1From ee76e64ee1cb232b77652b21cc94ec6b6c7e4b13 Mon Sep 17 00:00:00 2001
2From: Hitendra Prajapati <hprajapati@mvista.com>
3Date: Wed, 27 Jul 2022 10:49:47 +0530
4Subject: [PATCH] CVE-2022-35414
5
6Upstream-Status: Backport [https://github.com/qemu/qemu/commit/418ade7849ce7641c0f7333718caf5091a02fd4c]
7CVE: CVE-2022-35414
8Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
9---
10 softmmu/physmem.c | 13 ++++++++++++-
11 1 file changed, 12 insertions(+), 1 deletion(-)
12
13diff --git a/softmmu/physmem.c b/softmmu/physmem.c
14index 3524c04c2..3c467527d 100644
15--- a/softmmu/physmem.c
16+++ b/softmmu/physmem.c
17@@ -667,7 +667,7 @@ void tcg_iommu_init_notifier_list(CPUState *cpu)
18 
19 /* Called from RCU critical section */
20 MemoryRegionSection *
21-address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
22+address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr orig_addr,
23 hwaddr *xlat, hwaddr *plen,
24 MemTxAttrs attrs, int *prot)
25 {
26@@ -676,6 +676,7 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
27 IOMMUMemoryRegionClass *imrc;
28 IOMMUTLBEntry iotlb;
29 int iommu_idx;
30+ hwaddr addr = orig_addr;
31 AddressSpaceDispatch *d =
32 qatomic_rcu_read(&cpu->cpu_ases[asidx].memory_dispatch);
33 
34@@ -720,6 +721,16 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
35 return section;
36 
37 translate_fail:
38+ /*
39+ * We should be given a page-aligned address -- certainly
40+ * tlb_set_page_with_attrs() does so. The page offset of xlat
41+ * is used to index sections[], and PHYS_SECTION_UNASSIGNED = 0.
42+ * The page portion of xlat will be logged by memory_region_access_valid()
43+ * when this memory access is rejected, so use the original untranslated
44+ * physical address.
45+ */
46+ assert((orig_addr & ~TARGET_PAGE_MASK) == 0);
47+ *xlat = orig_addr;
48 return &d->map.sections[PHYS_SECTION_UNASSIGNED];
49 }
50
51-- 
522.25.1
53
54
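Review bot: The page-alignment precondition on orig_addr that the new `assert((orig_addr & ~TARGET_PAGE_MASK) == 0)` at translate_fail enforces is documented only in the comment at that label, while the function's header comment in the first hunk, `/* Called from RCU critical section */`, says nothing about it, so a future caller reading the prototype has no hint that an unaligned address aborts the process instead of failing the access. Extend that header to `/* Called from RCU critical section. orig_addr must be page-aligned: on translation failure it is stored to *xlat unchanged, and the page offset of *xlat is used to index sections[]. */`. The assignment `*xlat = orig_addr` itself looks right for the stated purpose, since with the low bits clear the index resolves to PHYS_SECTION_UNASSIGNED, which the new comment notes is 0; whether the assert is compiled in depends on the build configuration, which the patch does not show. The body of address_space_translate_for_iotlb between the second and third hunks is outside the patch.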