qemu/hw
Raphael Norwitz 4fdecf0543 Fix vhost-user buffer over-read on ram hot-unplug
The VHOST_USER_PROTOCOL_F_CONFIGURE_MEM_SLOTS vhost-user protocol
feature introduced a shadow-table, used by the backend to dynamically
determine how a vdev's memory regions have changed since the last
vhost_user_set_mem_table() call. On hot-remove, a memmove() operation
is used to overwrite the removed shadow region descriptor(s). The size
parameter of this memmove was off by 1 such that if a VM with a backend
supporting the VHOST_USER_PROTOCOL_F_CONFIGURE_MEM_SLOTS filled its
shadow-table (by performing the maximum number of supported hot-add
operations) and attempted to remove the last region, Qemu would read an
out of bounds value and potentially crash.

This change fixes the memmove() bounds such that this erroneous read can
never happen.

Signed-off-by: Peter Turschmid <peter.turschm@nutanix.com>
Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
Message-Id: <1594799958-31356-1-git-send-email-raphael.norwitz@nutanix.com>
Fixes: f1aeb14b08 ("Transmit vhost-user memory regions individually")
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2020-07-27 10:28:28 -04:00
9pfs virtio-9p: Use ERRP_GUARD() 2020-07-10 15:18:09 +02:00
acpi acpi: accept byte and word access to core ACPI registers 2020-07-22 07:57:07 -04:00
adc hw/adc/stm32f2xx_adc: Correct memory region size and access size 2020-06-05 17:23:09 +01:00
alpha sysbus: Convert to sysbus_realize() etc. with Coccinelle 2020-06-15 22:05:28 +02:00
arm hw: Only compile the usb-dwc2 controller if it is really needed 2020-07-24 16:15:28 +02:00
audio audio: set default value for pcspk.iobase property 2020-07-06 17:01:11 +02:00
avr hw/avr/boot: Fix memory leak in avr_load_firmware() 2020-07-21 16:13:04 +02:00
block qom: Change object_get_canonical_path_component() not to malloc 2020-07-21 16:23:43 +02:00
char hw/char: Convert the Ibex UART to use the registerfields API 2020-07-13 17:25:37 -07:00
core hw/pci-host: save/restore pci host config register 2020-07-27 10:24:39 -04:00
cpu error: Eliminate error_propagate() with Coccinelle, part 1 2020-07-10 15:18:08 +02:00
cris sysbus: Convert to sysbus_realize() etc. with Coccinelle 2020-06-15 22:05:28 +02:00
display qxl: fix modular builds with dtrace 2020-07-21 10:56:47 +02:00
dma hw: Mark nd_table[] misuse in realize methods FIXME 2020-07-21 08:41:15 +02:00
gpio error: Eliminate error_propagate() with Coccinelle, part 1 2020-07-10 15:18:08 +02:00
hppa sysbus: Convert to sysbus_realize() etc. with Coccinelle 2020-06-15 22:05:28 +02:00
hyperv error: Avoid unnecessary error_propagate() after error_setg() 2020-07-10 15:18:08 +02:00
i2c hw/i2c: Rename i2c_create_slave() as i2c_slave_create_simple() 2020-07-16 12:30:54 -05:00
i386 hw/pci-host: save/restore pci host config register 2020-07-27 10:24:39 -04:00
ide qom: Put name parameter before value / visitor parameter 2020-07-10 15:18:08 +02:00
input hw/input/virtio-input-hid.c: Don't undef CONFIG_CURSES 2020-07-24 16:15:28 +02:00
intc apic: Report current_count via 'info lapic' 2020-07-10 19:26:55 -04:00
ipack qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
ipmi ipmi: add SET_SENSOR_READING command 2020-07-17 11:39:46 -05:00
isa error: Eliminate error_propagate() with Coccinelle, part 1 2020-07-10 15:18:08 +02:00
lm32 sysbus: Convert to sysbus_realize() etc. with Coccinelle 2020-06-15 22:05:28 +02:00
m68k qom: Put name parameter before value / visitor parameter 2020-07-10 15:18:08 +02:00
