From: Xiaoyao Li
To: Paolo Bonzini
Cc: Marcelo Tosatti, qemu-devel@nongnu.org, xiaoyao.li@intel.com, Stefan Weil
Subject: [PATCH] i386/tdx: Fix the UAF issue in tdx_fetch_cpuid()
Date: Tue, 24 Mar 2026 09:23:13 +0800
Message-ID: <20260324012313.1580760-1-xiaoyao.li@intel.com>
X-Mailer: git-send-email 2.43.0
List-Id: qemu development

Fix the UAF issue by reading the returned size before freeing the
fetch_cpuid structure.

Link: https://lore.kernel.org/r/758d7f2c-938f-49cb-89fc-980fc8e020b2@weilnetz.de
Reported-by: Stefan Weil
Signed-off-by: Xiaoyao Li
---
 target/i386/kvm/tdx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/i386/kvm/tdx.c b/target/i386/kvm/tdx.c
index 4cae99c281ac..e578110df4da 100644
--- a/target/i386/kvm/tdx.c
+++ b/target/i386/kvm/tdx.c
@@ -847,8 +847,8 @@ static struct kvm_cpuid2 *tdx_fetch_cpuid(CPUState *cpu= , int *ret) fetch_cpuid->nent =3D size; r =3D tdx_vcpu_ioctl(cpu, KVM_TDX_GET_CPUID, 0, fetch_cpuid, &loca= l_err); if (r =3D=3D -E2BIG) { - g_free(fetch_cpuid); size =3D fetch_cpuid->nent; + g_free(fetch_cpuid); } } while (r =3D=3D -E2BIG); =20 --=20 2.43.0
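Review bot: The reorder is the right fix for the read-after-free, but after "g_free(fetch_cpuid);" the variable keeps a dangling pointer for the remainder of that iteration, which is exactly the condition that let the original "size = fetch_cpuid->nent;" read freed memory. Consider "g_clear_pointer(&fetch_cpuid, g_free);" (or an explicit "fetch_cpuid = NULL;" after the free) so that any later access in the retry path fails deterministically instead of reading stale heap; a "Fixes:" tag naming the commit that introduced the free-before-read ordering would also help stable backports pick this up.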