qemu-e2k/softmmu
Akihiko Odaki 4a73aee881 softmmu: Use memmove in flatview_write_continue
We found a case where the source passed to flatview_write_continue() may
overlap with the destination when fuzzing igb, a new proposed network
device with sanitizers.

igb uses pci_dma_map() to get Tx packet, and pci_dma_write() to write Rx
buffer. While pci_dma_write() is usually used to write data from
memory not mapped to the guest, if igb is configured to perform
loopback, the data will be sourced from the guest memory. The source and
destination can overlap and the usage of memcpy() will be invalid in
such a case.

While we do not really have to deal with such an invalid request for
igb, detecting the overlap in igb code beforehand requires complex code,
and only covers this specific case. Instead, just replace memcpy() with
memmove() to tolerate overlaps. Using memmove() will slightly damage the
performance as it will need to check overlaps before using SIMD
instructions for copying, but the cost should be negligible, considering
the inherent complexity of flatview_write_continue().

The test cases generated by the fuzzer is available at:
https://patchew.org/QEMU/20230129053316.1071513-1-alxndr@bu.edu/

The fixed test case is:
fuzz/crash_47dfe62d9f911bf523ff48cd441b61c0013ed805

Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Acked-by: Alexander Bulekov <alxndr@bu.edu>
Acked-by: David Hildenbrand <david@redhat.com>
Message-Id: <20230131030155.18932-1-akihiko.odaki@daynix.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2023-02-28 10:32:31 -10:00
..
arch_init.c softmmu: Add qemu_init_arch_modules() 2022-03-06 13:15:42 +01:00
balloon.c
bootdevice.c machine: use QAPI struct for boot configuration 2022-05-12 12:29:43 +02:00
cpu-throttle.c Remove qemu-common.h include from most units 2022-04-06 14:31:55 +02:00
cpu-timers.c Remove qemu-common.h include from most units 2022-04-06 14:31:55 +02:00
cpus.c include/block: Untangle inclusion loops 2023-01-20 07:24:28 +01:00
datadir.c meson: Prefix each element of firmware path 2022-07-13 16:58:57 +02:00
device_tree.c device-tree: add re-randomization helper function 2022-10-27 11:34:31 +01:00
dirtylimit.c Drop duplicate #include 2023-02-08 07:28:05 +01:00
dma-helpers.c dma-helpers: prevent dma_blk_cb() vs dma_aio_cancel() race 2023-02-23 19:49:35 +01:00
globals.c ui: Switch "-display sdl" to use the QAPI parser 2022-06-03 08:03:28 +02:00
icount.c replay: rewrite async event handling 2022-06-06 09:26:53 +02:00
ioport.c
main.c ui/cocoa: Run qemu_init in the main thread 2022-09-23 14:36:33 +02:00
memory_mapping.c bulk: Rename TARGET_FMT_plx -> HWADDR_FMT_plx 2023-01-18 11:14:34 +01:00
memory.c bulk: Rename TARGET_FMT_plx -> HWADDR_FMT_plx 2023-01-18 11:14:34 +01:00
meson.build softmmu: Extract watchpoint API from physmem.c 2023-02-27 22:29:01 +01:00
physmem.c softmmu: Use memmove in flatview_write_continue 2023-02-28 10:32:31 -10:00
qdev-monitor.c qdev: Move HMP command completion from monitor to softmmu/ 2023-02-04 07:56:54 +01:00
qemu-seccomp.c seccomp: Get actual errno value from failed seccomp functions 2022-10-26 13:32:58 +01:00
qtest.c error: Drop superfluous #include "qapi/qmp/qerror.h" 2023-02-23 13:56:14 +01:00
rtc.c replay: Simplify setting replay blockers 2023-02-23 14:10:17 +01:00
runstate-action.c
runstate-hmp-cmds.c runstate: Move HMP commands from monitor/ to softmmu/ 2023-02-04 07:56:54 +01:00
runstate.c Drop duplicate #include 2023-02-08 07:28:05 +01:00
timers-state.h qemu/atomic: Add aligned_{int64,uint64}_t types 2021-07-21 07:45:38 -10:00
tpm-hmp-cmds.c tpm: Move HMP commands from monitor/ to softmmu/ 2023-02-04 07:56:54 +01:00
tpm.c
trace-events softmmu/dirtylimit: Implement virtual CPU throttle 2022-07-20 12:15:08 +01:00
trace.h
vl.c softmmu: Silent -Wmissing-field-initializers warning 2023-02-27 22:29:01 +01:00
watchpoint.c softmmu: Extract watchpoint API from physmem.c 2023-02-27 22:29:01 +01:00