packages/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
qemu/virtio-iommu-use-after-free-fix.patch

83 lines
2.5 KiB
Diff
Raw Normal View History

QEMU update to version 6.2.0-80(master) - io: remove io watch if TLS channel is closed during handshake - hw/ssi: Fix Linux driver init issue with xilinx_spi - chardev: report the handshake error - vhost: Drop unused eventfd_add|del hooks - virtio-iommu: use-after-free fix - hw/arm/virt: Check for attempt to use TrustZone with KVM or HVF - hw/rx: rx-gdbsim DTB load address aligned of 16byte - vhost-user: Use correct macro name TARGET_PPC64 - accel/kvm: Make kvm_dirty_ring_reaper_init() void - accel/kvm: Free as when an error occurred Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com>
2023-09-09 10:44:03 +08:00
From ab4228f1a5b45450490077a06094670f364b4efc Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Mon, 21 Aug 2023 06:02:21 +0000
Subject: [PATCH] virtio-iommu: use-after-free fix mainline inclusion commit
4bf58c7213b0ab03209a53731c71f0861c35ef91 category: bugfix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---------------------------------------------------------------
A potential Use-after-free was reported in virtio_iommu_handle_command
when using virtio-iommu:
> I find a potential Use-after-free in QEMU 6.2.0, which is in
> virtio_iommu_handle_command() (./hw/virtio/virtio-iommu.c).
>
>
> Specifically, in the loop body, the variable 'buf' allocated at line 639 can be
> freed by g_free() at line 659. However, if the execution path enters the loop
> body again and the if branch takes true at line 616, the control will directly
> jump to 'out' at line 651. At this time, 'buf' is a freed pointer, which is not
> assigned with an allocated memory but used at line 653. As a result, a UAF bug
> is triggered.
>
>
>
> 599 for (;;) {
> ...
> 615 sz = iov_to_buf(iov, iov_cnt, 0, &head, sizeof(head));
> 616 if (unlikely(sz != sizeof(head))) {
> 617 tail.status = VIRTIO_IOMMU_S_DEVERR;
> 618 goto out;
> 619 }
> ...
> 639 buf = g_malloc0(output_size);
> ...
> 651 out:
> 652 sz = iov_from_buf(elem->in_sg, elem->in_num, 0,
> 653 buf ? buf : &tail, output_size);
> ...
> 659 g_free(buf);
>
> We can fix it by set buf to NULL after freeing it:
>
>
> 651 out:
> 652 sz = iov_from_buf(elem->in_sg, elem->in_num, 0,
> 653 buf ? buf : &tail, output_size);
> ...
> 659 g_free(buf);
> +++ buf = NULL;
> 660 }
Fix as suggested by the reporter.
Signed-off-by: Wentao Liang <Wentao_Liang_g@163.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 20220407095047.50371-1-mst@redhat.com
Message-ID: <20220406040445-mutt-send-email-mst@kernel.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
hw/virtio/virtio-iommu.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/virtio/virtio-iommu.c b/hw/virtio/virtio-iommu.c
index 1b23e8e18c..ed47d4cb64 100644
--- a/hw/virtio/virtio-iommu.c
+++ b/hw/virtio/virtio-iommu.c
@@ -657,6 +657,7 @@ out:
virtio_notify(vdev, vq);
g_free(elem);
g_free(buf);
+ buf = NULL;
}
}
--
2.41.0.windows.1
Reference in New Issue Copy Permalink