qemu/hw
Eric Auger cf2f89edf3 hw/virtio-iommu: Fix potential OOB access in virtio_iommu_handle_command()
In the virtio_iommu_handle_command() when a PROBE request is handled,
output_size takes a value greater than the tail size and on a subsequent
iteration we can get a stack out-of-band access. Initialize the
output_size on each iteration.

The issue was found with ASAN. Credits to:
Yiming Tao(Zhejiang University)
Gaoning Pan(Zhejiang University)

Fixes: 1733eebb9e ("virtio-iommu: Implement RESV_MEM probe request")
Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reported-by: Mauro Matteo Cascella <mcascell@redhat.com>
Cc: qemu-stable@nongnu.org

Message-Id: <20230717162126.11693-1-eric.auger@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2023-08-03 16:06:49 -04:00
..
9pfs hw/9pfs: spelling fixes 2023-07-25 17:15:47 +03:00
acpi hw/acpi: Fix PM control register access 2023-06-26 09:49:24 -04:00
adc meson: Replace softmmu_ss -> system_ss 2023-06-20 10:01:30 +02:00
alpha
arm xen: Don't pass MemoryListener around by value 2023-08-01 10:22:33 +01:00
audio meson: Replace softmmu_ss -> system_ss 2023-06-20 10:01:30 +02:00
avr
block xen-block: Avoid leaks on new error path 2023-08-01 10:22:33 +01:00
char hw/char/escc: Implement loopback mode 2023-07-25 14:40:49 +02:00
core misc: Fix some typos in documentation and comments 2023-08-01 23:52:23 +02:00
cpu meson: Replace softmmu_ss -> system_ss 2023-06-20 10:01:30 +02:00
cris
cxl hw/cxl/events: Add event interrupt support 2023-06-22 18:55:14 -04:00
display virtio-gpu-udmabuf: correct naming of QemuDmaBuf size properties 2023-07-17 15:22:28 +04:00
dma meson: Replace softmmu_ss -> system_ss 2023-06-20 10:01:30 +02:00
gpio meson: Replace softmmu_ss -> system_ss 2023-06-20 10:01:30 +02:00
hppa target/hppa: Provide qemu version via fw_cfg to firmware 2023-06-24 13:39:48 +02:00
hyperv
i2c meson: Replace softmmu_ss -> system_ss 2023-06-20 10:01:30 +02:00
i386 Misc patches queue 2023-08-02 06:51:29 -07:00
ide hw/ide/piix: properly initialize the BMIBA register 2023-07-14 11:10:57 +02:00
input vhost-user: fully use new backend/frontend naming 2023-06-26 09:50:00 -04:00
intc arm: spelling fixes 2023-07-25 17:13:53 +03:00
ipack meson: Replace softmmu_ss -> system_ss 2023-06-20 10:01:30 +02:00
ipmi meson: Replace softmmu_ss -> system_ss 2023-06-20 10:01:30 +02:00
isa hw/isa/vt82c686: Remove via_isa_set_irq() 2023-07-11 00:11:25 +02:00
loongarch hw/loongarch/virt: Use machine_memory_devices_init() 2023-07-12 09:25:37 +02:00
m68k other architectures: spelling fixes 2023-07-25 17:14:07 +03:00
mem memory-device: Track used region size in DeviceMemoryState 2023-07-12 09:25:37 +02:00
microblaze other architectures: spelling fixes 2023-07-25 17:14:07 +03:00
mips hw/mips: Improve the default USB settings in the loongson3-virt machine 2023-07-25 14:40:49 +02:00
misc arm: spelling fixes 2023-07-25 17:13:53 +03:00
net kconfig: Add PCIe devices to s390x machines 2023-07-14 11:10:57 +02:00
nios2
nubus meson: Replace softmmu_ss -> system_ss 2023-06-20 10:01:30 +02:00
nvme hw/nvme: use stl/ldl pci dma api 2023-07-30 20:09:54 +02:00
nvram hw/nvram: Avoid unnecessary Xilinx eFuse backstore write 2023-07-17 11:05:52 +01:00
openrisc
pci hw/pci: add comment to explain checking for available function 0 in pci hotplug 2023-07-25 17:19:44 +03:00
pci-bridge meson: Replace softmmu_ss -> system_ss 2023-06-20 10:01:30 +02:00
pci-host hw/pci/pci: Remove multifunction parameter from pci_new_multifunction() 2023-07-10 18:59:32 -04:00
pcmcia meson: Replace softmmu_ss -> system_ss 2023-06-20 10:01:30 +02:00
ppc hw/ppc/spapr: Use machine_memory_devices_init() 2023-07-12 09:25:37 +02:00
rdma meson: Replace softmmu_ss -> system_ss 2023-06-20 10:01:30 +02:00
remote exec/memory: Add symbol for memory listener priority for device backend 2023-06-28 14:27:59 +02:00
riscv hw/riscv: Fix typo field in error_report 2023-07-19 14:31:41 +10:00
rtc meson: Replace softmmu_ss -> system_ss 2023-06-20 10:01:30 +02:00
rx
s390x s390x: Fix QEMU abort by selecting S390_FLIC_KVM 2023-07-18 09:36:27 +02:00
scsi scsi: clear unit attention only for REPORT LUNS commands 2023-07-14 11:10:58 +02:00
sd hw/sd/sdhci: Do not force sdhci_mmio_*_ops onto all SD controllers 2023-07-25 14:40:49 +02:00
sensor meson: Replace softmmu_ss -> system_ss 2023-06-20 10:01:30 +02:00
sh4
smbios hw/smbios: Fix core count in type4 2023-07-10 16:17:08 -04:00
sparc other architectures: spelling fixes 2023-07-25 17:14:07 +03:00
sparc64 hw/pci/pci: Remove multifunction parameter from pci_new_multifunction() 2023-07-10 18:59:32 -04:00
ssi meson: Replace softmmu_ss -> system_ss 2023-06-20 10:01:30 +02:00
timer meson: Replace softmmu_ss -> system_ss 2023-06-20 10:01:30 +02:00
tpm hw/tpm: TIS on sysbus: Remove unsupport ppi command line option 2023-07-14 11:31:54 -04:00
tricore
usb hw/usb/canokey: change license to GPLv2+ 2023-07-25 17:24:12 +01:00
vfio vfio/pci: Enable AtomicOps completers on root ports 2023-07-10 09:52:52 +02:00
virtio hw/virtio-iommu: Fix potential OOB access in virtio_iommu_handle_command() 2023-08-03 16:06:49 -04:00
watchdog meson: Replace softmmu_ss -> system_ss 2023-06-20 10:01:30 +02:00
xen xen: Don't pass MemoryListener around by value 2023-08-01 10:22:33 +01:00
xenpv
xtensa hw: Simplify calls to pci_nic_init_nofail() 2023-07-08 07:24:38 +03:00
Kconfig
meson.build