qemu/include/hw
Stefan Hajnoczi 7bd04a041a virtio-blk: undo destructive iov_discard_*() operations
Fuzzing discovered that virtqueue_unmap_sg() is being called on modified
req->in/out_sg iovecs. This means dma_memory_map() and
dma_memory_unmap() calls do not have matching memory addresses.

Fuzzing discovered that non-RAM addresses trigger a bug:

  void address_space_unmap(AddressSpace *as, void *buffer, hwaddr len,
                           bool is_write, hwaddr access_len)
  {
      if (buffer != bounce.buffer) {
          ^^^^^^^^^^^^^^^^^^^^^^^

A modified iov->iov_base is no longer recognized as a bounce buffer and
the wrong branch is taken.

There are more potential bugs: dirty memory is not tracked correctly and
MemoryRegion refcounts can be leaked.

Use the new iov_discard_undo() API to restore elem->in/out_sg before
virtqueue_push() is called.

Fixes: 827805a249 ("virtio-blk: Convert VirtIOBlockReq.out to structrue")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
Buglink: https://bugs.launchpad.net/qemu/+bug/1890360
Message-Id: <20200917094455.822379-3-stefanha@redhat.com>
2020-09-23 13:41:58 +01:00
acpi Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
adc Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
arm Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
audio qom: Put name parameter before value / visitor parameter 2020-07-10 15:18:08 +02:00
block Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
char Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
core Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
cpu Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
cris sysbus: Convert to sysbus_realize() etc. with Coccinelle 2020-06-15 22:05:28 +02:00
display Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
dma Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
firmware machine: Refactor smp-related call chains to pass MachineState 2019-07-05 17:07:36 -03:00
gpio Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
hyperv Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
i2c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
i386 QOM queue, 2020-09-18 2020-09-21 18:55:39 +01:00
ide Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
input input: tsc2xxx fix. 2020-09-22 21:11:10 +01:00
intc Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
ipack Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
ipmi Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
isa Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
kvm Supply missing header guards 2019-06-12 13:20:21 +02:00
lm32 Include qemu-common.h exactly where needed 2019-06-12 13:20:20 +02:00
m68k Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
mem Use OBJECT_DECLARE_TYPE when possible 2020-09-18 14:12:32 -04:00
mips Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
misc Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
net Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
nubus Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
nvram Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
pci Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
pci-bridge Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
pci-host Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
ppc Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
rdma Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
riscv Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
rtc Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
rx Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
s390x Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
scsi Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
sd Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
semihosting semihosting: add qemu_semihosting_console_inc for SYS_READC 2020-01-09 11:41:29 +00:00
sh4 hw/sh4: Extract timer definitions to 'hw/timer/tmu012.h' 2020-06-22 18:37:12 +02:00
southbridge Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
sparc Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
ssi Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
timer Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
tricore Include hw/irq.h a lot less 2019-08-16 13:31:52 +02:00
unicore32
usb Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
vfio Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
virtio virtio-blk: undo destructive iov_discard_*() operations 2020-09-23 13:41:58 +01:00
watchdog Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
xen Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
xtensa Include hw/irq.h a lot less 2019-08-16 13:31:52 +02:00
boards.h Use OBJECT_DECLARE_TYPE when possible 2020-09-18 14:12:32 -04:00
clock.h Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
elf_ops.h hw/elf_ops: Do not ignore write failures when loading ELF 2020-06-10 12:10:23 -04:00
fw-path-provider.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
hotplug.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
hw.h Include hw/hw.h exactly where needed 2019-08-16 13:31:52 +02:00
ide.h hw/ide: Move MAX_IDE_DEVS define to hw/ide/internal.h 2020-03-17 12:22:36 -04:00
irq.h include/hw/irq.h: New function qemu_irq_is_connected() 2020-08-03 17:55:03 +01:00
loader-fit.h Use #include "..." for our own headers, <...> for others 2018-02-09 05:05:11 +01:00
loader.h hw/core/loader: Let load_elf() populate a field with CPU-specific flags 2020-01-29 19:28:52 +01:00
nmi.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
or-irq.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
pcmcia.h Use OBJECT_DECLARE_TYPE when possible 2020-09-18 14:12:32 -04:00
platform-bus.h Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
ptimer.h ptimer: Remove old ptimer_init_with_bh() API 2019-11-11 13:44:16 +00:00
qdev-clock.h hw/qdev-clock: Avoid calling qdev_connect_clock_in after DeviceRealize 2020-08-28 10:02:46 +01:00
qdev-core.h Use OBJECT_DECLARE_TYPE when possible 2020-09-18 14:12:32 -04:00
qdev-dma.h Supply missing header guards 2019-06-12 13:20:21 +02:00
qdev-properties.h qdev: Document qdev_prop_set_drive_err() return value 2020-08-19 10:44:29 -04:00
register.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
registerfields.h hw/registerfields: Prefix local variables with underscore in macros 2020-05-27 11:23:07 -07:00
resettable.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
stream.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
sysbus.h qom: Remove module_obj_name parameter from OBJECT_DECLARE* macros 2020-09-18 14:12:32 -04:00
usb.h Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
vmstate-if.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00