From: "Michael S. Tsirkin" <mst@redhat.com>
To: qemu-devel@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>,
Eduardo Habkost <ehabkost@redhat.com>,
qemu-stable@nongnu.org, Paolo Bonzini <pbonzini@redhat.com>,
Richard Henderson <rth@twiddle.net>
Subject: [PULL 07/10] hw/i386/amd_iommu.c: Fix corruption of log events passed to guest
Date: Tue, 31 Mar 2020 10:57:16 -0400
Message-ID: <20200331145631.135630-8-mst@redhat.com>
In-Reply-To: <20200331145631.135630-1-mst@redhat.com>
From: Peter Maydell <peter.maydell@linaro.org>
In the function amdvi_log_event(), we write an event log buffer
entry into guest ram, whose contents are passed to the function
via the "uint64_t *evt" argument. Unfortunately, a spurious
'&' in the call to dma_memory_write() meant that instead of
writing the event to the guest we would write the literal value
of the pointer, plus whatever was in the following 8 bytes
on the stack. This error was spotted by Coverity.
Fix the bug by removing the '&'.
Fixes: CID 1421945
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20200326105349.24588-1-peter.maydell@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
hw/i386/amd_iommu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/i386/amd_iommu.c b/hw/i386/amd_iommu.c
index b1175e52c7..fd75cae024 100644
--- a/hw/i386/amd_iommu.c
+++ b/hw/i386/amd_iommu.c
@@ -181,7 +181,7 @@ static void amdvi_log_event(AMDVIState *s, uint64_t *evt)
}
if (dma_memory_write(&address_space_memory, s->evtlog + s->evtlog_tail,
- &evt, AMDVI_EVENT_LEN)) {
+ evt, AMDVI_EVENT_LEN)) {
trace_amdvi_evntlog_fail(s->evtlog, s->evtlog_tail);
}
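Review bot: in the dma_memory_write() call, the length AMDVI_EVENT_LEN is still unrelated to the type of the "uint64_t *evt" parameter, so nothing in the signature of amdvi_log_event() guarantees that the caller's buffer holds that many bytes. The buffer argument of dma_memory_write() accepts any pointer type, which is why the stray "&evt" compiled without a diagnostic and only Coverity caught it. Consider documenting at the function that evt must point to at least AMDVI_EVENT_LEN bytes, or passing the event as a fixed-size struct or array type so that a wrong level of indirection fails to compile. Since the removed form copied the host pointer value and the following stack bytes into guest RAM, the commit message could also name this as a host-to-guest information disclosure, which helps whoever triages the qemu-stable backport.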
--
MST