| From a10c33942dc8cb31b3762b9dd4adde4c490eed9c Mon Sep 17 00:00:00 2001 |
| From: Hitendra Prajapati <hprajapati@mvista.com> |
| Date: Wed, 3 Aug 2022 10:11:11 +0530 |
| Subject: [PATCH] CVE-2022-35414 |
| |
| Upstream-Status: Backport [https://github.com/qemu/qemu/commit/418ade7849ce7641c0f7333718caf5091a02fd4c] |
| CVE: CVE-2022-35414 |
| Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> |
| --- |
| softmmu/physmem.c | 13 ++++++++++++- |
| 1 file changed, 12 insertions(+), 1 deletion(-) |
| |
| diff --git a/softmmu/physmem.c b/softmmu/physmem.c |
| index 4e1b27a20..ad8a90dec 100644 |
| --- a/softmmu/physmem.c |
| +++ b/softmmu/physmem.c |
| @@ -669,7 +669,7 @@ void tcg_iommu_init_notifier_list(CPUState *cpu) |
| |
| /* Called from RCU critical section */ |
| MemoryRegionSection * |
| -address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr, |
| +address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr orig_addr, |
| hwaddr *xlat, hwaddr *plen, |
| MemTxAttrs attrs, int *prot) |
| { |
| @@ -678,6 +678,7 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr, |
| IOMMUMemoryRegionClass *imrc; |
| IOMMUTLBEntry iotlb; |
| int iommu_idx; |
| + hwaddr addr = orig_addr; |
| AddressSpaceDispatch *d = |
| qatomic_rcu_read(&cpu->cpu_ases[asidx].memory_dispatch); |
| |
| @@ -722,6 +723,16 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr, |
| return section; |
| |
| translate_fail: |
| + /* |
| + * We should be given a page-aligned address -- certainly |
| + * tlb_set_page_with_attrs() does so. The page offset of xlat |
| + * is used to index sections[], and PHYS_SECTION_UNASSIGNED = 0. |
| + * The page portion of xlat will be logged by memory_region_access_valid() |
| + * when this memory access is rejected, so use the original untranslated |
| + * physical address. |
| + */ |
| + assert((orig_addr & ~TARGET_PAGE_MASK) == 0); |
| + *xlat = orig_addr; |
| return &d->map.sections[PHYS_SECTION_UNASSIGNED]; |
| } |
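Review bot: The new failure-path contract in this hunk — that `*xlat` must leave `translate_fail` page-aligned because its page-offset bits index `sections[]` and have to select `PHYS_SECTION_UNASSIGNED` — lives only in the comment under the label, while the `assert((orig_addr & ~TARGET_PAGE_MASK) == 0)` turns page alignment of the incoming address into a hard precondition that aborts the emulator if a caller violates it. That precondition belongs on the function's interface as well, e.g. a header comment `/* orig_addr must be TARGET_PAGE aligned: the page-offset bits of *xlat index sections[] on the failure path */` wherever the prototype is declared, which presumably still names the parameter `addr` after the rename in the first hunk. `*plen` is not touched on this path, so a caller that inspects it after a failed translation presumably sees whatever the earlier translation step left there; if that is intended, a one-line comment saying so next to `*xlat = orig_addr;` would make the contract complete. The enclosing function begins in an earlier hunk and its body between the hunks is not shown here.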
| |
| -- |
| 2.25.1 |
| |