mirror of https://github.com/xemu-project/xemu.git
7bd04a041a
Fuzzing discovered that virtqueue_unmap_sg() is being called on modified
req->in/out_sg iovecs. This means dma_memory_map() and
dma_memory_unmap() calls do not have matching memory addresses.
Fuzzing discovered that non-RAM addresses trigger a bug:
void address_space_unmap(AddressSpace *as, void *buffer, hwaddr len,
bool is_write, hwaddr access_len)
{
if (buffer != bounce.buffer) {
^^^^^^^^^^^^^^^^^^^^^^^
A modified iov->iov_base is no longer recognized as a bounce buffer and
the wrong branch is taken.
There are more potential bugs: dirty memory is not tracked correctly and
MemoryRegion refcounts can be leaked.
Use the new iov_discard_undo() API to restore elem->in/out_sg before
virtqueue_push() is called.
Fixes:
|
||
|---|---|---|
| .. | ||
| vhost-backend.h | ||
| vhost-scsi-common.h | ||
| vhost-scsi.h | ||
| vhost-user-blk.h | ||
| vhost-user-fs.h | ||
| vhost-user-scsi.h | ||
| vhost-user-vsock.h | ||
| vhost-user.h | ||
| vhost-vdpa.h | ||
| vhost-vsock-common.h | ||
| vhost-vsock.h | ||
| vhost.h | ||
| virtio-access.h | ||
| virtio-balloon.h | ||
| virtio-blk.h | ||
| virtio-bus.h | ||
| virtio-crypto.h | ||
| virtio-gpu-bswap.h | ||
| virtio-gpu-pci.h | ||
| virtio-gpu-pixman.h | ||
| virtio-gpu.h | ||
| virtio-input.h | ||
| virtio-iommu.h | ||
| virtio-mem.h | ||
| virtio-mmio.h | ||
| virtio-net.h | ||
| virtio-pmem.h | ||
| virtio-rng.h | ||
| virtio-scsi.h | ||
| virtio-serial.h | ||
| virtio.h | ||