From patchwork Wed Feb 23 14:36:04 2022
X-Patchwork-Submitter: wliang@stu.xidian.edu.cn
X-Patchwork-Id: 12757133
Date: Wed, 23 Feb 2022 22:36:04 +0800 (GMT+08:00)
From: wliang@stu.xidian.edu.cn
To: "qemu-devel@nongnu.org"
Subject: Fix a potential Use-after-free in virtio_iommu_handle_command() (v6.2.0).
Message-ID: <1b79118e.25c5.17f2702b9d5.Coremail.wliang@stu.xidian.edu.cn>

Hi all,

I found a potential use-after-free in QEMU 6.2.0, in virtio_iommu_handle_command() (./hw/virtio/virtio-iommu.c).

Specifically, in the loop body, the variable 'buf' allocated at line 639 can be freed by g_free() at line 659. However, if execution enters the loop body again and the if branch at line 616 is taken, control jumps directly to 'out' at line 651. At this point 'buf' is a freed pointer that has not been reassigned to newly allocated memory, yet it is used at line 653. As a result, a UAF bug is triggered.

599     for (;;) {
...
615         sz = iov_to_buf(iov, iov_cnt, 0, &head, sizeof(head));
616         if (unlikely(sz != sizeof(head))) {
617             tail.status = VIRTIO_IOMMU_S_DEVERR;
618             goto out;
619         }
...
639             buf = g_malloc0(output_size);
...
651 out:
652         sz = iov_from_buf(elem->in_sg, elem->in_num, 0,
653                           buf ? buf : &tail, output_size);
...
659         g_free(buf);
660     }

We can fix it by setting 'buf' to NULL after freeing it:

651 out:
652         sz = iov_from_buf(elem->in_sg, elem->in_num, 0,
653                           buf ? buf : &tail, output_size);
...
659         g_free(buf);
+++         buf = NULL;
660     }

I'm looking forward to your confirmation.

Best,
Wentao

--- ./hw/virtio/virtio-iommu.c	2022-02-23 15:06:32.040727196 +0800
+++ ./hw/virtio/virtio-iommu-PATCH.c	2022-02-23 21:12:24.605032121 +0800
@@ -657,6 +657,7 @@
         virtio_notify(vdev, vq);
         g_free(elem);
         g_free(buf);
+        buf = NULL;
     }
 }
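Review bot: Nulling buf after g_free() closes the dangling-pointer case, but output_size, which sized the g_malloc0() at line 639 and is passed to iov_from_buf() at line 653, is not reset with it; if it is declared at the same scope as buf, a later iteration that takes the goto at line 616 falls back to &tail while still copying the previous probe-sized output_size, reading past tail. Consider resetting both at the top of each iteration (buf = NULL; output_size = sizeof(tail); before the request header is read) rather than only nulling buf at the bottom, so every early exit starts from known state. The submission also lacks a Signed-off-by line and a commit message describing the bug, both of which QEMU requires before a patch can be applied.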
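The pattern the report describes, as an added example that is not QEMU code and not part of the original post: a reduced model of a request loop whose per-request state (a heap buffer and the size used to copy the response) lives outside the loop. It models three variants of the loop, the unpatched one, the posted fix (NULL the pointer after freeing it) and a variant that resets both the pointer and the size at the top of each iteration, and goes one step beyond the report by also tracking the stale size. The request types, PROBE_SIZE, the hazard flags and the function names are all constructed for the example; the model records what the copy at 'out' would read instead of performing it, so it never touches freed memory itself.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed request kinds; REQ_PROBE stands in for the case that allocates
 * a response buffer, REQ_MALFORMED for the early "goto out" path. */
enum req_type { REQ_SIMPLE, REQ_PROBE, REQ_MALFORMED };

/* Which variant of the loop to model. */
enum fix_mode {
    FIX_NONE,            /* as reported: buf left dangling after g_free() */
    FIX_NULL_AFTER_FREE, /* the posted patch: buf = NULL after freeing */
    FIX_RESET_AT_TOP     /* reset buf and output_size at the start of each iteration */
};

struct tail { unsigned char status; };

#define PROBE_SIZE 16        /* constructed stand-in for the probe response size */

/* Hazards observed at the 'out' label, returned as a bitmask. */
#define HAZ_DANGLING_BUF 1   /* buf still points at memory freed in an earlier iteration */
#define HAZ_STALE_SIZE   2   /* buf is NULL but output_size still holds a probe-sized value */

static int process_batch(const enum req_type *reqs, int n, enum fix_mode mode)
{
    struct tail tail = {0};
    size_t output_size = sizeof(tail);
    void *buf = NULL;
    int buf_freed = 0;   /* bookkeeping only, so the model never frees twice */
    int hazards = 0;

    for (int i = 0; i < n; i++) {
        if (mode == FIX_RESET_AT_TOP) {
            /* Every request starts from known state, whatever the last one did. */
            buf = NULL;
            buf_freed = 0;
            output_size = sizeof(tail);
        }

        if (reqs[i] == REQ_MALFORMED) {
            /* Mirrors the early exit at line 616 of the report. */
            tail.status = 1;
            goto out;
        }

        tail.status = 0;
        if (reqs[i] == REQ_PROBE) {
            /* Mirrors line 639: the response needs a heap buffer. */
            output_size = PROBE_SIZE + sizeof(tail);
            buf = calloc(1, output_size);
            buf_freed = 0;
        }

out:
        /* The real loop copies output_size bytes from (buf ? buf : &tail) here.
         * Record what that copy would read instead of doing it. */
        if (buf && buf_freed) {
            hazards |= HAZ_DANGLING_BUF;
        }
        if (!buf && output_size != sizeof(tail)) {
            hazards |= HAZ_STALE_SIZE;
        }

        if (!buf_freed) {
            free(buf);        /* free(NULL) is a no-op */
            buf_freed = 1;    /* in FIX_NONE the pointer value itself stays behind */
        }
        if (mode == FIX_NULL_AFTER_FREE) {
            buf = NULL;
        }
    }
    return hazards;
}

/* Constructed batch: a probe, then a malformed request, then an ordinary one. */
static const enum req_type SAMPLE_BATCH[] = { REQ_PROBE, REQ_MALFORMED, REQ_SIMPLE };

int run_scenario(enum fix_mode mode)
{
    return process_batch(SAMPLE_BATCH, 3, mode);
}

int main(void)
{
    printf("unpatched:        hazards=%d\n", run_scenario(FIX_NONE));
    printf("NULL after free:  hazards=%d\n", run_scenario(FIX_NULL_AFTER_FREE));
    printf("reset at top:     hazards=%d\n", run_scenario(FIX_RESET_AT_TOP));
    return 0;
}
```

The unpatched variant reports HAZ_DANGLING_BUF for every request that follows the probe, not only the malformed one, because nothing in the loop body rewrites buf on those paths; nulling the pointer after the free removes that but leaves HAZ_STALE_SIZE, since the &tail fallback is then copied with the probe-sized length; resetting both values at the top of the iteration reports nothing.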