From: David Gibson <david@gibson.dropbear.id.au>
To: passt-dev@passt.top, Stefano Brivio <sbrivio@redhat.com>
Cc: David Gibson <david@gibson.dropbear.id.au>
Subject: [PATCH 1/4] vu_common: Tighten vu_packet_check_range()
Date: Thu, 13 Mar 2025 16:40:47 +1100
Message-ID: <20250313054050.642978-2-david@gibson.dropbear.id.au>
In-Reply-To: <20250313054050.642978-1-david@gibson.dropbear.id.au>

This function verifies that the given packet is within the mmap()ed memory
region of the vhost-user device. We can do better, however. The packet
should be not only within the mmap()ed range, but specifically in the
subsection of that range set aside for shared buffers, which starts at
dev_region->mmap_offset within there.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
---
vu_common.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/vu_common.c b/vu_common.c
index 686a09b2..9eea4f2f 100644
--- a/vu_common.c
+++ b/vu_common.c
@@ -37,10 +37,10 @@ int vu_packet_check_range(void *buf, const char *ptr, size_t len)
for (dev_region = buf; dev_region->mmap_addr; dev_region++) {
/* NOLINTNEXTLINE(performance-no-int-to-ptr) */
- char *m = (char *)(uintptr_t)dev_region->mmap_addr;
+ char *m = (char *)(uintptr_t)dev_region->mmap_addr +
+ dev_region->mmap_offset;
- if (m <= ptr &&
- ptr + len <= m + dev_region->mmap_offset + dev_region->size)
+ if (m <= ptr && ptr + len <= m + dev_region->size)
return 0;
}
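Review bot: the upper-bound test `ptr + len <= m + dev_region->size` still forms `ptr + len` before anything has established that len fits in the region, so a very large len overflows the pointer (undefined behaviour) and, if the result wraps to a low address, the comparison succeeds and the function returns 0 for a packet that is not inside the buffer area. Since the lower bound `m <= ptr` is checked first, the rest can be done on offsets instead: compute `ptr - m` once, then require that it is no larger than `dev_region->size` and that len is no larger than `dev_region->size` minus that offset, which never forms an out-of-range pointer. If patch 2/4 in this series already reworks this expression, a line in the commit message saying so would help readers of this patch on its own. The same concern applies to `mmap_addr + mmap_offset` on the new `m` assignment: both values are supplied by the vhost-user peer, so it is worth stating where they are validated. If the function has a doc comment that describes the check as "within the mmap()ed region", it should be updated here to say the check is against the shared-buffer subsection starting at mmap_offset.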
--
2.48.1
Thread overview: 5+ messages
2025-03-13 5:40 [PATCH 0/4] Improve robustness of calculations related to frame size limits David Gibson
2025-03-13 5:40 ` David Gibson [this message]
2025-03-13 5:40 ` [PATCH 2/4] packet: More cautious checks to avoid pointer arithmetic UB David Gibson
2025-03-13 5:40 ` [PATCH 3/4] tap: Make size of pool_tap[46] purely a tuning parameter David Gibson
2025-03-13 5:40 ` [PATCH 4/4] tap: Clarify calculation of TAP_MSGS David Gibson