qemu-kvm/kvm-hw-virtio-iommu-Fix-potential-OOB-access-in-virtio_i.patch


* Mon Aug 07 2023 Miroslav Rezanina <mrezanin@redhat.com> - 8.0.0-11
- kvm-block-blkio-enable-the-completion-eventfd.patch [bz#2225354 bz#2225439]
- kvm-block-blkio-do-not-use-open-flags-in-qemu_open.patch [bz#2225354 bz#2225439]
- kvm-block-blkio-move-blkio_connect-in-the-drivers-functi.patch [bz#2225354 bz#2225439]
- kvm-block-blkio-retry-blkio_connect-if-it-fails-using-fd.patch [bz#2225354 bz#2225439]
- kvm-block-blkio-fall-back-on-using-path-when-fd-setting-.patch [bz#2225354 bz#2225439]
- kvm-block-blkio-use-blkio_set_int-fd-to-check-fd-support.patch [bz#2225354 bz#2225439]
- kvm-hw-virtio-iommu-Fix-potential-OOB-access-in-virtio_i.patch [bz#2229133]
- kvm-virtio-iommu-Standardize-granule-extraction-and-form.patch [bz#2229133]
- kvm-hw-arm-smmu-Handle-big-endian-hosts-correctly.patch [bz#2229133]
- kvm-qapi-i386-sev-Change-the-reduced-phys-bits-value-fro.patch [bz#2214839]
- kvm-qemu-options.hx-Update-the-reduced-phys-bits-documen.patch [bz#2214839]
- kvm-i386-sev-Update-checks-and-information-related-to-re.patch [bz#2214839]
- kvm-i386-cpu-Update-how-the-EBX-register-of-CPUID-0x8000.patch [bz#2214839]
- kvm-Provide-elf2dmp-binary-in-qemu-tools.patch [bz#2165917]
- Resolves: bz#2225354 ([vdpa-blk] The new driver virtio-blk-vhost-user not work in VM booting)
- Resolves: bz#2225439 ([vdpa-blk] read-only=on option not work on driver virtio-blk-vhost-vdpa)
- Resolves: bz#2229133 (Backport some virtio-iommu and smmu fixes)
- Resolves: bz#2214839 ([AMDSERVER 9.3 Bug] Qemu SEV reduced-phys-bits fixes)
- Resolves: bz#2165917 (qemu-kvm: contrib/elf2dmp: Windows Server 2022 support)
2023-08-07 06:15:08 +00:00
From 0a731ac1191182546e80af5f39d178a5a2f3688f Mon Sep 17 00:00:00 2001
From: Eric Auger <eric.auger@redhat.com>
Date: Mon, 17 Jul 2023 18:21:26 +0200
Subject: [PATCH 07/14] hw/virtio-iommu: Fix potential OOB access in
virtio_iommu_handle_command()
RH-Author: Eric Auger <eric.auger@redhat.com>
RH-MergeRequest: 197: virtio-iommu/smmu: backport some late fixes
RH-Bugzilla: 2229133
RH-Acked-by: Thomas Huth <thuth@redhat.com>
RH-Acked-by: Peter Xu <peterx@redhat.com>
RH-Commit: [1/3] ecdb1e1aa6b93761dc87ea79bc0a1093ad649a74 (eauger1/centos-qemu-kvm)
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2229133
In the virtio_iommu_handle_command() when a PROBE request is handled,
output_size takes a value greater than the tail size and on a subsequent
iteration we can get a stack out-of-band access. Initialize the
output_size on each iteration.
The issue was found with ASAN. Credits to:
Yiming Tao (Zhejiang University)
Gaoning Pan (Zhejiang University)
Fixes: 1733eebb9e7 ("virtio-iommu: Implement RESV_MEM probe request")
Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reported-by: Mauro Matteo Cascella <mcascell@redhat.com>
Cc: qemu-stable@nongnu.org
Message-Id: <20230717162126.11693-1-eric.auger@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit cf2f89edf36a59183166ae8721a8d7ab5cd286bd)
Signed-off-by: Eric Auger <eric.auger@redhat.com>
---
hw/virtio/virtio-iommu.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/hw/virtio/virtio-iommu.c b/hw/virtio/virtio-iommu.c
index 421e2a944f..17ce630200 100644
--- a/hw/virtio/virtio-iommu.c
+++ b/hw/virtio/virtio-iommu.c
@@ -728,13 +728,15 @@ static void virtio_iommu_handle_command(VirtIODevice *vdev, VirtQueue *vq)
VirtIOIOMMU *s = VIRTIO_IOMMU(vdev);
struct virtio_iommu_req_head head;
struct virtio_iommu_req_tail tail = {};
- size_t output_size = sizeof(tail), sz;
VirtQueueElement *elem;
unsigned int iov_cnt;
struct iovec *iov;
void *buf = NULL;
+ size_t sz;
for (;;) {
+ size_t output_size = sizeof(tail);
+
elem = virtqueue_pop(vq, sizeof(VirtQueueElement));
if (!elem) {
return;
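Review bot: The fix is the right one and is minimal in scope: with the removed declaration `size_t output_size = sizeof(tail), sz;` the variable was initialised once for the whole function, so a PROBE request that enlarged it in one iteration left the larger value in force for the next `virtqueue_pop()` iteration, and a reply that only had the stack `tail` struct to copy from was copied with the stale PROBE-sized length; moving `size_t output_size = sizeof(tail);` to the top of `for (;;)` restores the per-request invariant. Two small points: the new `size_t sz;` lands after `void *buf = NULL;` instead of next to the other declarations, so grouping it with them would keep the declaration block tidy; and a one-line comment on the new in-loop declaration (that PROBE enlarges `output_size`, so it must be reset per request) would stop a future cleanup from hoisting it back out of the loop.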
--
2.39.3
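To make the loop-carried state bug concrete, here is an added, constructed C model of the request loop described in the commit message. It is not QEMU code: the request types, the 8-byte `tail` struct, the 64-byte probe size and the reset flag are all assumptions chosen to mirror the bug, and the copy is clamped so the model only counts the out-of-bounds read it would otherwise perform.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed request kinds (assumption, not the virtio-iommu encoding). */
enum { REQ_PROBE = 1, REQ_OTHER = 2 };

/* Fixed-size default reply living on the stack, as in the real function. */
struct tail { uint8_t status; uint8_t reserved[7]; };   /* 8 bytes */
#define PROBE_SIZE 64   /* assumed probe payload size preceding the tail */

/* Constructed request sequence: a PROBE followed by two ordinary requests. */
static const int sample_sequence[] = { REQ_PROBE, REQ_OTHER, REQ_OTHER };
#define SAMPLE_LEN (sizeof(sample_sequence) / sizeof(sample_sequence[0]))

/* Process n requests. With reset_each_iteration == 0, output_size is set
 * once before the loop (the pre-fix shape); with 1 it is re-initialised at
 * the top of every iteration (the patched shape). Returns how many replies
 * would have been copied with a length exceeding their source buffer. */
static size_t process_requests(const int *types, size_t n, int reset_each_iteration)
{
    struct tail tail = {0};
    uint8_t probe_buf[PROBE_SIZE + sizeof(struct tail)];
    uint8_t out[sizeof(probe_buf)];
    size_t output_size = sizeof(tail);
    size_t overreads = 0;

    for (size_t i = 0; i < n; i++) {
        if (reset_each_iteration) {
            output_size = sizeof(tail);         /* the fix */
        }
        const uint8_t *src = (const uint8_t *)&tail;   /* default reply */
        size_t src_len = sizeof(tail);

        if (types[i] == REQ_PROBE) {
            /* PROBE answers with a larger buffer and enlarges output_size. */
            memset(probe_buf, 0, sizeof(probe_buf));
            output_size = PROBE_SIZE + sizeof(tail);
            src = probe_buf;
            src_len = sizeof(probe_buf);
        }
        /* Without the reset, the request after a PROBE copies PROBE-sized
         * output_size bytes out of the 8-byte stack tail. */
        if (output_size > src_len) {
            overreads++;
        }
        memcpy(out, src, output_size > src_len ? src_len : output_size);
    }
    return overreads;
}
```

Running the pre-fix shape over `sample_sequence` reports two over-long reply copies (both requests after the PROBE); the patched shape reports none.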