mirror of
https://github.com/qemu/qemu.git
synced 2024-12-18 01:34:15 +08:00
7bd04a041a
Fuzzing discovered that virtqueue_unmap_sg() is being called on modified
req->in/out_sg iovecs. This means dma_memory_map() and
dma_memory_unmap() calls do not have matching memory addresses.
Fuzzing discovered that non-RAM addresses trigger a bug:
void address_space_unmap(AddressSpace *as, void *buffer, hwaddr len,
bool is_write, hwaddr access_len)
{
if (buffer != bounce.buffer) {
^^^^^^^^^^^^^^^^^^^^^^^
A modified iov->iov_base is no longer recognized as a bounce buffer and
the wrong branch is taken.
There are more potential bugs: dirty memory is not tracked correctly and
MemoryRegion refcounts can be leaked.
Use the new iov_discard_undo() API to restore elem->in/out_sg before
virtqueue_push() is called.
Fixes:
|
||
---|---|---|
.. | ||
authz | ||
block | ||
chardev | ||
crypto | ||
disas | ||
exec | ||
fpu | ||
hw | ||
io | ||
libdecnumber | ||
migration | ||
monitor | ||
net | ||
qapi | ||
qemu | ||
qom | ||
scsi | ||
standard-headers | ||
sysemu | ||
tcg | ||
ui | ||
user | ||
elf.h | ||
glib-compat.h | ||
qemu-common.h | ||
qemu-io.h | ||
trace-tcg.h |