[Qemu-devel] [PATCH v1] exec: check the range in the address_space_unmap
From: Dima Stepanov
Subject: [Qemu-devel] [PATCH v1] exec: check the range in the address_space_unmap routine
Date: Fri, 22 Mar 2019 16:01:59 +0300
User-agent: Mutt/1.5.24 (2015-08-30)
In the case of virtio-blk communication, the following assertion can be
triggered by a specially crafted virtio packet:
qemu-system-x86_64: exec.c:3725: address_space_unmap: Assertion `mr != NULL' failed.
This assertion is triggered if the length of the first descriptor in the
block request chain (block command descriptor) is greater than the block
command size. In this case the hw/block/virtio-blk.c:virtio_blk_handle_request()
routine calls the iov_discard_front() function and the iov base and size
are changed. As a result the address cannot be found during the
address_space_unmap() call.
The fix is to check the whole address range in the address_space_unmap
function.
Signed-off-by: Dima Stepanov <address@hidden>
---
exec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/exec.c b/exec.c
index 86a38d3..0eeb018 100644
--- a/exec.c
+++ b/exec.c
@@ -3717,7 +3717,7 @@ void *address_space_map(AddressSpace *as,
void address_space_unmap(AddressSpace *as, void *buffer, hwaddr len,
int is_write, hwaddr access_len)
{
- if (buffer != bounce.buffer) {
+ if ((buffer < bounce.buffer) || (buffer + access_len > bounce.buffer +
bounce.len)) {
MemoryRegion *mr;
ram_addr_t addr1;
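Review bot: the new condition in this hunk relies on relational comparison and arithmetic between pointers into different objects (`buffer < bounce.buffer`, `buffer + access_len > bounce.buffer + bounce.len`), which ISO C only defines for pointers into the same object, and `buffer + access_len` is arithmetic on `void *`, a GCC extension; casting both sides to `uintptr_t` and testing `p >= base && access_len <= base + bounce.len - p` expresses the same containment check without depending on either, and also gives a predictable answer when `bounce.buffer` is NULL (no bounce mapping in flight). Separately, the widened test now routes any `buffer` that points inside the bounce buffer down the bounce path, but the hunk does not show that path learning about the offset: if the write-back below still copies `access_len` bytes starting at `bounce.buffer`, the header bytes that `iov_discard_front()` skipped shift the data by that offset. It would be worth stating in the commit message whether the caller is expected to pass the original base/length to `address_space_unmap()` (keeping a copy of the iov before discarding in virtio-blk) or whether the bounce path is meant to honour `buffer - bounce.buffer` as well.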
--
2.7.4
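As an added illustration, not part of this patch or of QEMU's source, the following C model shows why the exact-pointer test in address_space_unmap() stops matching once the caller has run iov_discard_front() on the same iov entry, and what a containment test on uintptr_t returns for the same cases. The BounceBuffer struct, the 32-byte mapping, the 16-byte discard and the second "elsewhere" buffer are constructed for the example; iov_discard_front_model() re-implements the function's documented front-trimming semantics rather than calling QEMU's iov_discard_front(), and is_bounce_range() is an assumed uintptr_t version of the check, not the patch's own line.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/uio.h>

/* Assumed stand-in for the bounce-buffer state in exec.c: the host pointer
 * handed out by address_space_map() and the number of bytes it covers. */
typedef struct {
    uint8_t *buffer;
    size_t len;
} BounceBuffer;

/* Model of iov_discard_front() semantics (re-implemented, not QEMU's code):
 * strip `bytes` from the front of the iov array, adjusting the first surviving
 * entry's iov_base/iov_len in place.  Returns the number of bytes dropped. */
static size_t iov_discard_front_model(struct iovec **iov, unsigned int *iov_cnt,
                                      size_t bytes)
{
    size_t total = 0;

    while (*iov_cnt > 0 && bytes > 0) {
        struct iovec *cur = *iov;

        if (cur->iov_len > bytes) {
            /* Partial consumption: the entry survives, but its base moves
             * forward and no longer equals the address that was mapped. */
            cur->iov_base = (uint8_t *)cur->iov_base + bytes;
            cur->iov_len -= bytes;
            total += bytes;
            break;
        }
        bytes -= cur->iov_len;
        total += cur->iov_len;
        (*iov)++;
        (*iov_cnt)--;
    }
    return total;
}

/* The pre-patch test: only the exact mapped base counts as the bounce buffer. */
static int is_bounce_exact(const BounceBuffer *b, const void *buffer)
{
    return buffer == b->buffer;
}

/* Containment test on uintptr_t (assumed alternative to the patch's pointer
 * comparison): true iff [buffer, buffer + len) lies inside the bounce buffer.
 * Well-defined for unrelated pointers and for a NULL (unused) bounce buffer. */
static int is_bounce_range(const BounceBuffer *b, const void *buffer, size_t len)
{
    uintptr_t lo = (uintptr_t)b->buffer;
    uintptr_t p = (uintptr_t)buffer;

    if (b->buffer == NULL || p < lo || p - lo > b->len) {
        return 0;
    }
    return len <= b->len - (p - lo);   /* no overflow: p - lo <= b->len here */
}

/* Constructed scenario from the commit message: a 32-byte bounce mapping whose
 * single iov entry has `discard` header bytes stripped before the unmap.
 * Returns bit 0 if the exact check still recognises the bounce buffer, bit 1
 * if the range check does, and -1 if the entry was consumed entirely. */
static int unmap_after_discard(size_t discard)
{
    static uint8_t backing[32];
    BounceBuffer b = { backing, sizeof backing };
    struct iovec sg[1] = { { .iov_base = backing, .iov_len = sizeof backing } };
    struct iovec *iov = sg;
    unsigned int cnt = 1;
    int verdict = 0;

    iov_discard_front_model(&iov, &cnt, discard);
    if (cnt == 0) {
        return -1;
    }
    if (is_bounce_exact(&b, iov->iov_base)) {
        verdict |= 1;
    }
    if (is_bounce_range(&b, iov->iov_base, iov->iov_len)) {
        verdict |= 2;
    }
    return verdict;
}

/* Edge cases for the range check on a 32-byte bounce buffer: an unmap that
 * starts `offset` bytes in and covers `len` bytes; an offset past the end
 * stands for a pointer into some other (direct-RAM) buffer; bounce_unused
 * models the NULL bounce.buffer state. */
static int range_check_case(size_t offset, size_t len, int bounce_unused)
{
    static uint8_t backing[32];
    static uint8_t elsewhere[32];   /* constructed: a separate direct mapping */
    BounceBuffer b = { bounce_unused ? NULL : backing, sizeof backing };

    if (offset > sizeof backing) {
        return is_bounce_range(&b, elsewhere, len);
    }
    return is_bounce_range(&b, backing + offset, len);
}

int main(void)
{
    printf("no discard: %d (3 = both checks match)\n", unmap_after_discard(0));
    printf("16-byte header discarded: %d (2 = only the range check matches)\n",
           unmap_after_discard(16));
    printf("overrun inside bounce buffer: %d\n", range_check_case(16, 32, 0));
    printf("other buffer, bounce unused: %d\n", range_check_case(99, 8, 1));
    return 0;
}
```

The discarded-header case is the one the assertion in the commit message comes from: the exact comparison says "not bounce", so the unmap falls through to the RAM lookup for a pointer that is not RAM. The containment test accepts it, but that only helps if the code after the test also accounts for the offset between `buffer` and the start of the bounce buffer; an overrun (`range_check_case(16, 32, 0)`) is still rejected, so a caller that shrank the length but not the base, or vice versa, cannot pass the check by accident.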