Headline
CVE-2022-35414: Re: [PATCH v2] softmmu: Always initialize xlat in address_space_translate_for_iotlb
softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash.
On Tue, 21 Jun 2022 at 16:38, Richard Henderson richard.hender…@linaro.org wrote:
The bug is an uninitialized memory read, along the translate_fail path, which results in garbage being read from iotlb_to_section, which can lead to a crash in io_readx/io_writex.
The bug may be fixed by writing any value with zero in ~TARGET_PAGE_MASK, so that the call to iotlb_to_section using the xlat’ed address returns io_mem_unassigned, as desired by the translate_fail path.
It is most useful to record the original physical page address, which will eventually be logged by memory_region_access_valid when the access is rejected by unassigned_mem_accepts.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1065 Signed-off-by: Richard Henderson richard.hender…@linaro.org
Reviewed-by: Peter Maydell peter.mayd…@linaro.org
thanks – PMM
Related news
Gentoo Linux Security Advisory 202408-18 - Multiple vulnerabilities have been discovered in QEMU, the worst of which could lead to a denial of service. Versions greater than or equal to 8.0.0 are affected.