packages/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
qemu/virtio-iommu-use-after-free-fix.patch
Jiabo Feng 62adddcd0b QEMU update to version 6.2.0-80(master) 
- io: remove io watch if TLS channel is closed during handshake
- hw/ssi: Fix Linux driver init issue with xilinx_spi
- chardev: report the handshake error
- vhost: Drop unused eventfd_add|del hooks
- virtio-iommu: use-after-free fix
- hw/arm/virt: Check for attempt to use TrustZone with KVM or HVF
- hw/rx: rx-gdbsim DTB load address aligned of 16byte
- vhost-user: Use correct macro name TARGET_PPC64
- accel/kvm: Make kvm_dirty_ring_reaper_init() void
- accel/kvm: Free as when an error occurred

Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com>
2023-09-09 10:44:03 +08:00

83 lines
2.5 KiB
Diff
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

From ab4228f1a5b45450490077a06094670f364b4efc Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Mon, 21 Aug 2023 06:02:21 +0000
Subject: [PATCH] virtio-iommu: use-after-free fix mainline inclusion commit
4bf58c7213b0ab03209a53731c71f0861c35ef91 category: bugfix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---------------------------------------------------------------
A potential Use-after-free was reported in virtio_iommu_handle_command
when using virtio-iommu:
> I find a potential Use-after-free in QEMU 6.2.0, which is in
> virtio_iommu_handle_command() (./hw/virtio/virtio-iommu.c).
>
>
> Specifically, in the loop body, the variable 'buf' allocated at line 639 can be
> freed by g_free() at line 659. However, if the execution path enters the loop
> body again and the if branch takes true at line 616, the control will directly
> jump to 'out' at line 651. At this time, 'buf' is a freed pointer, which is not
> assigned with an allocated memory but used at line 653. As a result, a UAF bug
> is triggered.
>
>
>
> 599 for (;;) {
> ...
> 615 sz = iov_to_buf(iov, iov_cnt, 0, &head, sizeof(head));
> 616 if (unlikely(sz != sizeof(head))) {
> 617 tail.status = VIRTIO_IOMMU_S_DEVERR;
> 618 goto out;
> 619 }
> ...
> 639 buf = g_malloc0(output_size);
> ...
> 651 out:
> 652 sz = iov_from_buf(elem->in_sg, elem->in_num, 0,
> 653 buf ? buf : &tail, output_size);
> ...
> 659 g_free(buf);
>
> We can fix it by set buf to NULL after freeing it:
>
>
> 651 out:
> 652 sz = iov_from_buf(elem->in_sg, elem->in_num, 0,
> 653 buf ? buf : &tail, output_size);
> ...
> 659 g_free(buf);
> +++ buf = NULL;
> 660 }
Fix as suggested by the reporter.
Signed-off-by: Wentao Liang <Wentao_Liang_g@163.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 20220407095047.50371-1-mst@redhat.com
Message-ID: <20220406040445-mutt-send-email-mst@kernel.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
hw/virtio/virtio-iommu.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/virtio/virtio-iommu.c b/hw/virtio/virtio-iommu.c
index 1b23e8e18c..ed47d4cb64 100644
--- a/hw/virtio/virtio-iommu.c
+++ b/hw/virtio/virtio-iommu.c
@@ -657,6 +657,7 @@ out:
virtio_notify(vdev, vq);
g_free(elem);
g_free(buf);
+ buf = NULL;
}
}
--
2.41.0.windows.1
Reference in New Issue View Git Blame Copy Permalink