bedd7e93d0
When mergeable buffer is enabled, we try to set the num_buffers after
the virtqueue elem has been unmapped. This will lead several issues,
E.g a use after free when the descriptor has an address which belongs
to the non direct access region. In this case we use bounce buffer
that is allocated during address_space_map() and freed during
address_space_unmap().
Fixing this by storing the elems temporarily in an array and delay the
unmap after we set the the num_buffers.
This addresses CVE-2021-3748.
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Fixes:
|
||
|---|---|---|
| .. | ||
| can | ||
| fsl_etsec | ||
| rocker | ||
| allwinner-sun8i-emac.c | ||
| allwinner_emac.c | ||
| cadence_gem.c | ||
| dp8393x.c | ||
| e1000.c | ||
| e1000_regs.h | ||
| e1000e.c | ||
| e1000e_core.c | ||
| e1000e_core.h | ||
| e1000x_common.c | ||
| e1000x_common.h | ||
| eepro100.c | ||
| etraxfs_eth.c | ||
| ftgmac100.c | ||
| i82596.c | ||
| i82596.h | ||
| imx_fec.c | ||
| Kconfig | ||
| lan9118.c | ||
| lance.c | ||
| lasi_i82596.c | ||
| mcf_fec.c | ||
| meson.build | ||
| mipsnet.c | ||
| msf2-emac.c | ||
| ne2000-isa.c | ||
| ne2000-pci.c | ||
| ne2000.c | ||
| ne2000.h | ||
| net_rx_pkt.c | ||
| net_rx_pkt.h | ||
| net_tx_pkt.c | ||
| net_tx_pkt.h | ||
| npcm7xx_emc.c | ||
| opencores_eth.c | ||
| pcnet-pci.c | ||
| pcnet.c | ||
| pcnet.h | ||
| rtl8139.c | ||
| smc91c111.c | ||
| spapr_llan.c | ||
| stellaris_enet.c | ||
| sungem.c | ||
| sunhme.c | ||
| trace-events | ||
| trace.h | ||
| tulip.c | ||
| tulip.h | ||
| vhost_net-stub.c | ||
| vhost_net.c | ||
| virtio-net.c | ||
| vmware_utils.h | ||
| vmxnet3.c | ||
| vmxnet3.h | ||
| vmxnet3_defs.h | ||
| vmxnet_debug.h | ||
| xen_nic.c | ||
| xgmac.c | ||
| xilinx_axienet.c | ||
| xilinx_ethlite.c | ||