Bytes: Fix read() and write()

XanClic · bonzini · commit 1d3c09b554bc · 2025-09-26T17:09:18.000+02:00
read() and write() must not ignore the `count` parameter: The mappings
passed into the `try_access()` closure are only valid for up to `count`
bytes, not more.

(Note: We cannot really have a test case for this, as right now, memory
fragmentation will only happen exactly at memory region boundaries.  In
this case, `region.write()`/`region.read()` will only access the region
up until its end, even if the passed slice is longer, and so silently
ignore the length mismatch.  This change is necessary for when page
boundaries result in different mappings within a single region, i.e. the
region does not end at the fragmentation point, and calling
`region.write()`/`region.read()` would write/read across the boundary.
Because we don’t have IOMMU support yet, this can’t be tested.)

Signed-off-by: Hanna Czenczek &lt;hreitz@redhat.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -34,6 +34,10 @@
   The `mmap(2)` syscall itself already validates that offset and length are valid, and trying to replicate this check
   in userspace ended up being imperfect.
 
+### Fixed
+
+- \[[#339](https://github.com/rust-vmm/vm-memory/pull/339)\] Fix `Bytes::read()` and `Bytes::write()` not to ignore `try_access()`'s `count` parameter
+
 ## \[v0.16.1\]
 
 ### Added
diff --git a/src/guest_memory.rs b/src/guest_memory.rs
@@ -558,8 +558,8 @@ impl<T: GuestMemory + ?Sized> Bytes<GuestAddress> for T {
         self.try_access(
             buf.len(),
             addr,
-            |offset, _count, caddr, region| -> Result<usize> {
-                region.write(&buf[offset..], caddr)
+            |offset, count, caddr, region| -> Result<usize> {
+                region.write(&buf[offset..(offset + count)], caddr)
             },
         )
     }
@@ -568,8 +568,8 @@ impl<T: GuestMemory + ?Sized> Bytes<GuestAddress> for T {
         self.try_access(
             buf.len(),
             addr,
-            |offset, _count, caddr, region| -> Result<usize> {
-                region.read(&mut buf[offset..], caddr)
+            |offset, count, caddr, region| -> Result<usize> {
+                region.read(&mut buf[offset..(offset + count)], caddr)
             },
         )
     }

Original file line number	Diff line number	Diff line change
`@@ -558,8 +558,8 @@ impl<T: GuestMemory + ?Sized> Bytes<GuestAddress> for T {`
`558`	`558`	`self.try_access(`
`559`	`559`	`buf.len(),`
`560`	`560`	`addr,`
`561`		`- \|offset, _count, caddr, region\| -> Result<usize> {`
`562`		`- region.write(&buf[offset..], caddr)`
	`561`	`+ \|offset, count, caddr, region\| -> Result<usize> {`
	`562`	`+ region.write(&buf[offset..(offset + count)], caddr)`
`563`	`563`	`},`
`564`	`564`	`)`
`565`	`565`	`}`
`@@ -568,8 +568,8 @@ impl<T: GuestMemory + ?Sized> Bytes<GuestAddress> for T {`
`568`	`568`	`self.try_access(`
`569`	`569`	`buf.len(),`
`570`	`570`	`addr,`
`571`		`- \|offset, _count, caddr, region\| -> Result<usize> {`
`572`		`- region.read(&mut buf[offset..], caddr)`
	`571`	`+ \|offset, count, caddr, region\| -> Result<usize> {`
	`572`	`+ region.read(&mut buf[offset..(offset + count)], caddr)`
`573`	`573`	`},`
`574`	`574`	`)`
`575`	`575`	`}`