summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPhilippe Mathieu-Daudé2020-07-18 09:28:54 +0200
committerJohn Snow2020-10-01 19:04:16 +0200
commit1d1c4bdb736688b20d864831b90c07dc59c7b10c (patch)
treecc89c8febd7d6833debb7ade7bd61e4fabc5a063
parentMAINTAINERS: Update my git address (diff)
downloadqemu-1d1c4bdb736688b20d864831b90c07dc59c7b10c.tar.gz
qemu-1d1c4bdb736688b20d864831b90c07dc59c7b10c.tar.xz
qemu-1d1c4bdb736688b20d864831b90c07dc59c7b10c.zip
hw/ide/ahci: Do not dma_memory_unmap(NULL)
libFuzzer triggered the following assertion: cat << EOF | qemu-system-i386 -M pc-q35-5.0 \ -nographic -monitor none -serial none -qtest stdio outl 0xcf8 0x8000fa24 outl 0xcfc 0xe1068000 outl 0xcf8 0x8000fa04 outw 0xcfc 0x7 outl 0xcf8 0x8000fb20 write 0xe1068304 0x1 0x21 write 0xe1068318 0x1 0x21 write 0xe1068384 0x1 0x21 write 0xe1068398 0x2 0x21 EOF qemu-system-i386: exec.c:3621: address_space_unmap: Assertion `mr != NULL' failed. Aborted (core dumped) This is because we don't check the return value from dma_memory_map() which can return NULL, then we call dma_memory_unmap(NULL) which is illegal. Fix by only unmap if the value is not NULL (and the size is not the expected one). Cc: qemu-stable@nongnu.org Reported-by: Alexander Bulekov <alxndr@bu.edu> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-id: 20200718072854.7001-1-f4bug@amsat.org Fixes: f6ad2e32f8 ("ahci: add ahci emulation") BugLink: https://bugs.launchpad.net/qemu/+bug/1884693 Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: John Snow <jsnow@redhat.com> Signed-off-by: John Snow <jsnow@redhat.com>
-rw-r--r--hw/ide/ahci.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index ee1d47ff75..680304a24c 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -250,7 +250,7 @@ static void map_page(AddressSpace *as, uint8_t **ptr, uint64_t addr,
}
*ptr = dma_memory_map(as, addr, &len, DMA_DIRECTION_FROM_DEVICE);
- if (len < wanted) {
+ if (len < wanted && *ptr) {
dma_memory_unmap(as, *ptr, len, DMA_DIRECTION_FROM_DEVICE, len);
*ptr = NULL;
}