| 1 | From a10c33942dc8cb31b3762b9dd4adde4c490eed9c Mon Sep 17 00:00:00 2001 |
| 2 | From: Hitendra Prajapati <hprajapati@mvista.com> |
| 3 | Date: Wed, 3 Aug 2022 10:11:11 +0530 |
| 4 | Subject: [PATCH] CVE-2022-35414 |
| 5 | |
| 6 | Upstream-Status: Backport [https://github.com/qemu/qemu/commit/418ade7849ce7641c0f7333718caf5091a02fd4c] |
| 7 | CVE: CVE-2022-35414 |
| 8 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> |
| 9 | --- |
| 10 | softmmu/physmem.c | 13 ++++++++++++- |
| 11 | 1 file changed, 12 insertions(+), 1 deletion(-) |
| 12 | |
| 13 | diff --git a/softmmu/physmem.c b/softmmu/physmem.c |
| 14 | index 4e1b27a20..ad8a90dec 100644 |
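--- a/softmmu/physmem.c
+++ b/softmmu/physmem.c
@@ -669,7 +669,7 @@ void tcg_iommu_init_notifier_list(CPUState *cpu)
 
 /* Called from RCU critical section */
 MemoryRegionSection *
-address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
+address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr orig_addr,
 hwaddr *xlat, hwaddr *plen,
 MemTxAttrs attrs, int *prot)
 {
@@ -678,6 +678,7 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
 IOMMUMemoryRegionClass *imrc;
 IOMMUTLBEntry iotlb;
 int iommu_idx;
+ hwaddr addr = orig_addr;
 AddressSpaceDispatch *d =
 qatomic_rcu_read(&cpu->cpu_ases[asidx].memory_dispatch);
 
@@ -722,6 +723,16 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
 return section;
 
 translate_fail:
+ /*
+ * We should be given a page-aligned address -- certainly
+ * tlb_set_page_with_attrs() does so. The page offset of xlat
+ * is used to index sections[], and PHYS_SECTION_UNASSIGNED = 0.
+ * The page portion of xlat will be logged by memory_region_access_valid()
+ * when this memory access is rejected, so use the original untranslated
+ * physical address.
+ */
+ assert((orig_addr & ~TARGET_PAGE_MASK) == 0);
+ *xlat = orig_addr;
 return &d->map.sections[PHYS_SECTION_UNASSIGNED];
 }
 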
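Review bot: The new `assert((orig_addr & ~TARGET_PAGE_MASK) == 0);` at translate_fail is the only thing enforcing the alignment that, per the comment, keeps the page offset of `*xlat` at PHYS_SECTION_UNASSIGNED, so the guarantee depends on assertions staying compiled in and on every caller passing a page-aligned address. The comment names only tlb_set_page_with_attrs(), and any other callers are not visible here. Because this path is taken when translation fails, which guest-programmed IOMMU state can presumably influence, a caller that breaks the invariant aborts the process rather than getting a rejected access. I would extend the comment with `Callers must pass a page-aligned orig_addr; a violation aborts here rather than indexing sections[] with a non-zero offset.` and confirm that the callers on this backported branch match upstream. The function body starts before and continues between these hunks, so the code that jumps to translate_fail is not shown.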
| 51 | -- |
| 52 | 2.25.1 |
| 53 | |