* [PATCH for-5.0] hw/i386/amd_iommu.c: Fix corruption of log events passed to guest
@ 2020-03-26 10:53 Peter Maydell
0 siblings, 0 replies; only message in thread
From: Peter Maydell @ 2020-03-26 10:53 UTC (permalink / raw)
To: qemu-devel; +Cc: Paolo Bonzini, Eduardo Habkost, Michael S. Tsirkin
In the function amdvi_log_event(), we write an event log buffer
entry into guest ram, whose contents are passed to the function
via the "uint64_t *evt" argument. Unfortunately, a spurious
'&' in the call to dma_memory_write() meant that instead of
writing the event to the guest we would write the literal value
of the pointer, plus whatever was in the following 8 bytes
on the stack. This error was spotted by Coverity.
Fix the bug by removing the '&'.
Fixes: CID 1421945
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
Disclaimer: only tested with 'make check' and 'make check-acceptance'
which probably don't exercise this corner of the code.
---
hw/i386/amd_iommu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/i386/amd_iommu.c b/hw/i386/amd_iommu.c
index b1175e52c7d..fd75cae0243 100644
--- a/hw/i386/amd_iommu.c
+++ b/hw/i386/amd_iommu.c
@@ -181,7 +181,7 @@ static void amdvi_log_event(AMDVIState *s, uint64_t *evt)
}
if (dma_memory_write(&address_space_memory, s->evtlog + s->evtlog_tail,
- &evt, AMDVI_EVENT_LEN)) {
+ evt, AMDVI_EVENT_LEN)) {
trace_amdvi_evntlog_fail(s->evtlog, s->evtlog_tail);
}
--
2.20.1
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2020-03-26 10:54 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-03-26 10:53 [PATCH for-5.0] hw/i386/amd_iommu.c: Fix corruption of log events passed to guest Peter Maydell
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).