On Wed, Sep 16, 2020 at 11:38:36PM +0800, Li Qiang wrote:
> Stefan Hajnoczi 于2020年8月12日周三 下午6:51写道:
> > @@ -644,7 +648,8 @@ static int virtio_blk_handle_request(VirtIOBlockReq
> > *req, MultiReqBuffer *mrb)
> > req->in = (void *)in_iov[in_num - 1].iov_base
> >+ in_iov[in_num
Stefan Hajnoczi 于2020年8月12日周三 下午6:51写道:
>
> Fuzzing discovered that virtqueue_unmap_sg() is being called on modified
> req->in/out_sg iovecs. This means dma_memory_map() and
> dma_memory_unmap() calls do not have matching memory addresses.
>
> Fuzzing discovered that non-RAM addresses trigger a
Fuzzing discovered that virtqueue_unmap_sg() is being called on modified
req->in/out_sg iovecs. This means dma_memory_map() and
dma_memory_unmap() calls do not have matching memory addresses.
Fuzzing discovered that non-RAM addresses trigger a bug:
void address_space_unmap(AddressSpace *as,
