From 0a731ac1191182546e80af5f39d178a5a2f3688f Mon Sep 17 00:00:00 2001
From: Eric Auger <eric.auger@redhat.com>
Date: Mon, 17 Jul 2023 18:21:26 +0200
Subject: [PATCH 07/14] hw/virtio-iommu: Fix potential OOB access in
 virtio_iommu_handle_command()

RH-Author: Eric Auger <eric.auger@redhat.com>
RH-MergeRequest: 197: virtio-iommu/smmu: backport some late fixes
RH-Bugzilla: 2229133
RH-Acked-by: Thomas Huth <thuth@redhat.com>
RH-Acked-by: Peter Xu <peterx@redhat.com>
RH-Commit: [1/3] ecdb1e1aa6b93761dc87ea79bc0a1093ad649a74 (eauger1/centos-qemu-kvm)

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2229133

In the virtio_iommu_handle_command() when a PROBE request is handled,
output_size takes a value greater than the tail size and on a subsequent
iteration we can get a stack out-of-band access. Initialize the
output_size on each iteration.

The issue was found with ASAN. Credits to:
Yiming Tao (Zhejiang University)
Gaoning Pan (Zhejiang University)

Fixes: 1733eebb9e7 ("virtio-iommu: Implement RESV_MEM probe request")
Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reported-by: Mauro Matteo Cascella <mcascell@redhat.com>
Cc: qemu-stable@nongnu.org

Message-Id: <20230717162126.11693-1-eric.auger@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit cf2f89edf36a59183166ae8721a8d7ab5cd286bd)
Signed-off-by: Eric Auger <eric.auger@redhat.com>
---
hw/virtio/virtio-iommu.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/hw/virtio/virtio-iommu.c b/hw/virtio/virtio-iommu.c
index 421e2a944f..17ce630200 100644
--- a/hw/virtio/virtio-iommu.c
+++ b/hw/virtio/virtio-iommu.c
@@ -728,13 +728,15 @@ static void virtio_iommu_handle_command(VirtIODevice *vdev, VirtQueue *vq)
VirtIOIOMMU *s = VIRTIO_IOMMU(vdev);
struct virtio_iommu_req_head head;
struct virtio_iommu_req_tail tail = {};
- size_t output_size = sizeof(tail), sz;
VirtQueueElement *elem;
unsigned int iov_cnt;
struct iovec *iov;
void *buf = NULL;
+ size_t sz;

for (;;) {
+ size_t output_size = sizeof(tail);
+
elem = virtqueue_pop(vq, sizeof(VirtQueueElement));
if (!elem) {
return;
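Review bot: the new `size_t output_size = sizeof(tail);` at the top of the `for (;;)` body deserves a one-line comment saying why it must be re-initialised on every iteration (the commit message explains that a PROBE request raises it above the tail size, and a stale value would carry into the next request's tail copy); without that note a later cleanup could hoist it back out of the loop and silently reintroduce the over-read. Worth mentioning in the same comment that `void *buf = NULL;` stays declared outside the loop while its paired length now lives inside, so the two are no longer side by side.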
--
2.39.3
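The defect class the commit message describes, a reply length that is set once before a request loop and survives into later iterations, can be shown in isolation. The following is an added illustration, not QEMU code: the request opcodes, the 4-byte `req_tail`, `PROBE_REPLY_SIZE`, and the bounded `copy_reply` helper are all constructed for the example. `run_requests` runs the same loop in both shapes, with `output_size` hoisted above the loop (the placement the patch removes) and reset per iteration (the patch's fix), and instead of performing the over-read it counts how many replies would have read past their source object.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of a request-processing loop (not QEMU code).
 * Each request answers with a small 'tail' that lives on the stack;
 * a PROBE request instead answers with a larger buffer and raises
 * output_size to that buffer's length.
 */
enum req_type { REQ_ATTACH = 1, REQ_PROBE = 5 };   /* hypothetical opcodes */

struct req_tail {
    uint8_t status;
    uint8_t reserved[3];
};                                                  /* 4 bytes on the stack */

#define PROBE_REPLY_SIZE 64                         /* hypothetical probe reply length */

/*
 * Bounded stand-in for the copy into the guest's reply buffer. Rather than
 * reading past the source object (the real defect), it reports the
 * over-read so the two loop variants can be compared safely.
 */
static int copy_reply(uint8_t *dst, size_t dst_len,
                      const void *src, size_t src_len, size_t count)
{
    if (count > src_len || count > dst_len) {
        return -1;                                  /* would over-read or over-write */
    }
    memcpy(dst, src, count);
    return 0;
}

/*
 * Process a batch of request opcodes. With reset_each_iteration == 0,
 * output_size is initialised once before the loop (the pattern the patch
 * removes); with 1 it is re-initialised per request (the patch's fix).
 * Returns how many replies would have read beyond their source object.
 */
int run_requests(const enum req_type *reqs, size_t n, int reset_each_iteration)
{
    struct req_tail tail;
    uint8_t probe_buf[PROBE_REPLY_SIZE];
    uint8_t guest_reply[PROBE_REPLY_SIZE];
    size_t output_size = sizeof(tail);              /* hoisted: the buggy placement */
    int over_reads = 0;

    for (size_t i = 0; i < n; i++) {
        if (reset_each_iteration) {
            output_size = sizeof(tail);             /* fixed: reset for every request */
        }
        memset(&tail, 0, sizeof(tail));

        if (reqs[i] == REQ_PROBE) {
            /* probe reply: larger buffer, output_size grows to match it */
            memset(probe_buf, 0, sizeof(probe_buf));
            output_size = PROBE_REPLY_SIZE;
            if (copy_reply(guest_reply, sizeof(guest_reply),
                           probe_buf, sizeof(probe_buf), output_size) < 0) {
                over_reads++;
            }
        } else {
            /* ordinary reply: only the 4-byte tail, but output_size may be stale */
            if (copy_reply(guest_reply, sizeof(guest_reply),
                           &tail, sizeof(tail), output_size) < 0) {
                over_reads++;
            }
        }
    }
    return over_reads;
}

/* PROBE followed by an ordinary request: the sequence that exposes the defect. */
static const enum req_type probe_then_attach[] = { REQ_PROBE, REQ_ATTACH };

int over_reads_without_reset(void)
{
    return run_requests(probe_then_attach, 2, 0);   /* 1: stale 64 read from a 4-byte tail */
}

int over_reads_with_reset(void)
{
    return run_requests(probe_then_attach, 2, 1);   /* 0 */
}

int main(void)
{
    printf("hoisted output_size: %d over-read(s)\n", over_reads_without_reset());
    printf("per-iteration output_size: %d over-read(s)\n", over_reads_with_reset());
    return 0;
}
```

The sequence that matters is a PROBE followed by any other request: the probe legitimately sets the length to 64, and if that length is not reset, the next request copies 64 bytes from a 4-byte stack object. ASAN catches this in the real code because the stack redzone past `tail` is poisoned; the bounded helper here makes the same condition observable without undefined behaviour.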