xemu/hw
Jason Wang abe300d9d8 virtio-net: fix map leaking on error during receive
Commit bedd7e93d0 ("virtio-net: fix use after unmap/free for sg")
tries to fix the use after free of the sg by caching the virtqueue
elements in an array and unmap them at once after receiving the
packets. But it forgot to unmap the cached elements on error which
will lead to leaking of mapping and other unexpected results.

Fixing this by detaching the cached elements on error. This addresses
CVE-2022-26353.

Reported-by: Victor Tom <vv474172261@gmail.com>
Cc: qemu-stable@nongnu.org
Fixes: CVE-2022-26353
Fixes: bedd7e93d0 ("virtio-net: fix use after unmap/free for sg")
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
2022-03-15 13:57:44 +08:00
9pfs 9pfs/coth.h: drop Doxygen format on v9fs_co_run_in_worker() 2022-03-07 11:49:31 +01:00
acpi hw/acpi: add indication for i8042 in IA-PC boot flags of the FADT table 2022-03-06 16:06:16 -05:00
adc hw/adc: Add basic Aspeed ADC model 2021-10-12 08:20:08 +02:00
alpha hw/alpha: Provide a PCI-ISA bridge device node 2021-06-28 07:27:32 -07:00
arm I²C / SMBus / PMBus patches 2022-03-09 21:16:27 +00:00
audio hw/isa: Inline and remove one-line isa_init_irq() 2022-03-08 19:38:17 +01:00
avr hw/avr: Realize AVRCPU qdev object using qdev_realize() 2021-12-17 10:43:24 +01:00
block aspeed queue: 2022-03-09 18:06:40 +00:00
char hw/isa: Inline and remove one-line isa_init_irq() 2022-03-08 19:38:17 +01:00
core clock-vmstate: Add missing END_OF_LIST 2022-03-02 18:12:40 +00:00
cpu cpu/core: Fix "help" of CPU core device types 2021-04-09 16:05:16 -04:00
cris Do not include exec/address-spaces.h if it's not really necessary 2021-05-02 17:24:51 +02:00
display macfb: set initial value of mode control registers in macfb_common_realize() 2022-03-09 09:29:10 +00:00
dma Mark remaining global TypeInfo instances as const 2022-02-21 13:30:20 +00:00
gpio hw: aspeed_gpio: Cleanup stray semicolon after switch 2022-03-08 09:18:11 +01:00
hppa hppa: Add support for an emulated TOC/NMI button. 2022-02-02 18:46:42 +01:00
hyperv dma: Let dma_memory_map() take MemTxAttrs argument 2021-12-30 17:16:32 +01:00
i2c hw/i2c: Added linear mode translation for pmbus devices 2022-03-08 18:46:48 +01:00
i386 hw/acpi/microvm: turn on 8042 bit in FADT boot architecture flags if present 2022-03-07 17:43:14 -05:00
ide MIPS patches queue 2022-03-09 09:13:39 +00:00
input hw/isa: Inline and remove one-line isa_init_irq() 2022-03-08 19:38:17 +01:00
intc hw/intc/arm_gicv3_cpuif: Fix register names in ICV_HPPIR read trace event 2022-03-07 13:16:50 +00:00
ipack qbus: Rename qbus_create_inplace() to qbus_init() 2021-09-30 13:42:10 +01:00
ipmi hw/isa: Inline and remove one-line isa_init_irq() 2022-03-08 19:38:17 +01:00
isa hw/isa: Inline and remove one-line isa_init_irq() 2022-03-08 19:38:17 +01:00
m68k mos6522: implement edge-triggering for CA1/2 and CB1/2 control line IRQs 2022-03-09 09:28:28 +00:00
mem Mark remaining global TypeInfo instances as const 2022-02-21 13:30:20 +00:00
microblaze hw/microblaze: Replace drive_get_next() by drive_get() 2021-12-15 08:38:16 +01:00
