xemu-project/xemu
1
0
Fork 0
mirror of https://github.com/xemu-project/xemu.git synced 2024-11-30 23:10:38 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
81c7ed41a1
xemu/hw
History
Wentao Liang 4bf58c7213 virtio-iommu: use-after-free fix 
A potential Use-after-free was reported in virtio_iommu_handle_command
when using virtio-iommu:

> I find a potential Use-after-free in QEMU 6.2.0, which is in
> virtio_iommu_handle_command() (./hw/virtio/virtio-iommu.c).
>
>
> Specifically, in the loop body, the variable 'buf' allocated at line 639 can be
> freed by g_free() at line 659. However, if the execution path enters the loop
> body again and the if branch takes true at line 616, the control will directly
> jump to 'out' at line 651. At this time, 'buf' is a freed pointer, which is not
> assigned with an allocated memory but used at line 653. As a result, a UAF bug
> is triggered.
>
>
>
> 599     for (;;) {
> ...
> 615         sz = iov_to_buf(iov, iov_cnt, 0, &head, sizeof(head));
> 616         if (unlikely(sz != sizeof(head))) {
> 617             tail.status = VIRTIO_IOMMU_S_DEVERR;
> 618             goto out;
> 619         }
> ...
> 639             buf = g_malloc0(output_size);
> ...
> 651 out:
> 652         sz = iov_from_buf(elem->in_sg, elem->in_num, 0,
> 653                           buf ? buf : &tail, output_size);
> ...
> 659         g_free(buf);
>
> We can fix it by set ‘buf‘ to NULL after freeing it:
>
>
> 651 out:
> 652         sz = iov_from_buf(elem->in_sg, elem->in_num, 0,
> 653                           buf ? buf : &tail, output_size);
> ...
> 659         g_free(buf);
> +++ buf = NULL;
> 660     }

Fix as suggested by the reporter.

Signed-off-by: Wentao Liang <Wentao_Liang_g@163.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 20220407095047.50371-1-mst@redhat.com
Message-ID: <20220406040445-mutt-send-email-mst@kernel.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2022-04-08 15:02:09 +01:00
..
9pfs 9p: move P9_XATTR_SIZE_MAX from 9p.h to 9p.c 2022-04-01 13:06:07 +02:00
acpi acpi: fix acpi_index migration 2022-04-06 20:03:26 +01:00
adc
alpha
arm hw/arm/xlnx-zynqmp: Connect the ZynqMP APU Control 2022-03-18 11:31:20 +00:00
audio * Fix stack-overflow due to recursive DMA in intel-hda (CVE-2021-3611) 2022-03-22 20:45:30 +00:00
avr
block aspeed queue: 2022-03-09 18:06:40 +00:00
char Use g_new() & friends where that makes obvious sense 2022-03-21 15:44:44 +01:00
core acpi: fix acpi_index migration 2022-04-06 20:03:26 +01:00
cpu
cris
display ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206) 2022-04-07 12:30:54 +02:00
dma Use g_new() & friends where that makes obvious sense 2022-03-21 15:44:44 +01:00
gpio hw: aspeed_gpio: Cleanup stray semicolon after switch 2022-03-08 09:18:11 +01:00
hppa hppa: Add support for an emulated TOC/NMI button. 2022-02-02 18:46:42 +01:00
hyperv
i2c Use g_new() & friends where that makes obvious sense 2022-03-21 15:44:44 +01:00
i386 hw: Fix misleading hexadecimal format 2022-03-24 10:38:42 +00:00
ide MIPS patches queue 2022-03-09 09:13:39 +00:00
input Use g_new() & friends where that makes obvious sense 2022-03-21 15:44:44 +01:00
intc hw/intc/arm_gicv3_its: Add missing newlines to process_mapc() logging 2022-03-25 14:41:06 +00:00
ipack
ipmi hw/isa: Inline and remove one-line isa_init_irq() 2022-03-08 19:38:17 +01:00
isa hw/isa: Inline and remove one-line isa_init_irq() 2022-03-08 19:38:17 +01:00
m68k Use g_new() & friends where that makes obvious sense 2022-03-21 15:44:44 +01:00
mem Mark remaining global TypeInfo instances as const 2022-02-21 13:30:20 +00:00
microblaze
mips Replace GCC_FMT_ATTR with G_GNUC_PRINTF 2022-03-22 14:40:51 +04:00
misc hw: Fix misleading hexadecimal format 2022-03-24 10:38:42 +00:00
net Replace GCC_FMT_ATTR with G_GNUC_PRINTF 2022-03-22 14:40:51 +04:00
nios2
nubus
nvme Use g_new() & friends where that makes obvious sense 2022-03-21 15:44:44 +01:00
nvram xlnx-bbram: hw/nvram: Fix uninitialized Error * 2022-04-05 09:28:04 +01:00
openrisc hw/openrisc/openrisc_sim: Add support for initrd loading 2022-02-26 10:39:36 +09:00
pci Use g_new() & friends where that makes obvious sense 2022-03-21 15:44:44 +01:00
pci-bridge pci: expose TYPE_XIO3130_DOWNSTREAM name 2022-03-06 05:08:23 -05:00
pci-host Use g_new() & friends where that makes obvious sense 2022-03-21 15:44:44 +01:00
pcmcia
ppc hw/ppc: free env->tb_env in spapr_unrealize_vcpu() 2022-04-04 08:49:06 +02:00
rdma Use g_new() & friends where that makes obvious sense 2022-03-21 15:44:44 +01:00
remote hw/remote: Add missing include 2022-02-21 10:18:06 +01:00
riscv hw: riscv: opentitan: fixup SPI addresses 2022-03-03 13:14:50 +10:00
rtc hw/isa: Inline and remove one-line isa_init_irq() 2022-03-08 19:38:17 +01:00
rx
s390x s390x/cpumodel: Bump up QEMU model to a stripped-down IBM z15 GA1 2022-02-28 11:29:15 +01:00
scsi hw: Fix misleading hexadecimal format 2022-03-24 10:38:42 +00:00
sd hw/sd/sdhci: Prohibit DMA accesses to devices 2022-03-21 10:25:21 +01:00
sensor hw/sensor: add Renesas raa228000 device 2022-03-08 18:46:48 +01:00
sh4 Use g_new() & friends where that makes obvious sense 2022-03-21 15:44:44 +01:00
smbios hw/smbios: Add table 4 parameter, "processor-id" 2022-03-06 05:28:55 -05:00
sparc Use g_new() & friends where that makes obvious sense 2022-03-21 15:44:44 +01:00
sparc64 Use g_new() & friends where that makes obvious sense 2022-03-21 15:44:44 +01:00
ssi aspeed/smc: Fix error log 2022-03-08 09:18:11 +01:00
timer Use g_new() & friends where that makes obvious sense 2022-03-21 15:44:44 +01:00
tpm MIPS patches queue 2022-03-09 09:13:39 +00:00
tricore
usb hw/usb/redirect.c: Stop using qemu_oom_check() 2022-03-04 11:20:16 +01:00
vfio Use g_new() & friends where that makes obvious sense 2022-03-21 15:44:44 +01:00
virtio virtio-iommu: use-after-free fix 2022-04-08 15:02:09 +01:00
watchdog
xen Replace GCC_FMT_ATTR with G_GNUC_PRINTF 2022-03-22 14:40:51 +04:00
xenpv
xtensa Use g_new() & friends where that makes obvious sense 2022-03-21 15:44:44 +01:00
Kconfig
meson.build