From: Nelson Elhage
Subject: [Qemu-devel] [Bug 786208] [NEW] Missing checks for non-existent device in ide_exec_cmd
Date: Sat, 21 May 2011 15:28:06 -0000
Public bug reported:
Several calls in the ide_exec_cmd handler are missing checks for (!s->bs) or similar, resulting in NULL pointer dereferences, divide-by-zero, or possibly other badness if the guest performs operations on a non-existent IDE master.

For example, the WIN_READ_NATIVE_MAX command does a 'ide_set_sector(s, s->nb_sectors - 1);', which does 'cyl = sector_num / (s->heads * s->sectors);', which will fail with a divide-by-zero if heads = sectors = 0.

And WIN_MULTREAD also does not check for s->bs, but does a 'ide_sector_read(s);', which will do 'bdrv_read(s->bs, sector_num, s->io_buffer, n);' on a NULL s->bs, leading to a segfault.

I do not *believe* that a malicious guest can do anything more than cause a crash with these bugs.
** Affects: qemu
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/786208
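As an added example, not code from the bug report or from QEMU, a constructed model of the affected path with the missing checks in place: a NULL `bs` aborts the command before `ide_set_sector()` can divide by the zero geometry and before `ide_sector_read()` can dereference the missing drive. `IDEState`, `ide_set_sector`, `ide_sector_read` and `ide_exec_cmd` are stand-ins carrying only the fields and behaviour the report names; the `cyl`/`head`/`sect` fields, the `CMD_OK`/`CMD_ABORTED` results and the two-sector sample image are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for QEMU's IDEState with only the fields the report
 * names; bs == NULL models an IDE slot with no drive (geometry all zero). */
typedef struct {
    const uint8_t *bs;       /* stands in for BlockDriverState*; NULL = no drive */
    int64_t nb_sectors;
    int heads, sectors;
    int64_t cyl, head, sect; /* hypothetical: CHS of the last address set */
} IDEState;
enum { CMD_OK, CMD_ABORTED, WIN_MULTREAD = 0xC4, WIN_READ_NATIVE_MAX = 0xF8 };

/* CHS conversion from the report, guarded: a zero geometry fails, never divides. */
static int ide_set_sector(IDEState *s, int64_t sector_num) {
    int64_t per_cyl = (int64_t)s->heads * s->sectors;
    if (per_cyl == 0 || sector_num < 0) return -1;
    s->cyl  = sector_num / per_cyl;
    s->head = (sector_num % per_cyl) / s->sectors;
    s->sect = (sector_num % per_cyl) % s->sectors + 1;
    return 0;
}
/* ide_sector_read()/bdrv_read() stand-in: refuses a NULL bs or an out-of-range sector. */
static int ide_sector_read(IDEState *s, int64_t sector_num, uint8_t *out) {
    if (!s->bs || sector_num < 0 || sector_num >= s->nb_sectors) return -1;
    memcpy(out, s->bs + sector_num * 512, 512);
    return 0;
}
/* Dispatcher with the per-command (!s->bs) check the report asks for. */
static int ide_exec_cmd(IDEState *s, uint8_t cmd, uint8_t *buf) {
    switch (cmd) {
    case WIN_READ_NATIVE_MAX:   /* abort on an empty slot before the division */
        return (!s->bs || ide_set_sector(s, s->nb_sectors - 1)) ? CMD_ABORTED : CMD_OK;
    case WIN_MULTREAD:          /* abort on an empty slot before the block read */
        return (!s->bs || ide_sector_read(s, 0, buf)) ? CMD_ABORTED : CMD_OK;
    default:
        return CMD_ABORTED;
    }
}
/* Exercises both cases: the empty master from the report (bs NULL, heads = sectors
 * = 0) must abort; a constructed 2-sector image (1 head, 2 spt) must address and read. */
static bool checks_hold(void) {
    static uint8_t image[1024];
    IDEState none = {0}, disk = { image, 2, 1, 2, 0, 0, 0 };
    uint8_t buf[512];
    memset(image, 0xAA, 512);                 /* sector 0 of the sample image */
    return ide_exec_cmd(&none, WIN_READ_NATIVE_MAX, buf) == CMD_ABORTED &&
           ide_exec_cmd(&none, WIN_MULTREAD, buf) == CMD_ABORTED &&
           ide_exec_cmd(&disk, WIN_READ_NATIVE_MAX, buf) == CMD_OK && disk.sect == 2 &&
           ide_exec_cmd(&disk, WIN_MULTREAD, buf) == CMD_OK && buf[0] == 0xAA;
}
```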