authorFrederick Mayle <fmayle@google.com>2022-11-28 22:32:12 -0800
committerFrederick Mayle <fmayle@google.com>2022-11-29 23:12:27 +0000
commit2cd328fdf17c1bf0f979bf4c728538f6edb0761e (patch)
tree654c391a6c77c02d72e2d52b65eb6e1a042ef3a9
parente334d8997dd1d8b089de8c2c9f55bbd5b7f04e53 (diff)
downloadcrosvm-2cd328fdf17c1bf0f979bf4c728538f6edb0761e.tar.gz
ANDROID: Verify virtio queue address ranges are valid
Partial backport of https://crrev.com/c/3945520 Excluded the x86_64 changes because I believe they are redundant. Excluded the ipc_memory_mapper.rs changes because they are not applicable to the target branch (there are no direct guest memory accesses in that module). Bug: 251802307 Test: TH Change-Id: I75ab20d1a96f26326cd2d87586cd93e4bf53971c Merged-In: I21bce5d1c60acdff79284cdad963849a6e19e19c Merged-In: Id9a7b8b469247992afd98fe80593c5044c112406
-rw-r--r--devices/src/virtio/queue.rs7
-rw-r--r--vm_memory/src/guest_memory.rs23
2 files changed, 24 insertions, 6 deletions
diff --git a/devices/src/virtio/queue.rs b/devices/src/virtio/queue.rs
index a436f748f..1e4d8bdfb 100644
--- a/devices/src/virtio/queue.rs
+++ b/devices/src/virtio/queue.rs
@@ -162,11 +162,8 @@ impl DescriptorChain {
if self.len > 0 {
match self.get_mem_regions() {
Ok(regions) => {
- if regions.iter().any(|r| {
- self.mem
- .checked_offset(r.gpa, r.len as u64 - 1u64)
- .is_none()
- }) {
+ // Each region in `self.regions` must be a contiguous range in `self.mem`.
+ if !regions.iter().all(|r| self.mem.is_valid_range(r.gpa, r.len as u64)) {
return false;
}
}
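Review bot: The added comment names `self.regions`, but the value being checked is the local `regions` returned by `self.get_mem_regions()`, so the comment points the reader at the wrong thing. It would also help to state the property that matters for safety, for example `// Every region returned by get_mem_regions() must lie entirely inside a single region of self.mem.` A zero `r.len` now makes the whole chain invalid because `is_valid_range` returns false for a zero length; if that is intended, it is worth saying in the same comment. The enclosing function starts and ends outside this hunk, so the `Err` arm of the match is not visible here.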
diff --git a/vm_memory/src/guest_memory.rs b/vm_memory/src/guest_memory.rs
index 47c3ba4fd..7c5b4d407 100644
--- a/vm_memory/src/guest_memory.rs
+++ b/vm_memory/src/guest_memory.rs
@@ -315,7 +315,10 @@ impl GuestMemory {
.any(|region| region.start() < end && start < region.end())
}
- /// Returns the address plus the offset if it is in range.
+ /// Returns an address `addr + offset` if it's in range.
+ ///
+ /// This function doesn't care whether a region `[addr, addr + offset)` is in range or not. To
+ /// guarantee it's a valid range, use `is_valid_range()` instead.
pub fn checked_offset(&self, addr: GuestAddress, offset: u64) -> Option<GuestAddress> {
addr.checked_add(offset).and_then(|a| {
if self.address_in_range(a) {
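Review bot: The reworded doc comment on `checked_offset` still does not say that `addr` itself is never validated; in the visible body only the sum `a` is passed to `address_in_range`. A more precise sentence would be `/// Only the resulting address is checked; addr and the bytes between addr and addr + offset are not validated.` Since the commit message says some upstream call-site changes were left out of this backport, any remaining caller that uses `checked_offset` as a range check presumably still has the weaker guarantee and is worth auditing. The function body continues past the end of this hunk.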
@@ -326,6 +329,24 @@ impl GuestMemory {
})
}
+ /// Returns true if the given range `[start, start + length)` is a valid contiguous memory
+ /// range available to the guest and it's backed by a single underlying memory region.
+ pub fn is_valid_range(&self, start: GuestAddress, length: u64) -> bool {
+ if length == 0 {
+ return false;
+ }
+
+ let end = if let Some(end) = start.checked_add(length - 1) {
+ end
+ } else {
+ return false;
+ };
+
+ self.regions
+ .iter()
+ .any(|region| region.start() <= start && end < region.end())
+ }
+
/// Returns the size of the memory region in bytes.
pub fn num_regions(&self) -> u64 {
self.regions.len() as u64
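Review bot: The doc comment on `is_valid_range` does not mention the two early `return false` cases, zero `length` and overflow of `start + (length - 1)`, although callers such as the virtio queue check depend on both. I would add `/// Returns false if length is 0 or if start + (length - 1) overflows.` to the doc block. The comparison `end < region.end()` with an inclusive `end` is only correct if `region.end()` is exclusive, which the overlap test at the top of the previous hunk (`start < region.end()`) suggests but does not prove from here; a short comment on that line would make the assumption explicit. A unit test covering a range that crosses the boundary between two adjacent regions would pin the single-region rule.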