From: Shannon Zhao
Date: Mon, 28 May 2018 16:42:26 +0800
Message-ID: <1527496946-12036-1-git-send-email-zhaoshenglong@huawei.com>
Subject: [Qemu-devel] [PATCH] ARM: ACPI: Fix use-after-free due to memory realloc
Cc: Shannon Zhao, peter.maydell@linaro.org, shannon.zhaosl@gmail.com, qemu-devel@nongnu.org, eric.auger@redhat.com

acpi_data_push uses g_array_set_size to resize the memory size. If there is not enough contiguous memory, the address will be changed. So the previous pointer could not be used any more. It must update the pointer and use the new one.

Signed-off-by: Shannon Zhao
Reviewed-by: Eric Auger
Reviewed-by: Philippe Mathieu-Daudé
---
 hw/arm/virt-acpi-build.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c index 92ceee9..30584ee 100644 --- a/hw/arm/virt-acpi-build.c +++ b/hw/arm/virt-acpi-build.c @@ -400,7 +400,7 @@ build_iort(GArray *table_data, BIOSLinker *linker, Virt= MachineState *vms) AcpiIortItsGroup *its; AcpiIortTable *iort; AcpiIortSmmu3 *smmu; - size_t node_size, iort_length, smmu_offset =3D 0; + size_t node_size, iort_node_offset, iort_length, smmu_offset =3D 0; AcpiIortRC *rc; =20 iort =3D acpi_data_push(table_data, sizeof(*iort)); 
@@ -414,6 +414,7 @@ build_iort(GArray *table_data, BIOSLinker *linker, Virt= MachineState *vms) iort_length =3D sizeof(*iort); iort->node_count =3D cpu_to_le32(nb_nodes); iort->node_offset =3D cpu_to_le32(sizeof(*iort)); + iort_node_offset =3D iort->node_offset; =20 /* ITS group node */ node_size =3D sizeof(*its) + sizeof(uint32_t); @@ -429,7 +430,7 @@ build_iort(GArray *table_data, BIOSLinker *linker, Virt= MachineState *vms) int irq =3D vms->irqmap[VIRT_SMMU]; =20 /* SMMUv3 node */ - smmu_offset =3D iort->node_offset + node_size; + smmu_offset =3D iort_node_offset + node_size; node_size =3D sizeof(*smmu) + sizeof(*idmap); iort_length +=3D node_size; smmu =3D acpi_data_push(table_data, node_size); @@ -450,7 +451,7 @@ build_iort(GArray *table_data, BIOSLinker *linker, Virt= MachineState *vms) idmap->id_count =3D cpu_to_le32(0xFFFF); idmap->output_base =3D 0; /* output IORT node is the ITS group node (the first node) */ - idmap->output_reference =3D cpu_to_le32(iort->node_offset); + idmap->output_reference =3D cpu_to_le32(iort_node_offset); } =20 /* Root Complex Node */ @@ -479,9 +480,14 @@ build_iort(GArray *table_data, BIOSLinker *linker, Vir= tMachineState *vms) idmap->output_reference =3D cpu_to_le32(smmu_offset); } else { /* output IORT node is the ITS group node (the first node) */ - idmap->output_reference =3D cpu_to_le32(iort->node_offset); + idmap->output_reference =3D cpu_to_le32(iort_node_offset); } =20 + /* + * Update the pointer address in case table_data->data moved during ab= ove + * acpi_data_push operations. + */ + iort =3D (AcpiIortTable *)(table_data->data + iort_start); iort->length =3D cpu_to_le32(iort_length); =20 build_header(linker, table_data, (void *)(table_data->data + iort_star= t), --=20 2.0.4
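Review bot: in the `@@ -414` hunk, `iort_node_offset = iort->node_offset;` copies the field after it was stored as `cpu_to_le32(sizeof(*iort))`, so on a big-endian host the new variable holds the byte-swapped value; it is then used in host arithmetic (`smmu_offset = iort_node_offset + node_size` in the next hunk) and passed through `cpu_to_le32()` a second time at both `output_reference` sites. Take the offset from the host-endian source instead, e.g. `iort_node_offset = sizeof(*iort);` followed by `iort->node_offset = cpu_to_le32(iort_node_offset);`. The pre-patch code had the same latent problem when it read `iort->node_offset` back, so this is the right moment to fix it rather than carry it into the new variable.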
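Review bot: in the `@@ -429` hunk, `smmu_offset = iort_node_offset + node_size;` silently depends on `node_size` still holding the ITS group node size assigned in the previous block, and the very next line overwrites it with the SMMUv3 size; a one-line comment, or keeping the ITS size in its own variable, would make that ordering explicit. The replacement itself is the right fix: the ITS `acpi_data_push()` between the two hunks is exactly the call that can reallocate `table_data->data`, so reading `iort->node_offset` here was the first stale dereference.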
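Review bot: in the `@@ -479` hunk, the refresh `iort = (AcpiIortTable *)(table_data->data + iort_start);` is only correct if `iort_start` was captured as `table_data->len` before the first `acpi_data_push()`; the hunk shows it solely in the existing `build_header()` call, so please confirm that in the full function. It is also worth stating in the comment or commit message that the same rule covers every pointer returned by `acpi_data_push()` (`its`, `smmu`, `rc`, `idmap`): each one in this diff is written only immediately after its own push and before the next one, which is why they need no refresh, but a push inserted between them later would reintroduce the bug.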