CVE-2020-13659: Re: [PATCH v4] exec: set map length to zero when returning NULL

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

From:

Philippe Mathieu-Daudé

Subject:

Re: [PATCH v4] exec: set map length to zero when returning NULL

Date:

Tue, 26 May 2020 13:21:50 +0200

User-agent:

Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0

On 5/26/20 1:17 PM, P J P wrote:

From: Prasad J Pandit address@hidden

When mapping physical memory into host’s virtual address space, ‘address_space_map’ may return NULL if BounceBuffer is in_use. Set and return ‘*plen = 0’ to avoid later NULL pointer dereference.

Reported-by: Alexander Bulekov address@hidden Fixes: https://bugs.launchpad.net/qemu/+bug/1878259 Suggested-by: Paolo Bonzini address@hidden Suggested-by: Peter Maydell address@hidden Signed-off-by: Prasad J Pandit address@hidden — exec.c | 1 + include/exec/memory.h | 3 +± 2 files changed, 3 insertions(+), 1 deletion(-)

Update v4: update address_space_map API doc text -> https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg07281.html

diff --git a/exec.c b/exec.c index 5162f0d12f…4eea84bf66 100644 — a/exec.c +++ b/exec.c @@ -3538,6 +3538,7 @@ void *address_space_map(AddressSpace *as,

 _if (!memory\_access\_is\_direct(mr, is\_write)) {_
     _if (atomic\_xchg(&bounce.in\_use, true)) {_

+ *plen = 0;

Reviewed-by: Philippe Mathieu-Daudé address@hidden

         _return NULL;_
     _}_
     _/\* Avoid unbounded allocations \*/_

diff --git a/include/exec/memory.h b/include/exec/memory.h index e000bd2f97…8fa2d3cab2 100644 — a/include/exec/memory.h +++ b/include/exec/memory.h @@ -2303,7 +2303,8 @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr, hwaddr len, /* address_space_map: map a physical memory region into a host virtual address * * May map a subset of the requested range, given by and returned in @plen. - * May return %NULL if resources needed to perform the mapping are exhausted. + * May return %NULL and set *@plen to zero(0), if resources needed to perform + * the mapping are exhausted. * Use only for reads OR writes - not for read-modify-write operations. * Use cpu_register_map_client() to know when retrying the map operation is * likely to succeed.

• [PATCH v4] exec: set map length to zero when returning NULL, P J P, 2020/05/26

  • Re: [PATCH v4] exec: set map length to zero when returning NULL, Philippe Mathieu-Daudé <=

• Prev by Date: [PATCH v4] exec: set map length to zero when returning NULL

• Next by Date: Re: [PATCH 50/55] s390x/event-facility: Simplify creation of SCLP event devices

• Previous by thread: [PATCH v4] exec: set map length to zero when returning NULL

• Index(es):

  • Date
  • Thread