[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] hw/core/loader: Fix possible crash in rom_copy()
|
From: |
Michael S. Tsirkin |
|
Subject: |
Re: [PATCH] hw/core/loader: Fix possible crash in rom_copy() |
|
Date: |
Wed, 25 Sep 2019 09:22:28 -0400 |
On Wed, Sep 25, 2019 at 03:03:31PM +0200, Thomas Huth wrote:
> Both, "rom->addr" and "addr" are derived from the binary image
> that can be loaded with the "-kernel" paramer. The code in
> rom_copy() then calculates:
>
> d = dest + (rom->addr - addr);
>
> and uses "d" as destination in a memcpy() some lines later. Now with
> bad kernel images, it is possible that rom->addr is smaller than addr,
> thus "rom->addr - addr" gets negative and the memcpy() then tries to
> copy contents from the image to a bad memory location. In the best case,
> this just crashes QEMU, in the worst case, this could maybe be used to
> inject code from the kernel image into the QEMU binary, so we better fix
> it with an additional sanity check here.
>
> Cc: address@hidden
> Reported-by: Guangming Liu
> Buglink: https://bugs.launchpad.net/qemu/+bug/1844635
> Signed-off-by: Thomas Huth <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
> ---
> hw/core/loader.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/core/loader.c b/hw/core/loader.c
> index 0d60219364..5099f27dc8 100644
> --- a/hw/core/loader.c
> +++ b/hw/core/loader.c
> @@ -1281,7 +1281,7 @@ int rom_copy(uint8_t *dest, hwaddr addr, size_t size)
> if (rom->addr + rom->romsize < addr) {
> continue;
> }
> - if (rom->addr > end) {
> + if (rom->addr > end || rom->addr < addr) {
> break;
> }
>
> --
> 2.18.1