileged userspace application. If the network device has not
>     overwritten the bytes which were in that buffer, this could leak the
>     contents of freed memory from other processes to the application.
>
> In other words, device must guarantee that used length was
> written into. Since we don't know that, we really should
> write 0 there, and the fact we don't is a spec violation.
The problem is, if we write 0, the driver may assume there's no change on those pages? Thanks > > > > Signed-off-by: Jason Wang <jasow...@redhat.com> > > --- > > hw/virtio/virtio-balloon.c | 8 +++++--- > > 1 file changed, 5 insertions(+), 3 deletions(-) > > > > diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c > > index 17de2558cb..fb4426ac0c 100644 > > --- a/hw/virtio/virtio-balloon.c > > +++ b/hw/virtio/virtio-balloon.c > > @@ -231,7 +231,7 @@ static void balloon_stats_poll_cb(void *opaque) > > return; > > } > > > > - virtqueue_push(s->svq, s->stats_vq_elem, s->stats_vq_offset); > > + virtqueue_push(s->svq, s->stats_vq_elem, 0); > > virtio_notify(vdev, s->svq); > > g_free(s->stats_vq_elem); > > s->stats_vq_elem = NULL; > > @@ -438,7 +438,7 @@ static void virtio_balloon_handle_output(VirtIODevice > > *vdev, VirtQueue *vq) > > memory_region_unref(section.mr); > > } > > > > - virtqueue_push(vq, elem, offset); > > + virtqueue_push(vq, elem, 0); > > virtio_notify(vdev, vq); > > g_free(elem); > > virtio_balloon_pbp_free(&pbp); > > @@ -510,6 +510,7 @@ static bool get_free_page_hints(VirtIOBalloon *dev) > > VirtIODevice *vdev = VIRTIO_DEVICE(dev); > > VirtQueue *vq = dev->free_page_vq; > > bool ret = true; > > + size_t used = 0; > > int i; > > > > while (dev->block_iothread) { > > @@ -548,11 +549,12 @@ static bool get_free_page_hints(VirtIOBalloon *dev) > > for (i = 0; i < elem->in_num; i++) { > > qemu_guest_free_page_hint(elem->in_sg[i].iov_base, > > elem->in_sg[i].iov_len); > > + used += elem->in_sg[i].iov_len; > > } > > } > > > > out: > > - virtqueue_push(vq, elem, 1); > > + virtqueue_push(vq, elem, used); > > g_free(elem); > > return ret; > > } > > -- > > 2.25.1 >
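Review bot: the bare 0 at `virtqueue_push(s->svq, s->stats_vq_elem, 0);` in balloon_stats_poll_cb (and the same literal at `virtqueue_push(vq, elem, 0);` in virtio_balloon_handle_output) deserves a one-line comment saying why it is a constant: these queues carry driver-written buffers only, so under the spec text quoted above (len counts bytes the device wrote) the used length is 0 no matter how much of the buffer the device consumed. Without that comment the next reader sees an offset replaced by a literal and may put s->stats_vq_offset back.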
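Review bot: `size_t used = 0;` in get_free_page_hints is passed straight to virtqueue_push, whose other call sites in this file pass an int literal and an offset; confirm the type of its len parameter (unsigned int, if memory serves) and either declare used with that type or clamp before the call, so a large sum of iov_len values cannot be silently truncated.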
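Review bot: `used += elem->in_sg[i].iov_len;` followed by `virtqueue_push(vq, elem, used);` reports every in_sg byte as written, although the loop only hands each range to qemu_guest_free_page_hint and writes nothing into it. Under the spec text quoted above that tells the driver it need not zero those pages before reusing them, which is exactly the leak the spec warns about and the point raised in the reply; the commit message's "pages could be changed in the destination" describes migration, not this device writing the buffer, so either report 0 here as well or document why the full length is the intended reading. Also, any element that jumps to out: before the loop now completes with used == 0 where the old code passed 1; that behaviour change should be stated in the commit message.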
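The data-leak argument in the spec text quoted above, as an added example that is not QEMU's or the virtio specification's code: a constructed descriptor chain of device-writable iovecs, a device that writes only part of it, and a count of how many never-written bytes a driver that trusts the used element's len would hand to userspace without zeroing. It also runs the free_page_vq choice from the patch (write nothing, then report either 0 or the full in_sg length). struct fake_elem, device_write, leaked_bytes and the scenario functions are assumptions made for illustration; only struct iovec is a real type.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/uio.h>

/* Added example, not QEMU or virtio code. Models one descriptor chain's
 * device-writable (in_sg) iovecs and what a driver that trusts len exposes. */

#define MAX_SG 4
#define SG_BYTES 16

struct fake_elem {                      /* hypothetical, mirrors in_sg/in_num */
    struct iovec in_sg[MAX_SG];
    unsigned int in_num;
    uint8_t backing[MAX_SG][SG_BYTES];  /* constructed guest memory */
    uint8_t written[MAX_SG][SG_BYTES];  /* 1 where the device really wrote */
};

/* Build in_num buffers pre-filled with stale bytes ('S'), as freed guest
 * memory handed to a device would be. */
static void elem_init(struct fake_elem *e, unsigned int in_num)
{
    memset(e, 0, sizeof(*e));
    e->in_num = in_num;
    for (unsigned int i = 0; i < in_num; i++) {
        memset(e->backing[i], 'S', SG_BYTES);
        e->in_sg[i].iov_base = e->backing[i];
        e->in_sg[i].iov_len = SG_BYTES;
    }
}

/* Device side: write nbytes of payload sequentially across in_sg and record
 * which bytes were touched. The return value is the only len the spec allows. */
static unsigned int device_write(struct fake_elem *e, const uint8_t *src, size_t nbytes)
{
    size_t done = 0;
    for (unsigned int i = 0; i < e->in_num && done < nbytes; i++) {
        size_t n = e->in_sg[i].iov_len;
        if (n > nbytes - done) n = nbytes - done;
        memcpy(e->in_sg[i].iov_base, src + done, n);
        memset(e->written[i], 1, n);
        done += n;
    }
    return (unsigned int)done;
}

/* Driver side: a driver that trusts len exposes the first len bytes of the
 * chain to userspace. Count how many of them the device never wrote, i.e.
 * how many stale bytes would leak. */
static unsigned int leaked_bytes(const struct fake_elem *e, unsigned int len)
{
    unsigned int leaked = 0, off = 0;
    for (unsigned int i = 0; i < e->in_num && off < len; i++) {
        for (size_t j = 0; j < e->in_sg[i].iov_len && off < len; j++, off++) {
            if (!e->written[i][j]) leaked++;
        }
    }
    return leaked;
}

/* Sum of in_sg lengths, the value the free_page_vq hunk reports. */
static unsigned int total_in_len(const struct fake_elem *e)
{
    unsigned int total = 0;
    for (unsigned int i = 0; i < e->in_num; i++) total += e->in_sg[i].iov_len;
    return total;
}

/* Network-style case: the device writes 20 bytes into a 3 x 16-byte chain,
 * then reports either the honest count or the whole chain. */
static unsigned int scenario_net(int honest)
{
    struct fake_elem e;
    static const uint8_t payload[] = "0123456789abcdefghij";  /* constructed */
    elem_init(&e, 3);
    unsigned int wrote = device_write(&e, payload, 20);
    unsigned int len = honest ? wrote : total_in_len(&e);
    return leaked_bytes(&e, len);
}

/* Free-page-hint case: the device reads the hints but writes nothing, then
 * reports either 0 (the reply's position) or the full in_sg length (the patch). */
static unsigned int scenario_free_page(int report_all)
{
    struct fake_elem e;
    elem_init(&e, 2);
    unsigned int len = report_all ? total_in_len(&e) : 0;
    return leaked_bytes(&e, len);
}

int main(void)
{
    printf("net honest len:      %u stale bytes exposed\n", scenario_net(1));
    printf("net over-reported:   %u stale bytes exposed\n", scenario_net(0));
    printf("free page len=0:     %u stale bytes exposed\n", scenario_free_page(0));
    printf("free page len=total: %u stale bytes exposed\n", scenario_free_page(1));
    return 0;
}
```

The only difference between the leaking and non-leaking runs is the len the device reports; the buffer contents are identical. That is the invariant the quoted spec text is protecting: a driver may skip zeroing precisely because it can take len as the boundary between device-written data and whatever was in the page before.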