On Wed, 28 Sep 2022 17:16:51 +0200
dinhngoc.tu@xxxxxxx wrote:
Hi,
> From: Tu Dinh Ngoc <dinhngoc.tu@xxxxxxx>
>
> The `len' parameter of kvm__register_pio specifies a range of I/O ports
> to be registered for the same handler. However, the `size' parameter of
> PIO events specifies the number of bytes read/written to a single I/O
> port.
>
> kvm__emulate_io confuses the two and uses the number of bytes
> read/written in its I/O handler search, meaning reads/writes with a size
> larger than the registered range length will be silently dropped.
Yes, and this is intended. On real hardware you just cannot
generally expect larger I/O accesses to work and affect multiple
registers, this is true for both the legacy IBM PC I/O operations, and
also for modern MMIO devices.
And specifically exceeding the registered range should be outright denied.
So where did you see this problem? Because this looks like a misbehaving
guest, and we should not take any chances and prefer denying dodgy
requests over potentially running into security issues by allowing
accesses beyond the allocated range.
Cheers,
Andre
>
> Fix this issue by specifying a MMIO tree search range of 1 port.
> ---
> mmio.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/mmio.c b/mmio.c
> index 5a114e9..212e979 100644
> --- a/mmio.c
> +++ b/mmio.c
> @@ -222,7 +222,7 @@ bool kvm__emulate_io(struct kvm_cpu *vcpu, u16 port, void *data,
> struct mmio_mapping *mmio;
> bool is_write = direction == KVM_EXIT_IO_OUT;
>
> - mmio = mmio_get(&pio_tree, port, size);
> + mmio = mmio_get(&pio_tree, port, 1);
> if (!mmio) {
> if (vcpu->kvm->cfg.ioport_debug) {
> fprintf(stderr, "IO error: %s port=%x, size=%d, count=%u\n",