mips hw/mips/gt64xxx_pci: Resolve gt64120_register() 2022-03-08 19:38:13 +01:00
misc macio/pmu.c: remove redundant code 2022-03-09 09:28:28 +00:00
net virtio-net: fix map leaking on error during receive 2022-03-15 13:57:44 +08:00
nios2 Do not include cpu.h if it's not really necessary 2021-05-02 17:24:51 +02:00
nubus qbus: Rename qbus_create_inplace() to qbus_init() 2021-09-30 13:42:10 +01:00
nvme hw/nvme: 64-bit pi support 2022-03-03 09:30:21 +01:00
nvram hw/nvram: at24 return 0xff if 1 byte address 2022-03-14 14:48:35 +01:00
openrisc hw/openrisc/openrisc_sim: Add support for initrd loading 2022-02-26 10:39:36 +09:00
pci acpi: pcihp: pcie: set power on cap on parent slot 2022-03-06 05:08:23 -05:00
pci-bridge pci: expose TYPE_XIO3130_DOWNSTREAM name 2022-03-06 05:08:23 -05:00
pci-host ppc/pnv: Add support for PHB5 "Address-based trigger" mode 2022-03-02 06:51:39 +01:00
pcmcia hw/pcmcia: Do not register PCMCIA type if not required 2021-05-02 17:24:50 +02:00
ppc osdep: Move memalign-related functions to their own header 2022-03-07 13:16:49 +00:00
rdma hw/dma: Use dma_addr_t type definition when relevant 2022-01-18 12:56:29 +01:00
remote hw/remote: Add missing include 2022-02-21 10:18:06 +01:00
riscv hw: riscv: opentitan: fixup SPI addresses 2022-03-03 13:14:50 +10:00
rtc hw/isa: Inline and remove one-line isa_init_irq() 2022-03-08 19:38:17 +01:00
rx hw/rx/rx-gdbsim: Do not accept invalid memory size 2021-05-03 10:07:41 +02:00
s390x s390x/cpumodel: Bump up QEMU model to a stripped-down IBM z15 GA1 2022-02-28 11:29:15 +01:00
scsi esp: recreate ESPState current_req after migration 2022-03-09 09:29:10 +00:00
sd Mark remaining global TypeInfo instances as const 2022-02-21 13:30:20 +00:00
sensor hw/sensor: add Renesas raa228000 device 2022-03-08 18:46:48 +01:00
sh4 hw/intc/sh_intc: Inline and drop sh_intc_source() function 2021-10-30 18:39:37 +02:00
smbios hw/smbios: Add table 4 parameter, "processor-id" 2022-03-06 05:28:55 -05:00
sparc sun4m: fix setting CPU id when more than one CPU is present 2021-09-08 11:09:45 +01:00
sparc64 hw: Replace trivial drive_get_next() by drive_get() 2021-12-15 08:38:16 +01:00
ssi aspeed/smc: Fix error log 2022-03-08 09:18:11 +01:00
timer hw/timer: fix a9gtimer vmstate 2022-02-21 13:30:21 +00:00
tpm MIPS patches queue 2022-03-09 09:13:39 +00:00
tricore hw/tricore: fix inclusion of tricore_testboard 2021-07-20 20:10:21 +02:00
usb hw/usb/redirect.c: Stop using qemu_oom_check() 2022-03-04 11:20:16 +01:00
vfio Mark remaining global TypeInfo instances as const 2022-02-21 13:30:20 +00:00
virtio vhost: use wfd on functions setting vring call fd 2022-03-06 06:19:47 -05:00
watchdog watchdog: remove select_watchdog_action 2021-11-02 15:57:27 +01:00
xen aio-posix: split poll check from ready handler 2022-01-12 17:09:39 +00:00
xenpv meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
xtensa Do not include exec/address-spaces.h if it's not really necessary 2021-05-02 17:24:51 +02:00
Kconfig hw/arm: xlnx-zcu102: Add Xilinx eFUSE device 2021-09-30 13:42:10 +01:00
meson.build sensor: Move hardware sensors from misc to a sensor directory 2021-06-17 07:10:32 -05:00