aboutsummaryrefslogtreecommitdiff
path: root/hw/i386/amd_iommu.c
diff options
context:
space:
mode:
authorPeter Maydell <peter.maydell@linaro.org>2020-03-26 10:53:49 +0000
committerMichael S. Tsirkin <mst@redhat.com>2020-03-29 09:52:13 -0400
commit32a2d6b1f6b4405f0fc20c031e61d5d48e3d9cd1 (patch)
tree8d549f917b828a6d9a76cbfe94707daf59b2219f /hw/i386/amd_iommu.c
parentde38ed300764cdee43747a2a4a9a9795696c203d (diff)
downloadqemu-32a2d6b1f6b4405f0fc20c031e61d5d48e3d9cd1.zip
qemu-32a2d6b1f6b4405f0fc20c031e61d5d48e3d9cd1.tar.gz
qemu-32a2d6b1f6b4405f0fc20c031e61d5d48e3d9cd1.tar.bz2
hw/i386/amd_iommu.c: Fix corruption of log events passed to guest
In the function amdvi_log_event(), we write an event log buffer entry into guest ram, whose contents are passed to the function via the "uint64_t *evt" argument. Unfortunately, a spurious '&' in the call to dma_memory_write() meant that instead of writing the event to the guest we would write the literal value of the pointer, plus whatever was in the following 8 bytes on the stack. This error was spotted by Coverity. Fix the bug by removing the '&'. Fixes: CID 1421945 Cc: qemu-stable@nongnu.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-Id: <20200326105349.24588-1-peter.maydell@linaro.org> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Diffstat (limited to 'hw/i386/amd_iommu.c')
-rw-r--r--hw/i386/amd_iommu.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/hw/i386/amd_iommu.c b/hw/i386/amd_iommu.c
index b1175e5..fd75cae 100644
--- a/hw/i386/amd_iommu.c
+++ b/hw/i386/amd_iommu.c
@@ -181,7 +181,7 @@ static void amdvi_log_event(AMDVIState *s, uint64_t *evt)
}
if (dma_memory_write(&address_space_memory, s->evtlog + s->evtlog_tail,
- &evt, AMDVI_EVENT_LEN)) {
+ evt, AMDVI_EVENT_LEN)) {
trace_amdvi_evntlog_fail(s->evtlog, s->evtlog_tail);
}