[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [Bug 786208] Re: Missing checks for non-existent device in
|
From: |
John Snow |
|
Subject: |
[Qemu-devel] [Bug 786208] Re: Missing checks for non-existent device in ide_exec_cmd |
|
Date: |
Wed, 31 Aug 2016 18:36:29 -0000 |
** Changed in: qemu
Assignee: (unassigned) => John Snow (jnsnow)
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/786208
Title:
Missing checks for non-existent device in ide_exec_cmd
Status in QEMU:
New
Bug description:
Several calls in the ide_exec_cmd handler are missing checks for
(!s->bs) or similar, resulting in NULL pointer dereferences, divide-
by-zero, or possibly other badness if the guest performs operations on
a non-existent IDE master.
For example, the WIN_READ_NATIVE_MAX command does a 'ide_set_sector(s,
s->nb_sectors - 1);', which does 'cyl = sector_num / (s->heads *
s->sectors);', which will fail with a divide-by-zero if heads =
sectors = 0.
And WIN_MULTREAD also does not check for s->bs, but does a
'ide_sector_read(s);', which will do 'bdrv_read(s->bs, sector_num,
s->io_buffer, n);' on a NULL s->bs, leading to a segfault.
I do not *believe* that a malicious guest can do anything more than
cause a crash with these bugs.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/786208/+subscriptions
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Qemu-devel] [Bug 786208] Re: Missing checks for non-existent device in ide_exec_cmd,
John Snow <=