diff options
| author | Eric Auger <eric.auger@redhat.com> | 2023-07-17 18:21:26 +0200 |
|---|---|---|
| committer | Michael S. Tsirkin <mst@redhat.com> | 2023-08-03 16:06:49 -0400 |
| commit | cf2f89edf36a59183166ae8721a8d7ab5cd286bd (patch) | |
| tree | 905bf3dc502492f17f43af1b3a3165766c341d55 | |
| parent | c167c80b463768e04a22fbe37ba6c53a4a08e41e (diff) | |
| download | focaccia-qemu-cf2f89edf36a59183166ae8721a8d7ab5cd286bd.tar.gz focaccia-qemu-cf2f89edf36a59183166ae8721a8d7ab5cd286bd.zip | |
hw/virtio-iommu: Fix potential OOB access in virtio_iommu_handle_command()
In the virtio_iommu_handle_command() when a PROBE request is handled,
output_size takes a value greater than the tail size and on a subsequent
iteration we can get a stack out-of-band access. Initialize the
output_size on each iteration.
The issue was found with ASAN. Credits to:
Yiming Tao(Zhejiang University)
Gaoning Pan(Zhejiang University)
Fixes: 1733eebb9e7 ("virtio-iommu: Implement RESV_MEM probe request")
Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reported-by: Mauro Matteo Cascella <mcascell@redhat.com>
Cc: qemu-stable@nongnu.org
Message-Id: <20230717162126.11693-1-eric.auger@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
| -rw-r--r-- | hw/virtio/virtio-iommu.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/hw/virtio/virtio-iommu.c b/hw/virtio/virtio-iommu.c index 201127c488..4dcf1d5c62 100644 --- a/hw/virtio/virtio-iommu.c +++ b/hw/virtio/virtio-iommu.c @@ -728,13 +728,15 @@ static void virtio_iommu_handle_command(VirtIODevice *vdev, VirtQueue *vq) VirtIOIOMMU *s = VIRTIO_IOMMU(vdev); struct virtio_iommu_req_head head; struct virtio_iommu_req_tail tail = {}; - size_t output_size = sizeof(tail), sz; VirtQueueElement *elem; unsigned int iov_cnt; struct iovec *iov; void *buf = NULL; + size_t sz; for (;;) { + size_t output_size = sizeof(tail); + elem = virtqueue_pop(vq, sizeof(VirtQueueElement)); if (!elem) { return; |