Hi Martin,
On Tue, Jan 18, 2022 at 12:12:03AM +0200, Martin Radev wrote:
> This patch verifies that adding the addr and length arguments
> from an MMIO op do not overflow. This is necessary because the
> arguments are controlled by the VM. The length may be set to
> an arbitrary value by using the rep prefix.
The Arm architecture doesn'tt have instructions to access 0 bytes of
memory. By "rep prefix" you mean the x86 rep* instructions, right?
>
> Signed-off-by: Martin Radev <martin.b.radev@xxxxxxxxx>
> ---
> mmio.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/mmio.c b/mmio.c
> index a6dd3aa..04d2af6 100644
> --- a/mmio.c
> +++ b/mmio.c
> @@ -32,6 +32,10 @@ static struct mmio_mapping *mmio_search(struct rb_root *root, u64 addr, u64 len)
> {
> struct rb_int_node *node;
>
> + /* If len is zero or if there's an overflow, the MMIO op is invalid. */
> + if (len + addr <= addr)
Would you mind rewriting the left side of the inequality to addr + len to match
the argument to rb_int_search_range() below?
Otherwise looks good:
Reviewed-by: Alexandru Elisei <alexandru.elisei@xxxxxxx>
Thanks,
Alex
> + return NULL;
> +
> node = rb_int_search_range(root, addr, addr + len);
> if (node == NULL)
> return NULL;
> --
> 2.25.1
>
