From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:42161) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aOoIL-0003dK-M0 for qemu-devel@nongnu.org; Thu, 28 Jan 2016 10:15:38 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1aOoIH-0006if-Bn for qemu-devel@nongnu.org; Thu, 28 Jan 2016 10:15:37 -0500 Received: from mx1.redhat.com ([209.132.183.28]:58416) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aOoIH-0006ia-69 for qemu-devel@nongnu.org; Thu, 28 Jan 2016 10:15:33 -0500 From: P J P Date: Thu, 28 Jan 2016 20:45:25 +0530 Message-Id: <1453994125-23586-1-git-send-email-ppandit@redhat.com> Subject: [Qemu-devel] [PATCH] exec: check 'bounce.in_use' flag before using buffer List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: QEMU Developers Cc: Paolo Bonzini , John Snow , Prasad J Pandit , Zuozhi fzz From: Prasad J Pandit When IDE AHCI emulation uses Frame Information Structures(FIS) engine for data transfer, the mapped FIS buffer address is stored in a static 'bounce.buffer'. This is freed when FIS entry is unmapped. If multiple FIS entries are created, it leads to an use after free error. Check 'bounce.in_use' flag to avoid it. Reported-by: Zuozhi fzz Signed-off-by: Prasad J Pandit --- exec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exec.c b/exec.c index 8718a75..ccc5715 100644 --- a/exec.c +++ b/exec.c @@ -2922,7 +2922,7 @@ void address_space_unmap(AddressSpace *as, void *buffer, hwaddr len, memory_region_unref(mr); return; } - if (is_write) { + if (bounce.in_use && is_write) { address_space_write(as, bounce.addr, MEMTXATTRS_UNSPECIFIED, bounce.buffer, access_len); } -- 2.5.0
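Review bot: the new `bounce.in_use && is_write` condition in address_space_unmap() makes the write-back silently a no-op when the bounce buffer is not in use, which hides the caller's bug rather than reporting it. The commit message says the failure comes from a device model (AHCI FIS handling) that holds a pointer into the single static `bounce.buffer` and unmaps it twice, so once `in_use` is false the caller is passing a `buffer` it no longer owns; dropping the write-back at that point loses guest data and leaves the misbehaving caller undetected. Consider an explicit ownership check such as `assert(buffer == bounce.buffer && bounce.in_use);` (or at least checking that `buffer` really is `bounce.buffer` before touching it), and fixing the double unmap in the AHCI code itself, so that exec.c does not have to tolerate a caller that unmaps a bounce buffer it never mapped. The commit message would also benefit from naming the AHCI function(s) involved, since the hunk alone gives no hint where the second map/unmap occurs.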