diff options
| author | Jason Wang | 2021-09-02 07:44:12 +0200 |
|---|---|---|
| committer | Jason Wang | 2021-09-17 10:07:52 +0200 |
| commit | bedd7e93d01961fcb16a97ae45d93acf357e11f6 (patch) | |
| tree | 720259ddf32094dee2e3267552dd25c648426712 /docs/devel | |
| parent | ebpf: only include in system emulators (diff) | |
| download | qemu-bedd7e93d01961fcb16a97ae45d93acf357e11f6.tar.gz qemu-bedd7e93d01961fcb16a97ae45d93acf357e11f6.tar.xz qemu-bedd7e93d01961fcb16a97ae45d93acf357e11f6.zip | |
virtio-net: fix use after unmap/free for sg
When mergeable buffer is enabled, we try to set the num_buffers after
the virtqueue elem has been unmapped. This will lead several issues,
E.g a use after free when the descriptor has an address which belongs
to the non direct access region. In this case we use bounce buffer
that is allocated during address_space_map() and freed during
address_space_unmap().
Fixing this by storing the elems temporarily in an array and delay the
unmap after we set the the num_buffers.
This addresses CVE-2021-3748.
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Fixes: fbe78f4f55c6 ("virtio-net support")
Cc: qemu-stable@nongnu.org
Signed-off-by: Jason Wang <jasowang@redhat.com>
Diffstat (limited to 'docs/devel')
0 files changed, 0 insertions, 0 deletions