mirror of
https://github.com/Motorhead1991/qemu.git
synced 2025-12-22 07:28:36 -07:00
4bf58c7213
A potential Use-after-free was reported in virtio_iommu_handle_command
when using virtio-iommu:
> I find a potential Use-after-free in QEMU 6.2.0, which is in
> virtio_iommu_handle_command() (./hw/virtio/virtio-iommu.c).
>
>
> Specifically, in the loop body, the variable 'buf' allocated at line 639 can be
> freed by g_free() at line 659. However, if the execution path enters the loop
> body again and the if branch takes true at line 616, the control will directly
> jump to 'out' at line 651. At this time, 'buf' is a freed pointer, which is not
> assigned with an allocated memory but used at line 653. As a result, a UAF bug
> is triggered.
>
>
>
> 599 for (;;) {
> ...
> 615 sz = iov_to_buf(iov, iov_cnt, 0, &head, sizeof(head));
> 616 if (unlikely(sz != sizeof(head))) {
> 617 tail.status = VIRTIO_IOMMU_S_DEVERR;
> 618 goto out;
> 619 }
> ...
> 639 buf = g_malloc0(output_size);
> ...
> 651 out:
> 652 sz = iov_from_buf(elem->in_sg, elem->in_num, 0,
> 653 buf ? buf : &tail, output_size);
> ...
> 659 g_free(buf);
>
> We can fix it by set ‘buf‘ to NULL after freeing it:
>
>
> 651 out:
> 652 sz = iov_from_buf(elem->in_sg, elem->in_num, 0,
> 653 buf ? buf : &tail, output_size);
> ...
> 659 g_free(buf);
> +++ buf = NULL;
> 660 }
Fix as suggested by the reporter.
Signed-off-by: Wentao Liang <Wentao_Liang_g@163.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 20220407095047.50371-1-mst@redhat.com
Message-ID: <20220406040445-mutt-send-email-mst@kernel.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
||
|---|---|---|
| .. | ||
| Kconfig | ||
| meson.build | ||
| trace-events | ||
| trace.h | ||
| vhost-backend.c | ||
| vhost-iova-tree.c | ||
| vhost-iova-tree.h | ||
| vhost-scsi-pci.c | ||
| vhost-shadow-virtqueue.c | ||
| vhost-shadow-virtqueue.h | ||
| vhost-stub.c | ||
| vhost-user-blk-pci.c | ||
| vhost-user-fs-pci.c | ||
| vhost-user-fs.c | ||
| vhost-user-i2c-pci.c | ||
| vhost-user-i2c.c | ||
| vhost-user-input-pci.c | ||
| vhost-user-rng-pci.c | ||
| vhost-user-rng.c | ||
| vhost-user-scsi-pci.c | ||
| vhost-user-vsock-pci.c | ||
| vhost-user-vsock.c | ||
| vhost-user.c | ||
| vhost-vdpa.c | ||
| vhost-vsock-common.c | ||
| vhost-vsock-pci.c | ||
| vhost-vsock.c | ||
| vhost.c | ||
| virtio-9p-pci.c | ||
| virtio-balloon-pci.c | ||
| virtio-balloon.c | ||
| virtio-blk-pci.c | ||
| virtio-bus.c | ||
| virtio-crypto-pci.c | ||
| virtio-crypto.c | ||
| virtio-input-host-pci.c | ||
| virtio-input-pci.c | ||
| virtio-iommu-pci.c | ||
| virtio-iommu.c | ||
| virtio-mem-pci.c | ||
| virtio-mem-pci.h | ||
| virtio-mem.c | ||
| virtio-mmio.c | ||
| virtio-net-pci.c | ||
| virtio-pci.c | ||
| virtio-pci.h | ||
| virtio-pmem-pci.c | ||
| virtio-pmem-pci.h | ||
| virtio-pmem.c | ||
| virtio-rng-pci.c | ||
| virtio-rng.c | ||
| virtio-scsi-pci.c | ||
| virtio-serial-pci.c | ||
| virtio.c | ||