mem qom: Change object_get_canonical_path_component() not to malloc 2020-07-21 16:23:43 +02:00
microblaze error: Eliminate error_propagate() with Coccinelle, part 1 2020-07-10 15:18:08 +02:00
mips error: Eliminate error_propagate() with Coccinelle, part 1 2020-07-10 15:18:08 +02:00
misc qom: Change object_get_canonical_path_component() not to malloc 2020-07-21 16:23:43 +02:00
moxie hw: Make MachineClass::is_default a boolean type 2020-02-28 14:57:19 -05:00
net hw/net/xgmac: Fix buffer overflow in xgmac_enet_send() 2020-07-21 21:30:39 +08:00
nios2 hw/nios2: exit to main CPU loop only when unmasking interrupts 2020-07-13 14:36:11 +01:00
nubus hw: Remove unnecessary DEVICE() cast 2020-05-15 07:08:52 +02:00
nvram hw/nvram/fw_cfg: Let fw_cfg_add_from_generator() return boolean value 2020-07-21 16:47:54 +02:00
openrisc sysbus: Convert to sysbus_realize() etc. with Coccinelle 2020-06-15 22:05:28 +02:00
pci hw/pci-host: save/restore pci host config register 2020-07-27 10:24:39 -04:00
pci-bridge sysbus: Convert to sysbus_realize() etc. with Coccinelle 2020-06-15 22:05:28 +02:00
pci-host xen: Use ERRP_GUARD() 2020-07-10 15:18:09 +02:00
pcmcia sysbus: Convert to sysbus_realize() etc. with Coccinelle 2020-06-15 22:05:28 +02:00
ppc pseries: fix kvmppc_set_fwnmi() 2020-07-27 11:09:25 +10:00
rdma lockable: Replace locks with lock guard macros 2020-05-04 16:07:43 +01:00
riscv hw/riscv: sifive_e: Correct debug block size 2020-07-22 09:39:46 -07:00
rtc goldfish_rtc: Fix non-atomic read behaviour of TIME_LOW/TIME_HIGH 2020-07-22 09:39:46 -07:00
rx qom: Put name parameter before value / visitor parameter 2020-07-10 15:18:08 +02:00
s390x virtio: verify that legacy support is not accidentally on 2020-07-22 07:57:07 -04:00
scsi error: Avoid error_propagate() after migrate_add_blocker() 2020-07-10 15:18:08 +02:00
sd sd/milkymist-memcard: Fix format string 2020-07-24 15:03:09 +02:00
semihosting semihosting: remove the pthread include which seems unused 2020-06-10 11:29:44 +02:00
sh4 hw/sh4: Extract timer definitions to 'hw/timer/tmu012.h' 2020-06-22 18:37:12 +02:00
smbios error: Eliminate error_propagate() with Coccinelle, part 1 2020-07-10 15:18:08 +02:00
sparc qom: Put name parameter before value / visitor parameter 2020-07-10 15:18:08 +02:00
sparc64 qom: Put name parameter before value / visitor parameter 2020-07-10 15:18:08 +02:00
ssi ssi: Add ssi_realize_and_unref() 2020-07-03 16:59:44 +01:00
timer hw/timer: avr: Add limited support for 16-bit timer peripheral 2020-07-11 11:02:05 +02:00
tpm tpm: tpm_spapr: Exit on TPM backend failures 2020-07-15 14:57:33 -04:00
tricore hw: Do not initialize MachineClass::is_default to 0 2020-02-28 14:57:19 -05:00
unicore32 hw/unicore32/puv3: Use qemu_log_mask(ERROR) instead of debug printf() 2020-06-09 19:01:56 +02:00
usb hw: Only compile the usb-dwc2 controller if it is really needed 2020-07-24 16:15:28 +02:00
vfio vfio: fix use-after-free in display 2020-07-16 10:20:12 +02:00
virtio Fix vhost-user buffer over-read on ram hot-unplug 2020-07-27 10:28:28 -04:00
watchdog hw/watchdog/cmsdk-apb-watchdog: Add trace event for lock status 2020-06-23 11:39:47 +01:00
xen osdep.h: Always include <sys/signal.h> if it exists 2020-07-13 14:36:09 +01:00
xenpv trivial: Remove xenfb_enabled from sysemu.h 2020-02-04 09:00:57 +01:00
xtensa qdev: Make qdev_prop_set_drive() match the other helpers 2020-06-23 16:07:07 +02:00
Kconfig hw/avr: Add limited support for some Arduino boards 2020-07-11 11:02:05 +02:00
Makefile.objs vga: build qxl as module 2020-07-07 15:33:59 +02:00