motorhead/qemu
1
0
Fork 0
mirror of https://github.com/Motorhead1991/qemu.git synced 2026-03-01 07:34:35 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions
qemu/hw/block
History
Stefan Hajnoczi 7bd04a041a virtio-blk: undo destructive iov_discard_*() operations 
Fuzzing discovered that virtqueue_unmap_sg() is being called on modified
req->in/out_sg iovecs. This means dma_memory_map() and
dma_memory_unmap() calls do not have matching memory addresses.

Fuzzing discovered that non-RAM addresses trigger a bug:

  void address_space_unmap(AddressSpace *as, void *buffer, hwaddr len,
                           bool is_write, hwaddr access_len)
  {
      if (buffer != bounce.buffer) {
          ^^^^^^^^^^^^^^^^^^^^^^^

A modified iov->iov_base is no longer recognized as a bounce buffer and
the wrong branch is taken.

There are more potential bugs: dirty memory is not tracked correctly and
MemoryRegion refcounts can be leaked.

Use the new iov_discard_undo() API to restore elem->in/out_sg before
virtqueue_push() is called.

Fixes: 827805a249 ("virtio-blk: Convert VirtIOBlockReq.out to structrue")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
Buglink: https://bugs.launchpad.net/qemu/+bug/1890360
Message-Id: <20200917094455.822379-3-stefanha@redhat.com>
2020-09-23 13:41:58 +01:00
..
dataplane meson: convert hw/block 2020-08-21 06:30:32 -04:00
block.c block: make BlockConf size props 32bit and accept size suffixes 2020-06-17 14:53:40 +02:00
cdrom.c Include qemu-common.h exactly where needed 2019-06-12 13:20:20 +02:00
ecc.c Include hw/hw.h exactly where needed 2019-08-16 13:31:52 +02:00
fdc.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
hd-geometry.c block: Remove blk_pread_unthrottled() 2019-08-16 10:25:16 +02:00
Kconfig hw/m68k: add a dummy SWIM floppy controller 2019-10-28 19:06:51 +01:00
m25p80.c Use OBJECT_DECLARE_TYPE when possible 2020-09-18 14:12:32 -04:00
meson.build meson: convert hw/block 2020-08-21 06:30:32 -04:00
nand.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
nvme.c hw/block/nvme: remove explicit qsg/iov parameters 2020-09-02 08:48:50 +02:00
nvme.h hw/block/nvme: add ns/cmd references in NvmeRequest 2020-09-02 08:48:50 +02:00
onenand.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
pflash_cfi01.c hw: Remove superfluous breaks 2020-09-01 08:38:00 +02:00
pflash_cfi02.c pflash: Use ERRP_GUARD() 2020-07-10 15:18:09 +02:00
swim.c swim: Rename struct SWIM to Swim 2020-08-27 14:04:55 -04:00
tc58128.c Include hw/hw.h exactly where needed 2019-08-16 13:31:52 +02:00
trace-events trace-events: Fix attribution of trace points to source 2020-09-09 17:17:58 +01:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00
vhost-user-blk.c vhost-user-blk-pci: default num_queues to -smp N 2020-08-27 08:29:13 -04:00
virtio-blk.c virtio-blk: undo destructive iov_discard_*() operations 2020-09-23 13:41:58 +01:00
xen-block.c xen: Use ERRP_GUARD() 2020-07-10 15:18:09 +02:00
xen_blkif.h xen: Import other xen/io/*.h 2019-06-24 10:42:30 +01:00