Harden VirtIO, PLIC, ACLINT, and SBI#128

Merged: jserv merged 1 commit into master from improve on Apr 24, 2026
Conversation

@jserv jserv (Collaborator) commented Apr 24, 2026

Guest-supplied values (hart IDs, VirtIO descriptor indices, MMIO register addresses) were used as array indices or memory offsets without bounds validation, allowing a malicious guest to read/write host memory.

Security fixes:

  • SBI HSM: validate hartid < n_hart before indexing vm->hart[]
  • VirtIO-blk: validate desc_idx < QueueNum in descriptor chain walk; overflow-safe sector+length check against disk capacity
  • VirtIO-net: replace stack buffer copy with writev() for SLIRP TX, upgrade pipe to SOCK_DGRAM socketpair for message framing
  • VirtIO-rng: clamp read() error return to 0
  • PLIC: validate context index < ARRAY_SIZE(ie) after address decode
  • ACLINT: add n_hart to state structs, validate mtimecmp/msip/ssip array indices against it

Performance:

  • SMP hart_exec_loop: call semu_step_chunk(SEMU_SMP_SLICE_STEPS) instead of semu_service_hart_step(steps=1), keeping execution inside the computed-goto fast path while preserving peripheral polling cadence

Correctness:

  • VirtIO-snd: fix sizeof(info) -> sizeof(*info) in chmap handler; protect tx_ev_notify with mutex to eliminate data race
  • VirtIO-fs: remove debug printf from readdirplus, use stderr for error messages

Summary by cubic

Hardened guest-facing paths across SBI HSM, PLIC, ACLINT, and VirtIO to block out-of-bounds accesses, plus a small SMP execution speedup and correctness fixes.

  • Bug Fixes

    • SBI HSM and ACLINT: validate hart IDs and add n_hart to ACLINT state; bound-check mtimecmp/msip/ssip accesses.
    • PLIC: validate decoded context index against ie array size.
    • virtio-blk: bound-check descriptor indices; use overflow-safe sector+length check against disk capacity.
    • virtio-net (SLIRP): send with writev(); switch pipes to socketpair(AF_UNIX, SOCK_DGRAM) for message framing; use recv() and cap reads to SLIRP_PKT_MAX.
    • virtio-rng: clamp negative read() results to 0.
    • Misc: virtio-snd fixes sizeof(*info) and protects tx_ev_notify with a mutex; virtio-fs removes noisy prints and logs errors to stderr.
  • Performance

    • SMP loop now calls semu_step_chunk(SEMU_SMP_SLICE_STEPS) per slice, keeping the computed-goto fast path while preserving peripheral polling cadence.

Written for commit 18a3dcb. Summary will update on new commits.
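The two bounds checks in the description (descriptor index against the queue size, and an overflow-safe sector+length check against disk capacity), as an added C example. This is not semu's code: the names (`vq_desc`, `walk_chain`, `blk_in_range`, `QUEUE_NUM`, `sample_ring`) and the constructed ring contents are assumptions for illustration. The wrapping range check is shown beside the hardened one, and the chain walk additionally caps the number of descriptors visited, which also rejects a chain that loops back on itself, a step beyond the list in the PR.

```c
/* Added example, not semu's code: validating guest-controlled virtqueue
 * indices and block request ranges. All names and the sample ring are
 * invented for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define QUEUE_NUM 8              /* assumed queue size for the sample ring */
#define SECTOR_SIZE 512ULL
#define VIRTQ_DESC_F_NEXT 1      /* virtio split-ring "next field is valid" */

/* Split-virtqueue descriptor as laid out in guest memory. */
struct vq_desc {
    uint64_t addr;
    uint32_t len;
    uint16_t flags;
    uint16_t next;
};

/* Walk a descriptor chain starting at head, writing the visited indices to out.
 * head and every next value come from the guest, so each is checked against
 * queue_num before it is used as an array index. The visit count is also
 * bounded by queue_num, which stops a chain that loops back on itself (not one
 * of the fixes listed in the PR, but the same class of guest-driven OOB/hang).
 * Returns the chain length, or -1 for a malformed chain. */
static int walk_chain(const struct vq_desc *ring, uint16_t queue_num,
                      uint16_t head, uint16_t *out, size_t out_cap)
{
    uint16_t idx = head;
    size_t n = 0;

    for (;;) {
        if (idx >= queue_num)               /* guest index out of range */
            return -1;
        if (n >= queue_num || n >= out_cap) /* longer than the ring: a cycle */
            return -1;
        out[n++] = idx;
        if (!(ring[idx].flags & VIRTQ_DESC_F_NEXT))
            return (int) n;
        idx = ring[idx].next;               /* validated on the next iteration */
    }
}

/* Vulnerable form: sector * 512 + len is computed in 64 bits and can wrap, so
 * a sector near 2^55 yields a tiny sum that passes the comparison while the
 * later disk access lands far past the image. */
static bool blk_in_range_naive(uint64_t sector, uint32_t len, uint64_t disk_size)
{
    return sector * SECTOR_SIZE + len <= disk_size;
}

/* Hardened form: reject the sector first, so sector * SECTOR_SIZE is known to
 * lie below disk_size, then compare len against the remaining bytes with a
 * subtraction that cannot underflow. */
static bool blk_in_range(uint64_t sector, uint32_t len, uint64_t disk_size)
{
    uint64_t nsectors = disk_size / SECTOR_SIZE;
    if (sector >= nsectors)
        return false;
    uint64_t off = sector * SECTOR_SIZE;
    return len <= disk_size - off;
}

/* Constructed sample ring (not a captured guest state):
 *   chain from 0: 0 -> 1 -> 2, well formed
 *   chain from 3: 3 -> 100, next index outside the ring
 *   chain from 4: 4 -> 5 -> 4, a cycle */
static const struct vq_desc sample_ring[QUEUE_NUM] = {
    [0] = { .addr = 0x80001000, .len = 16,  .flags = VIRTQ_DESC_F_NEXT, .next = 1 },
    [1] = { .addr = 0x80002000, .len = 512, .flags = VIRTQ_DESC_F_NEXT, .next = 2 },
    [2] = { .addr = 0x80003000, .len = 1,   .flags = 0,                 .next = 0 },
    [3] = { .addr = 0x80004000, .len = 16,  .flags = VIRTQ_DESC_F_NEXT, .next = 100 },
    [4] = { .addr = 0x80005000, .len = 16,  .flags = VIRTQ_DESC_F_NEXT, .next = 5 },
    [5] = { .addr = 0x80006000, .len = 16,  .flags = VIRTQ_DESC_F_NEXT, .next = 4 },
};

/* Chain length for a head index in the sample ring, or -1 if rejected. */
static int chain_len(uint16_t head)
{
    uint16_t idxs[QUEUE_NUM];
    return walk_chain(sample_ring, QUEUE_NUM, head, idxs, QUEUE_NUM);
}

int main(void)
{
    const uint64_t disk = 1ULL << 20;   /* 1 MiB image, 2048 sectors */
    printf("chain 0: %d, chain 3: %d, chain 4: %d, head 100: %d\n",
           chain_len(0), chain_len(3), chain_len(4), chain_len(100));
    printf("sector 2^55, len 512: naive=%d hardened=%d\n",
           blk_in_range_naive(1ULL << 55, 512, disk),
           blk_in_range(1ULL << 55, 512, disk));
    return 0;
}
```

The same pattern covers the SBI HSM, PLIC and ACLINT fixes: the guest value (hart ID, context index, register offset) is compared against the size of the array it selects before it is used, and the comparison is arranged so no intermediate arithmetic can wrap.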

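The VirtIO-net change (writev() for TX, a SOCK_DGRAM socketpair for framing, recv() capped at SLIRP_PKT_MAX), as an added C example; it is not semu's or libslirp's code, and `PKT_MAX`, `send_frame`, `recv_frame` and the constructed frame sizes are assumptions. It contrasts a pipe, where two frames coalesce into one read, with a datagram socketpair, where each recv() returns exactly one frame and an oversized frame is truncated to the cap instead of spilling into the next one.

```c
/* Added example, not semu's or libslirp's code: why the virtio-net TX path
 * moved from a byte-stream pipe to a SOCK_DGRAM socketpair with writev()
 * and a capped recv(). PKT_MAX and the frame sizes are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

#define PKT_MAX 1514   /* assumed cap, standing in for SLIRP_PKT_MAX */

/* Hand one frame to the transport as a single write without first copying
 * header and payload into a fixed-size stack buffer: writev() gathers the two
 * iovecs itself, so there is no intermediate buffer to overflow. */
static ssize_t send_frame(int fd, const void *hdr, size_t hdr_len,
                          const void *payload, size_t payload_len)
{
    struct iovec iov[2] = {
        { .iov_base = (void *) hdr,     .iov_len = hdr_len },
        { .iov_base = (void *) payload, .iov_len = payload_len },
    };
    return writev(fd, iov, 2);
}

/* Pull one frame. On a datagram socket each recv() returns exactly one
 * sender-side writev(); a frame longer than the cap is truncated to it and the
 * excess discarded, so the following recv() still starts on a frame boundary.
 * Errors are clamped to 0 so callers never treat -1 as a length. */
static ssize_t recv_frame(int fd, uint8_t *buf, size_t cap)
{
    ssize_t n = recv(fd, buf, cap < PKT_MAX ? cap : PKT_MAX, 0);
    return n < 0 ? 0 : n;
}

/* Two constructed frames (14-byte header + 100 and 300 payload bytes) are sent
 * back to back, then one read is issued. Returns that read's length: a pipe
 * coalesces both frames (428 bytes, framing lost), a SOCK_DGRAM socketpair
 * yields exactly the first frame (114 bytes). */
static ssize_t first_read_len(int use_dgram)
{
    int fds[2];
    if (use_dgram ? socketpair(AF_UNIX, SOCK_DGRAM, 0, fds) : pipe(fds))
        return -1;
    uint8_t hdr[14] = {0}, a[100], b[300], buf[PKT_MAX];
    memset(a, 0xaa, sizeof a);
    memset(b, 0xbb, sizeof b);
    send_frame(fds[1], hdr, sizeof hdr, a, sizeof a);
    send_frame(fds[1], hdr, sizeof hdr, b, sizeof b);
    ssize_t n = use_dgram ? recv_frame(fds[0], buf, sizeof buf)
                          : read(fds[0], buf, sizeof buf);
    close(fds[0]);
    close(fds[1]);
    return n;
}

/* An oversized constructed frame (14 + 2000 bytes) followed by a normal one on
 * a datagram socketpair. Returns the second recv()'s length if the first was
 * truncated to PKT_MAX, -1 otherwise; 114 shows the frame boundary survived. */
static ssize_t oversized_then_normal(void)
{
    int fds[2];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, fds))
        return -1;
    uint8_t hdr[14] = {0}, big[2000], a[100], buf[PKT_MAX];
    memset(big, 0xcc, sizeof big);
    memset(a, 0xaa, sizeof a);
    send_frame(fds[1], hdr, sizeof hdr, big, sizeof big);
    send_frame(fds[1], hdr, sizeof hdr, a, sizeof a);
    ssize_t first = recv_frame(fds[0], buf, sizeof buf);
    ssize_t second = recv_frame(fds[0], buf, sizeof buf);
    close(fds[0]);
    close(fds[1]);
    return first == PKT_MAX ? second : -1;
}

int main(void)
{
    printf("pipe first read: %zd bytes\n", first_read_len(0));
    printf("dgram first read: %zd bytes\n", first_read_len(1));
    printf("after truncated frame, next recv: %zd bytes\n", oversized_then_normal());
    return 0;
}
```

With the pipe, the reader has to re-parse frame boundaries out of a byte stream, and a fixed stack buffer sized for one frame is exactly the kind of copy target the description replaces with writev(); with the datagram socketpair, the kernel keeps one writev() per recv() and the cap bounds what can land in the receive buffer.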

@cubic-dev-ai cubic-dev-ai Bot left a comment

No issues found across 11 files

@jserv jserv merged commit e9a64b7 into master Apr 24, 2026
11 checks passed
@jserv jserv deleted the improve branch April 24, 2026 13:07