[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH 96/97] hw/core/loader: Fix possible crash in rom_copy()
|
From: |
Michael Roth |
|
Subject: |
[PATCH 96/97] hw/core/loader: Fix possible crash in rom_copy() |
|
Date: |
Tue, 1 Oct 2019 18:46:15 -0500 |
From: Thomas Huth <address@hidden>
Both, "rom->addr" and "addr" are derived from the binary image
that can be loaded with the "-kernel" paramer. The code in
rom_copy() then calculates:
d = dest + (rom->addr - addr);
and uses "d" as destination in a memcpy() some lines later. Now with
bad kernel images, it is possible that rom->addr is smaller than addr,
thus "rom->addr - addr" gets negative and the memcpy() then tries to
copy contents from the image to a bad memory location. This could
maybe be used to inject code from a kernel image into the QEMU binary,
so we better fix it with an additional sanity check here.
Cc: address@hidden
Reported-by: Guangming Liu
Buglink: https://bugs.launchpad.net/qemu/+bug/1844635
Message-Id: <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Thomas Huth <address@hidden>
(cherry picked from commit e423455c4f23a1a828901c78fe6d03b7dde79319)
Signed-off-by: Michael Roth <address@hidden>
---
hw/core/loader.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/core/loader.c b/hw/core/loader.c
index fe5cb24122..4ef2095247 100644
--- a/hw/core/loader.c
+++ b/hw/core/loader.c
@@ -1240,7 +1240,7 @@ int rom_copy(uint8_t *dest, hwaddr addr, size_t size)
if (rom->addr + rom->romsize < addr) {
continue;
}
- if (rom->addr > end) {
+ if (rom->addr > end || rom->addr < addr) {
break;
}
--
2.17.1
- [PATCH 93/97] slirp: Fix heap overflow in ip_reass on big packet input, (continued)
- [PATCH 93/97] slirp: Fix heap overflow in ip_reass on big packet input, Michael Roth, 2019/10/01
- [PATCH 78/97] iotests: Add supported protocols to execute_test(), Michael Roth, 2019/10/01
- [PATCH 52/97] virtio-balloon: Use temporary PBP only, Michael Roth, 2019/10/01
- [PATCH 54/97] virtio-balloon: free pbp more aggressively, Michael Roth, 2019/10/01
- [PATCH 73/97] target/arm: Don't abort on M-profile exception return in linux-user mode, Michael Roth, 2019/10/01
- [PATCH 94/97] slirp: ip_reass: Fix use after free, Michael Roth, 2019/10/01
- [PATCH 83/97] block/create: Do not abort if a block driver is not available, Michael Roth, 2019/10/01
- [PATCH 17/97] block: Drain source node in bdrv_replace_node(), Michael Roth, 2019/10/01
- [PATCH 80/97] iotests: Restrict nbd Python tests to nbd, Michael Roth, 2019/10/01
- [PATCH 90/97] curl: Report only ready sockets, Michael Roth, 2019/10/01
- [PATCH 96/97] hw/core/loader: Fix possible crash in rom_copy(),
Michael Roth <=
- [PATCH 97/97] scsi: lsi: exit infinite loop while executing script (CVE-2019-12068), Michael Roth, 2019/10/01
- [PATCH 10/97] spapr/xive: fix EQ page addresses above 64GB, Michael Roth, 2019/10/01
- [PATCH 66/97] iotests: Test incremental backup after truncation, Michael Roth, 2019/10/01
- [PATCH 64/97] iotests: Test backup job with two guest writes, Michael Roth, 2019/10/01
- [PATCH 68/97] iotests: Test unaligned blocking mirror write, Michael Roth, 2019/10/01
- [PATCH 07/97] cutils: Fix size_to_str() on 32-bit platforms, Michael Roth, 2019/10/01
- [PATCH 72/97] dma-helpers: ensure AIO callback is invoked after cancellation, Michael Roth, 2019/10/01
- [PATCH 62/97] block/backup: refactor: split out backup_calculate_cluster_size, Michael Roth, 2019/10/01
- [PATCH 08/97] Makefile: add nit-picky mode to sphinx-build, Michael Roth, 2019/10/01
- [PATCH 04/97] megasas: fix mapped frame size, Michael Roth, 2019/10/01