From 0a731ac1191182546e80af5f39d178a5a2f3688f Mon Sep 17 00:00:00 2001 From: Eric Auger Date: Mon, 17 Jul 2023 18:21:26 +0200 Subject: [PATCH 07/14] hw/virtio-iommu: Fix potential OOB access in virtio_iommu_handle_command() RH-Author: Eric Auger RH-MergeRequest: 197: virtio-iommu/smmu: backport some late fixes RH-Bugzilla: 2229133 RH-Acked-by: Thomas Huth RH-Acked-by: Peter Xu RH-Commit: [1/3] ecdb1e1aa6b93761dc87ea79bc0a1093ad649a74 (eauger1/centos-qemu-kvm) Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2229133 In the virtio_iommu_handle_command() when a PROBE request is handled, output_size takes a value greater than the tail size and on a subsequent iteration we can get a stack out-of-band access. Initialize the output_size on each iteration. The issue was found with ASAN. Credits to: Yiming Tao(Zhejiang University) Gaoning Pan(Zhejiang University) Fixes: 1733eebb9e7 ("virtio-iommu: Implement RESV_MEM probe request") Signed-off-by: Eric Auger Reported-by: Mauro Matteo Cascella Cc: qemu-stable@nongnu.org Message-Id: <20230717162126.11693-1-eric.auger@redhat.com> Reviewed-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin (cherry picked from commit cf2f89edf36a59183166ae8721a8d7ab5cd286bd) Signed-off-by: Eric Auger --- hw/virtio/virtio-iommu.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/hw/virtio/virtio-iommu.c b/hw/virtio/virtio-iommu.c index 421e2a944f..17ce630200 100644 --- a/hw/virtio/virtio-iommu.c +++ b/hw/virtio/virtio-iommu.c @@ -728,13 +728,15 @@ static void virtio_iommu_handle_command(VirtIODevice *vdev, VirtQueue *vq) VirtIOIOMMU *s = VIRTIO_IOMMU(vdev); struct virtio_iommu_req_head head; struct virtio_iommu_req_tail tail = {}; - size_t output_size = sizeof(tail), sz; VirtQueueElement *elem; unsigned int iov_cnt; struct iovec *iov; void *buf = NULL; + size_t sz; for (;;) { + size_t output_size = sizeof(tail); + elem = virtqueue_pop(vq, sizeof(VirtQueueElement)); if (!elem) { return; -- 2.39.3
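Review bot: the hunk fixes the carry-over correctly by re-initializing `output_size = sizeof(tail)` at the top of each `for (;;)` iteration, but a one-line comment above the new declaration would help future readers, since nothing in the hunk explains why a per-iteration reset is needed (per the commit message, a PROBE request grows `output_size` past the tail size and the next request then uses that stale, larger value against the tail-sized stack object). Also, `size_t sz;` is kept at function scope while `output_size` moves inside the loop; if `sz` is likewise assigned before every use within an iteration, consider moving it into the loop body as well so both variables follow the same scoping rule and a similar stale-value bug cannot recur with `sz`. Finally, since the bug was found with ASAN, it would be worth noting in the commit message whether the reporters' reproducer (a PROBE request followed by another command on the same queue) can be turned into a qtest regression case.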