Stefan Hajnoczi 7bd04a041a virtio-blk: undo destructive iov_discard_*() operations ... Fuzzing discovered that virtqueue_unmap_sg() is being called on modified req->in/out_sg iovecs. This means dma_memory_map() and dma_memory_unmap() calls do not have matching memory addresses. Fuzzing discovered that non-RAM addresses trigger a bug: void address_space_unmap(AddressSpace *as, void *buffer, hwaddr len, bool is_write, hwaddr access_len) { if (buffer != bounce.buffer) { ^^^^^^^^^^^^^^^^^^^^^^^ A modified iov->iov_base is no longer recognized as a bounce buffer and the wrong branch is taken. There are more potential bugs: dirty memory is not tracked correctly and MemoryRegion refcounts can be leaked. Use the new iov_discard_undo() API to restore elem->in/out_sg before virtqueue_push() is called. Fixes: 827805a249 ("virtio-blk: Convert VirtIOBlockReq.out to structrue") Reported-by: Alexander Bulekov <alxndr@bu.edu> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Li Qiang <liq3ea@gmail.com> Buglink: https://bugs.launchpad.net/qemu/+bug/1890360 Message-Id: <20200917094455.822379-3-stefanha@redhat.com>		2020-09-23 13:41:58 +01:00
..
9pfs	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
acpi	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
adc	meson: convert hw/adc	2020-08-21 06:30:32 -04:00
alpha	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
arm	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
audio	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
avr	Use DECLARE_*CHECKER* macros	2020-09-09 09:27:09 -04:00
block	virtio-blk: undo destructive iov_discard_*() operations	2020-09-23 13:41:58 +01:00
char	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
core	Use DECLARE_*CHECKER* macros	2020-09-09 09:27:09 -04:00
cpu	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
cris	meson: convert hw/arch*	2020-08-21 06:30:33 -04:00
display	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
dma	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
gpio	Pull request trivial patches 20200919	2020-09-22 15:42:23 +01:00
hppa	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
hyperv	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
i2c	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
i386	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
ide	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
input	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
intc	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
ipack	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
ipmi	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
isa	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
lm32	hw/sd/milkymist: Do not create SD card within the SD host controller	2020-08-21 16:22:43 +02:00
m68k	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
mem	hw/mem: Stubbed out NPCM7xx Memory Controller model	2020-09-14 14:24:59 +01:00
microblaze	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
mips	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
misc	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
moxie	meson: convert hw/arch*	2020-08-21 06:30:33 -04:00
net	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
nios2	meson: convert hw/arch*	2020-08-21 06:30:33 -04:00
nubus	meson: convert hw/nubus	2020-08-21 06:30:25 -04:00
nvram	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
openrisc	meson: convert hw/arch*	2020-08-21 06:30:33 -04:00
pci	meson: convert hw/pci	2020-08-21 06:30:28 -04:00
pci-bridge	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
pci-host	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
pcmcia	pxa2xx: Move QOM macros to header	2020-08-27 14:04:55 -04:00
ppc	Pull request trivial patches 20200919	2020-09-22 15:42:23 +01:00
rdma	Use DECLARE_*CHECKER* macros	2020-09-09 09:27:09 -04:00
riscv	sifive_u: Rename memmap enum constants	2020-09-18 13:49:48 -04:00
rtc	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
rx	Use DECLARE_*CHECKER* macros	2020-09-09 09:27:09 -04:00
s390x	virtio: add vhost-user-fs-ccw device	2020-09-23 13:41:58 +01:00
scsi	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
sd	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
semihosting	meson: convert hw/semihosting	2020-08-21 06:30:25 -04:00
sh4	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
smbios	hw/smbios: add options for type 4 max-speed and current-speed	2020-08-27 08:29:13 -04:00
sparc	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
sparc64	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
ssi	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
timer	Pull request trivial patches 20200919	2020-09-22 15:42:23 +01:00
tpm	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
tricore	meson: convert hw/arch*	2020-08-21 06:30:33 -04:00
unicore32	meson: convert hw/arch*	2020-08-21 06:30:33 -04:00
usb	usb: fix u2f build	2020-09-22 16:40:56 +01:00
vfio	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
virtio	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
watchdog	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
xen	Use OBJECT_DECLARE_SIMPLE_TYPE when possible	2020-09-18 14:12:32 -04:00
xenpv	meson: convert hw/arch*	2020-08-21 06:30:33 -04:00
xtensa	target/xtensa: implement NMI support	2020-08-21 12:48:14 -07:00
Kconfig	hw/avr: Add limited support for some Arduino boards	2020-07-11 11:02:05 +02:00
meson.build	meson: convert hw/arch*	2020-08-21 06:30:33 -04:00