git.ipfire.org Git - thirdparty/qemu.git/commit
hw/virtio-iommu: Fix potential OOB access in virtio_iommu_handle_command()
author    Eric Auger <eric.auger@redhat.com>
          Mon, 17 Jul 2023 16:21:26 +0000 (18:21 +0200)
committer Michael Tokarev <mjt@tls.msk.ru>
          Fri, 4 Aug 2023 16:14:46 +0000 (19:14 +0300)
commit    18963f458f71da2535e1c367ea66165d0cd9fd33
tree      381c5ef9297d08879d18c6980d16b49fe0a4b125
parent    71e05c42cc36d9d678db88583d9ece8be7b2f15c
hw/virtio-iommu: Fix potential OOB access in virtio_iommu_handle_command()

In the virtio_iommu_handle_command() when a PROBE request is handled,
output_size takes a value greater than the tail size and on a subsequent
iteration we can get a stack out-of-band access. Initialize the
output_size on each iteration.

The issue was found with ASAN. Credits to:
Yiming Tao(Zhejiang University)
Gaoning Pan(Zhejiang University)

Fixes: 1733eebb9e7 ("virtio-iommu: Implement RESV_MEM probe request")
Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reported-by: Mauro Matteo Cascella <mcascell@redhat.com>
Cc: qemu-stable@nongnu.org
Message-Id: <20230717162126.11693-1-eric.auger@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit cf2f89edf36a59183166ae8721a8d7ab5cd286bd)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
hw/virtio/virtio-iommu.c
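The failure mode the commit message describes, as an added example that is not QEMU's code and not part of this commit: a deliberately simplified C model of a request loop in which the response length is initialised once before the loop. A PROBE request enlarges that length to cover its own heap-allocated reply; every later request that answers with only the 4-byte stack tail then hands the stale, larger length to the response writer. The model reports such over-long copies instead of performing them, and the "fixed" variant re-initialises the length at the top of each iteration. All names here (`run_commands`, `emit_response`, `count_oob_buggy`, `count_oob_fixed`, the request numbering, the constructed request sequences and the `probe_size` value) are assumptions made for illustration, not identifiers from the patched file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: a hypothetical, simplified model of a virtio-iommu style
 * request loop.  This is not QEMU's code; request numbering, buffer names
 * and sizes are assumptions for illustration only. */

enum req_type { REQ_ATTACH = 1, REQ_DETACH = 2, REQ_PROBE = 5 };

struct req_tail { uint8_t status; uint8_t reserved[3]; };

/* Model of writing the response back to the guest.  Rather than really
 * reading past 'src' (undefined behaviour), it reports the defect:
 * returns 1 if the requested length exceeds the source buffer's
 * capacity, 0 otherwise. */
static int emit_response(const void *src, size_t src_cap, size_t len)
{
    (void)src;
    return len > src_cap ? 1 : 0;
}

/* Runs 'n' requests.  With reset_each_iteration == 0 the response length
 * is set once before the loop (the vulnerable shape); with 1 it is
 * re-initialised at the top of every iteration (the fix).  Returns how
 * many responses would have been read past their source buffer, or -1
 * on allocation failure. */
static int run_commands(const enum req_type *reqs, size_t n,
                        size_t probe_size, int reset_each_iteration)
{
    struct req_tail tail;               /* lives on the stack, 4 bytes   */
    size_t output_size = sizeof(tail);  /* vulnerable: initialised once  */
    int oob = 0;

    for (size_t i = 0; i < n; i++) {
        uint8_t *buf = NULL;            /* per-request heap buffer (PROBE) */
        const void *src;
        size_t cap;

        if (reset_each_iteration) {
            output_size = sizeof(tail); /* the fix: fresh length per request */
        }
        memset(&tail, 0, sizeof(tail));

        if (reqs[i] == REQ_PROBE) {
            /* PROBE replies with probe_size bytes of data followed by the
             * tail, in a heap buffer sized exactly for that reply. */
            output_size = probe_size + sizeof(tail);
            buf = calloc(output_size, 1);
            if (!buf) {
                return -1;
            }
            src = buf;
            cap = output_size;
        } else {
            /* Every other request replies with just the stack tail.  If
             * output_size is stale from an earlier PROBE, this asks the
             * writer for far more than the 4 bytes that exist here. */
            src = &tail;
            cap = sizeof(tail);
        }

        oob += emit_response(src, cap, output_size);
        free(buf);
    }
    return oob;
}

int count_oob_buggy(const enum req_type *reqs, size_t n, size_t probe_size)
{
    return run_commands(reqs, n, probe_size, 0);
}

int count_oob_fixed(const enum req_type *reqs, size_t n, size_t probe_size)
{
    return run_commands(reqs, n, probe_size, 1);
}

/* Constructed request sequences (assumptions, not captured traffic). */
const enum req_type SEQ_PROBE_FIRST[] = { REQ_PROBE, REQ_ATTACH, REQ_DETACH };
const enum req_type SEQ_PROBE_LAST[]  = { REQ_ATTACH, REQ_PROBE };

int main(void)
{
    printf("PROBE first, buggy: %d over-long responses\n",
           count_oob_buggy(SEQ_PROBE_FIRST, 3, 512));
    printf("PROBE first, fixed: %d over-long responses\n",
           count_oob_fixed(SEQ_PROBE_FIRST, 3, 512));
    printf("PROBE last,  buggy: %d over-long responses\n",
           count_oob_buggy(SEQ_PROBE_LAST, 2, 512));
    return 0;
}
```

The ordering matters: a PROBE that arrives last never triggers the stale length, which is why a single-request test would not catch this and why a sanitizer run over a multi-request sequence did. Re-initialising the length per iteration, rather than only resetting it in the non-PROBE branches, is the robust fix because it does not depend on every future request type remembering to do so.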