DSAN warnings suggest invalid page accesses in prl_tg/Toolgate/Guest/Linux/prl_tg/prltg_call.c

Discussion in 'Linux Virtual Machine' started by JohnB77, Jul 4, 2024.

Tags:
  1. JohnB77

    JohnB77 Bit poster

    Messages:
    1
    Getting the following DSAN errors,
    Code:
    [    0.300325] UBSAN: array-index-out-of-bounds in /var/lib/dkms/parallels-tools/19.4.1.54985/build/prl_tg/Toolgate/Guest/Linux/prl_tg/prltg_call.c:83:10
[    0.300327] index 0 is out of range for type 'page *[*]'
[    0.300396] UBSAN: array-index-out-of-bounds in /var/lib/dkms/parallels-tools/19.4.1.54985/build/prl_tg/Toolgate/Guest/Linux/prl_tg/prltg_call.c:84:3
[    0.300397] index 0 is out of range for type 'page *[*]'
[    0.300448] UBSAN: array-index-out-of-bounds in /var/lib/dkms/parallels-tools/19.4.1.54985/build/prl_tg/Toolgate/Guest/Linux/prl_tg/prltg_call.c:86:10
[    0.300449] index 0 is out of range for type 'page *[*]'
[    0.300516] UBSAN: array-index-out-of-bounds in /var/lib/dkms/parallels-tools/19.4.1.54985/build/prl_tg/Toolgate/Guest/Linux/prl_tg/prltg_call.c:245:4
[    0.300517] index 0 is out of range for type 'page *[*]'
[    8.065926] UBSAN: array-index-out-of-bounds in /var/lib/dkms/parallels-tools/19.4.1.54985/build/prl_tg/Toolgate/Guest/Linux/prl_tg/prltg_call.c:143:21
[    8.065929] index 0 is out of range for type 'page *[*]'
[    8.065983] UBSAN: array-index-out-of-bounds in /var/lib/dkms/parallels-tools/19.4.1.54985/build/prl_tg/Toolgate/Guest/Linux/prl_tg/prltg_call.c:242:25
[    8.065984] index 0 is out of range for type 'page *[*]'
    Checking the Parallels Tools module source, it does look like there's an error where loops start from 0, which cause attempting to act on index 0 on a index of pages.

    ie, prltg_call.c:84:3 and 86:10 refer to this loop
    Code:
            for (i = 0; i < count; i++, mem += PAGE_SIZE, uple->count++) {
                dma_addr_t addr;

                uple->p[i] = vmalloc_to_page(mem);
                page_cache_get(uple->p[i]);

                addr = dma_map_page(prl_tg_get_device_from_pci_device(pdev), uple->p[i], 0, PAGE_SIZE,
                                    DMA_BIDIRECTIONAL);
                dst->RequestPages[i] = dma_addr_to_pfn(addr);
                if (!dst->RequestPages[i]) {
                        page_cache_release(uple->p[i]);
                        goto err;
                }
        }
    This *might* be introducing access to unauthorised pages, so should probably be audited to make sure it is not a security hole, and is correct behaviour.
     
    JohnB77, Jul 4, 2024
    #1
    Johan11 likes this.
  2. Johan11

    Johan11

    Messages:
    3
    Johan11, Aug 31, 2024
    #2
  3. MetinK2

    MetinK2 Bit poster

    Messages:
    4
    I observe the same issue on Ubuntu-25.04. It makes Parallels driver unusable (shared folders feature does not work).
    Code:
    [    6.217435] ------------[ cut here ]------------
[    6.217435] UBSAN: array-index-out-of-bounds in prltg_call.c:245:4
[    6.217568] index 0 is out of range for type 'page *[*]'
[    6.217699] CPU: 0 UID: 0 PID: 2245 Comm: prltoolsd Tainted: P        W  OE      6.14.0-16-generic #16-Ubuntu
[    6.217700] Tainted: [P]=PROPRIETARY_MODULE, [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
[    6.217700] Hardware name: Parallels International GmbH. Parallels ARM Virtual Machine/Parallels ARM Virtual Platform, BIOS 20.2.2 (55879) Sat, 22 Feb 202
[    6.217700] Call trace:
[    6.217700]  show_stack+0x38/0xa0 (C)
[    6.217701]  dump_stack_lvl+0x84/0xc0
[    6.217702]  dump_stack+0x1c/0x40
[    6.217703]  ubsan_epilogue+0x14/0x60
[    6.217705]  __ubsan_handle_out_of_bounds+0xc4/0xe8
[    6.217705]  tg_req_unmap_pages+0x1ec/0x430 [prl_tg]
[    6.217706]  tg_req_destroy+0x50/0xb0 [prl_tg]
[    6.217707]  call_tg_sync_ex+0x48/0x88 [prl_tg]
[    6.217708]  prl_tg_write+0xe0/0x118 [prl_tg]
[    6.217709]  proc_reg_write+0xd4/0x160
[    6.217710]  vfs_write+0xe0/0x3b0
[    6.217711]  ksys_write+0x7c/0x138
[    6.217711]  __arm64_sys_write+0x28/0x58
[    6.217712]  invoke_syscall+0x70/0x120
[    6.217713]  el0_svc_common.constprop.0+0x4c/0x140
[    6.217714]  do_el0_svc+0x28/0x60
[    6.217715]  el0_svc+0x40/0x1a0
[    6.217717]  el0t_64_sync_handler+0x134/0x160
[    6.217718]  el0t_64_sync+0x1b8/0x1c0
[    6.217719] ---[ end trace ]---
[    6.307519] NET: Registered PF_QIPCRTR protocol family
[    7.236359] loop33: detected capacity change from 0 to 8
[   18.782732] rfkill: input handler disabled
     
    MetinK2, May 1, 2025
    #3
  4. Pramesh Boodadoo

    Pramesh Boodadoo Team Manager Staff Member

    Messages:
    620
    Hello,
    Thank you for reporting this issue.
    While this issue is being investigated by our Development Team, a work-around has been provided here.
    Thank you.
     
    Pramesh Boodadoo, May 12, 2025
    #4

Share This Page