author | John Levon <john.levon@nutanix.com> | 2021-11-24 23:15:33 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-11-24 23:15:33 +0000 |
commit | 3602ad8f6ebb786adf1e09b4f39e9e9465d2fffc (patch) | |
tree | b38ba6db720a48965dde06872277d175fc8379d6 /test/py | |
parent | ace83abb5d62ef91bafd20219be1bdaf4f57f091 (diff) | |
download | libvfio-user-3602ad8f6ebb786adf1e09b4f39e9e9465d2fffc.zip libvfio-user-3602ad8f6ebb786adf1e09b4f39e9e9465d2fffc.tar.gz libvfio-user-3602ad8f6ebb786adf1e09b4f39e9e9465d2fffc.tar.bz2 |
is_valid_region_access(): account for wrap-around (#624)
AFL++ found this, though we already knew about it, so fix it by comparing
against a saturating addition. This was the only instance of client-controlled
potential overflow I noticed.
Signed-off-by: John Levon <john.levon@nutanix.com>
Reviewed-by: Swapnil Ingle <swapnil.ingle@nutanix.com>
Reviewed-by: Thanos Makatos <thanos.makatos@nutanix.com>
Diffstat (limited to 'test/py')
-rw-r--r-- | test/py/libvfio_user.py | 2 | ||||
-rw-r--r-- | test/py/test_setup_region.py | 19 |
2 files changed, 21 insertions, 0 deletions
diff --git a/test/py/libvfio_user.py b/test/py/libvfio_user.py
index 77b3b67..cbe6156 100644
--- a/test/py/libvfio_user.py
+++ b/test/py/libvfio_user.py
@@ -42,6 +42,8 @@ import socket
 import struct
 import syslog
+UINT64_MAX = 18446744073709551615
+
 # from linux/pci_regs.h and linux/pci_defs.h
 PCI_HEADER_TYPE_NORMAL = 0
diff --git a/test/py/test_setup_region.py b/test/py/test_setup_region.py
index ac6dc03..76cd1d9 100644
--- a/test/py/test_setup_region.py
+++ b/test/py/test_setup_region.py
@@ -174,5 +174,24 @@ def test_setup_region_cfg_always_cb():
 disconnect_client(ctx, sock)
+def test_region_offset_overflow():
+ global ctx
+
+ ret = vfu_setup_region(ctx, index=VFU_PCI_DEV_CFG_REGION_IDX,
+ size=PCI_CFG_SPACE_EXP_SIZE, cb=pci_cfg_region_cb,
+ flags=(VFU_REGION_FLAG_RW))
+ assert ret == 0
+
+ ret = vfu_realize_ctx(ctx)
+ assert ret == 0
+
+ sock = connect_client(ctx)
+
+ read_region(ctx, sock, VFU_PCI_DEV_CFG_REGION_IDX,
+ offset=UINT64_MAX, count=256, expect=errno.EINVAL)
+
+ disconnect_client(ctx, sock)
+
+
 def test_setup_region_cleanup():
 vfu_destroy_ctx(ctx) |
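Review bot: UINT64_MAX is written as a bare 20-digit decimal literal, which a reader cannot check at a glance against the 64-bit limit the new test is probing; `UINT64_MAX = (1 << 64) - 1` states the intent directly and evaluates to the same value. A one-line comment such as `# largest value a vfio-user 64-bit offset field can carry; used to exercise offset + count wrap-around` next to it would also tell the next person why the test helper module carries this constant.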
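Review bot: test_region_offset_overflow exercises the wrap-around only at the single point offset=UINT64_MAX, so it pins the rejection path but not the boundary the saturating comparison is meant to preserve — a read that ends exactly at the region size must still succeed, otherwise a fix that is merely stricter than necessary would pass this test. I would add a second `read_region(ctx, sock, VFU_PCI_DEV_CFG_REGION_IDX, offset=PCI_CFG_SPACE_EXP_SIZE - 256, count=256)` before the disconnect, assuming read_region's default expectation is success (its definition is outside this hunk), and a case one byte past the end (`offset=PCI_CFG_SPACE_EXP_SIZE - 255, count=256, expect=errno.EINVAL`) so both sides of the limit are checked. The function also has no docstring; `"""Regression for #624: offset + count wrapping past UINT64_MAX must be rejected with EINVAL, not treated as in-bounds."""` would record what it guards against. `global ctx` is not needed for a read-only use of the module-level ctx, though it matches the neighbouring tests.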