Guest-supplied values (hart IDs, VirtIO descriptor indices, MMIO register addresses) were used as array indices or memory offsets without bounds validation, allowing a malicious guest to read/write host memory.

Security fixes:
- SBI HSM: validate hartid < n_hart before indexing vm->hart[]
- VirtIO-blk: validate desc_idx < QueueNum in descriptor chain walk; overflow-safe sector+length check against disk capacity
- VirtIO-net: replace stack buffer copy with writev() for SLIRP TX, upgrade pipe to SOCK_DGRAM socketpair for message framing
- VirtIO-rng: clamp read() error return to 0
- PLIC: validate context index < ARRAY_SIZE(ie) after address decode
- ACLINT: add n_hart to state structs, validate mtimecmp/msip/ssip array indices against it

Performance:
- SMP hart_exec_loop: call semu_step_chunk(SEMU_SMP_SLICE_STEPS) instead of semu_service_hart_step(steps=1), keeping execution inside the computed-goto fast path while preserving peripheral polling cadence

Correctness:
- VirtIO-snd: fix sizeof(info) -> sizeof(*info) in chmap handler; protect tx_ev_notify with mutex to eliminate data race
- VirtIO-fs: remove debug printf from readdirplus, use stderr for error messages
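The two VirtIO-blk checks named above (descriptor index against QueueNum, and an overflow-safe sector+length check against capacity) are the pattern behind most of this PR. The following is an added illustration, not semu's own code: the names vdisk_t, blk_request_in_bounds, walk_desc_chain, vq_desc_t and SECTOR_SIZE are assumptions for this example, and the disk size and descriptor table are constructed sample data.

```c
/* Added example (not semu's code): bounds and overflow checks for guest-supplied
 * VirtIO-blk values. vdisk_t, blk_request_in_bounds, walk_desc_chain, vq_desc_t
 * and SECTOR_SIZE are names assumed for this illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SECTOR_SIZE 512u /* virtio-blk addresses the disk in 512-byte sectors */

typedef struct {
    uint64_t capacity; /* disk size in bytes */
} vdisk_t;

/* True only if [sector*512, sector*512 + len) lies inside the disk.
 * The multiplication and the addition are each checked for wrap-around
 * before they are performed, so a huge sector or len cannot wrap to a
 * small, apparently valid offset. */
bool blk_request_in_bounds(const vdisk_t *disk, uint64_t sector, uint64_t len)
{
    if (sector > UINT64_MAX / SECTOR_SIZE)
        return false; /* sector * SECTOR_SIZE would overflow */
    uint64_t offset = sector * SECTOR_SIZE;
    if (len > UINT64_MAX - offset)
        return false; /* offset + len would overflow */
    return offset + len <= disk->capacity;
}

/* Minimal split-virtqueue descriptor as laid out in the VirtIO spec. */
typedef struct {
    uint64_t addr;
    uint32_t len;
    uint16_t flags;
    uint16_t next;
} vq_desc_t;

#define VIRTQ_DESC_F_NEXT 1

/* Walk a descriptor chain starting at head. Every index comes from the guest,
 * so it is checked against queue_num before desc[idx] is touched; a chain
 * longer than queue_num descriptors must contain a cycle and is rejected.
 * Returns the chain length, or -1 if the chain is malformed. */
int walk_desc_chain(const vq_desc_t *desc, uint32_t queue_num, uint16_t head)
{
    uint32_t count = 0;
    uint16_t idx = head;
    for (;;) {
        if (idx >= queue_num)
            return -1; /* out-of-range index: would read past the table */
        if (++count > queue_num)
            return -1; /* cycle: more links than descriptors */
        if (!(desc[idx].flags & VIRTQ_DESC_F_NEXT))
            return (int) count;
        idx = desc[idx].next;
    }
}

int main(void)
{
    vdisk_t disk = { .capacity = 1024 * SECTOR_SIZE }; /* constructed 512 KiB disk */
    printf("last sector ok: %d\n", blk_request_in_bounds(&disk, 1023, 512));
    printf("wrapping sector rejected: %d\n",
           blk_request_in_bounds(&disk, UINT64_MAX, 512));

    /* constructed table: 0 -> 1 -> end, 2 -> 9 (out of range), 3 -> 3 (loop) */
    vq_desc_t table[4] = {
        { 0, 16, VIRTQ_DESC_F_NEXT, 1 },
        { 0, 16, 0, 0 },
        { 0, 16, VIRTQ_DESC_F_NEXT, 9 },
        { 0, 16, VIRTQ_DESC_F_NEXT, 3 },
    };
    printf("chain 0: %d, chain 2: %d, chain 3: %d\n",
           walk_desc_chain(table, 4, 0), walk_desc_chain(table, 4, 2),
           walk_desc_chain(table, 4, 3));
    return 0;
}
```

The cycle check matters as much as the range check: a guest that supplies a well-formed loop of in-range indices would otherwise keep the host in the walk indefinitely.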
Summary by cubic

Hardened guest-facing paths across SBI HSM, PLIC, ACLINT, and VirtIO to block out-of-bounds accesses, plus a small SMP execution speedup and correctness fixes.

Bug Fixes
- ACLINT: add n_hart to ACLINT state; bound-check mtimecmp/msip/ssip accesses.
- PLIC: bound-check context index against ie array size.
- virtio-blk: bound-check descriptor indices; use overflow-safe sector+length check against disk capacity.
- virtio-net (SLIRP): send with writev(); switch pipes to socketpair(AF_UNIX, SOCK_DGRAM) for message framing; use recv() and cap reads to SLIRP_PKT_MAX.
- virtio-rng: clamp negative read() results to 0.
- virtio-snd fixes sizeof(*info) and protects tx_ev_notify with a mutex; virtio-fs removes noisy prints and logs errors to stderr.

Performance
- SMP hart_exec_loop: call semu_step_chunk(SEMU_SMP_SLICE_STEPS) per slice, keeping the computed-goto fast path while preserving peripheral polling cadence.

Written for commit 18a3dcb.
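The virtio-net item in both the commit message and the summary (writev() for TX, a SOCK_DGRAM socketpair for framing, recv() capped at SLIRP_PKT_MAX) is easiest to see side by side with the stream alternative. The following is an added example, not semu's code: PKT_MAX stands in for SLIRP_PKT_MAX, send_packet and first_recv_len are names assumed for this illustration, and the header and payloads are constructed.

```c
/* Added example (not semu's code): a SOCK_DGRAM socketpair preserves packet
 * boundaries where a pipe or SOCK_STREAM socket does not, and a bounded recv()
 * caps the copy. PKT_MAX stands in for SLIRP_PKT_MAX; send_packet and
 * first_recv_len are names assumed for this illustration. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

#define PKT_MAX 2048 /* assumed cap on one received packet */

/* Send header and payload as one message with writev(): the kernel gathers
 * the two buffers, so no intermediate stack buffer sized by the packet is
 * needed on the sending side. */
static ssize_t send_packet(int fd, const void *hdr, size_t hlen,
                           const void *payload, size_t plen)
{
    struct iovec iov[2] = {
        { .iov_base = (void *) hdr, .iov_len = hlen },
        { .iov_base = (void *) payload, .iov_len = plen },
    };
    return writev(fd, iov, 2);
}

/* Queue two packets (9 and 17 bytes), then read once into a bounded buffer.
 * With SOCK_DGRAM the read returns exactly the first packet (9 bytes); with
 * SOCK_STREAM the bytes of both packets arrive as one run and the receiver
 * would have to recover the boundaries itself.
 * Returns the byte count of that first recv(), or -1 on error. */
ssize_t first_recv_len(int use_dgram)
{
    int sv[2];
    int type = use_dgram ? SOCK_DGRAM : SOCK_STREAM;
    if (socketpair(AF_UNIX, type, 0, sv) < 0)
        return -1;

    const char hdr[4] = { 'H', 'D', 'R', ':' }; /* constructed 4-byte header */
    const char *p1 = "first";                    /* 5-byte constructed payload */
    const char *p2 = "second-packet";            /* 13-byte constructed payload */
    if (send_packet(sv[0], hdr, sizeof hdr, p1, strlen(p1)) < 0 ||
        send_packet(sv[0], hdr, sizeof hdr, p2, strlen(p2)) < 0) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }

    /* The receive buffer is fixed at PKT_MAX and recv() never writes past it;
     * a datagram larger than PKT_MAX is truncated rather than overrunning. */
    char buf[PKT_MAX];
    ssize_t n = recv(sv[1], buf, sizeof buf, MSG_DONTWAIT);
    close(sv[0]);
    close(sv[1]);
    return n;
}

int main(void)
{
    printf("SOCK_DGRAM first recv: %zd bytes\n", first_recv_len(1));
    printf("SOCK_STREAM first recv: %zd bytes\n", first_recv_len(0));
    return 0;
}
```

On the datagram pair each recv() hands back one whole packet, so the reader never has to trust a length field inside the data to find the next boundary; the fixed PKT_MAX buffer is what bounds the copy regardless of what the sender queued.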