qemu-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] [Bug 786208] [NEW] Missing checks for non-existent device i


From: Nelson Elhage
Subject: [Qemu-devel] [Bug 786208] [NEW] Missing checks for non-existent device in ide_exec_cmd
Date: Sat, 21 May 2011 15:28:06 -0000

Public bug reported:

Several calls in the ide_exec_cmd handler are missing checks for
(!s->bs) or similar, resulting in NULL pointer dereferences, divide-by-
zero, or possibly other badness if the guest performs operations on a
non-existent IDE master.

For example, the WIN_READ_NATIVE_MAX command does a 'ide_set_sector(s,
s->nb_sectors - 1);', which does 'cyl = sector_num / (s->heads *
s->sectors);', which will fail with a divide-by-zero if heads = sectors
= 0.

And WIN_MULTREAD also does not check for s->bs, but does a
'ide_sector_read(s);', which will do 'bdrv_read(s->bs, sector_num,
s->io_buffer, n);' on a NULL s->bs, leading to a segfault.

I do not *believe* that a malicious guest can do anything more than
cause a crash with these bugs.

** Affects: qemu
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/786208

Title:
  Missing checks for non-existent device in ide_exec_cmd

Status in QEMU:
  New

Bug description:
  Several calls in the ide_exec_cmd handler are missing checks for
  (!s->bs) or similar, resulting in NULL pointer dereferences, divide-
  by-zero, or possibly other badness if the guest performs operations on
  a non-existent IDE master.

  For example, the WIN_READ_NATIVE_MAX command does a 'ide_set_sector(s,
  s->nb_sectors - 1);', which does 'cyl = sector_num / (s->heads *
  s->sectors);', which will fail with a divide-by-zero if heads =
  sectors = 0.

  And WIN_MULTREAD also does not check for s->bs, but does a
  'ide_sector_read(s);', which will do 'bdrv_read(s->bs, sector_num,
  s->io_buffer, n);' on a NULL s->bs, leading to a segfault.

  I do not *believe* that a malicious guest can do anything more than
  cause a crash with these bugs.



reply via email to

[Prev in Thread] Current Thread [Next in Thread]