]> xenbits.xensource.com Git - qemu-xen.git/commit
hw/core/loader: Fix possible crash in rom_copy()
authorThomas Huth <thuth@redhat.com>
Wed, 25 Sep 2019 12:16:43 +0000 (14:16 +0200)
committerMichael Roth <mdroth@linux.vnet.ibm.com>
Mon, 4 Nov 2019 14:10:48 +0000 (08:10 -0600)
commitaae0faa5d3bee91c66dc4c1543190f55a242771e
tree664ec7ccf148f5bd38d8139b764a8fc961c63d09
parent7b404cae7fa2850d476c29258f03b8e77a5b4bd0
hw/core/loader: Fix possible crash in rom_copy()

Both, "rom->addr" and "addr" are derived from the binary image
that can be loaded with the "-kernel" paramer. The code in
rom_copy() then calculates:

    d = dest + (rom->addr - addr);

and uses "d" as destination in a memcpy() some lines later. Now with
bad kernel images, it is possible that rom->addr is smaller than addr,
thus "rom->addr - addr" gets negative and the memcpy() then tries to
copy contents from the image to a bad memory location. This could
maybe be used to inject code from a kernel image into the QEMU binary,
so we better fix it with an additional sanity check here.

Cc: qemu-stable@nongnu.org
Reported-by: Guangming Liu
Buglink: https://bugs.launchpad.net/qemu/+bug/1844635
Message-Id: <20190925130331.27825-1-thuth@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit e423455c4f23a1a828901c78fe6d03b7dde79319)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
hw/core/loader.c