From: Philippe Mathieu-Daudé <phi...@linaro.org>
Replace qemu_bh_new_guarded() by virtio_bh_new_guarded()
so the bus and device use the same guard. Otherwise the
DMA-reentrancy protection can be bypassed.
Fixes: CVE-2024-3446
Cc: qemu-sta...@nongnu.org
Suggested-by: Alexander Bulekov <alx...@bu.edu>
Reviewed-by: Gerd Hoffmann <kra...@redhat.com>
Acked-by: Michael S. Tsirkin <m...@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <phi...@linaro.org>
Reviewed-by: Michael S. Tsirkin <m...@redhat.com>
Message-Id: <20240409105537.18308-5-phi...@linaro.org>
(cherry picked from commit f4729ec39ad97a42ceaa7b5697f84f440ea6e5dc)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
index b2e0646d9a..ce995c66d8 100644
--- a/hw/virtio/virtio-crypto.c
+++ b/hw/virtio/virtio-crypto.c
@@ -1057,8 +1057,8 @@ static void virtio_crypto_device_realize(DeviceState
*dev, Error **errp)
vcrypto->vqs[i].dataq =
virtio_add_queue(vdev, 1024, virtio_crypto_handle_dataq_bh);
vcrypto->vqs[i].dataq_bh =
- qemu_bh_new_guarded(virtio_crypto_dataq_bh, &vcrypto->vqs[i],
- &dev->mem_reentrancy_guard);
+ virtio_bh_new_guarded(dev, virtio_crypto_dataq_bh,
+ &vcrypto->vqs[i]);
vcrypto->vqs[i].vcrypto = vcrypto;
}
--
2.39.2
