diff options
| author | Peter Maydell <peter.maydell@linaro.org> | 2020-03-26 10:53:49 +0000 |
|---|---|---|
| committer | Michael Roth <mdroth@linux.vnet.ibm.com> | 2020-06-09 21:00:52 -0500 |
| commit | 33be7aa9b6bea692e7ba615db1c97820051dc435 (patch) | |
| tree | 5e9448f9de9ca54937ff1a9878c0b4b032bea7e4 | |
| parent | 8f5728cb97f25c9bfe86dc4b2eaa2156ebcc0c15 (diff) | |
hw/i386/amd_iommu.c: Fix corruption of log events passed to guest
In the function amdvi_log_event(), we write an event log buffer
entry into guest ram, whose contents are passed to the function
via the "uint64_t *evt" argument. Unfortunately, a spurious
'&' in the call to dma_memory_write() meant that instead of
writing the event to the guest we would write the literal value
of the pointer, plus whatever was in the following 8 bytes
on the stack. This error was spotted by Coverity.
Fix the bug by removing the '&'.
Fixes: CID 1421945
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20200326105349.24588-1-peter.maydell@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 32a2d6b1f6b4405f0fc20c031e61d5d48e3d9cd1)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
| -rw-r--r-- | hw/i386/amd_iommu.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/hw/i386/amd_iommu.c b/hw/i386/amd_iommu.c index d55dbf07fc..ac5f2fddc5 100644 --- a/hw/i386/amd_iommu.c +++ b/hw/i386/amd_iommu.c @@ -181,7 +181,7 @@ static void amdvi_log_event(AMDVIState *s, uint64_t *evt) } if (dma_memory_write(&address_space_memory, s->evtlog + s->evtlog_tail, - &evt, AMDVI_EVENT_LEN)) { + evt, AMDVI_EVENT_LEN)) { trace_amdvi_evntlog_fail(s->evtlog, s->evtlog_tail); } |