[Qemu-devel] [PATCH] m25p80: prevent buffer overflow during erasing
From: Aleksey Kuleshov
Subject: [Qemu-devel] [PATCH] m25p80: prevent buffer overflow during erasing
Date: Mon, 15 Jan 2018 18:13:11 +0300
memset is not checked, so it's possible to go beyond the storage.
Add checks and truncate requested length.
Signed-off-by: Aleksey Kuleshov <address@hidden>
---
hw/block/m25p80.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/hw/block/m25p80.c b/hw/block/m25p80.c
index ea142160b3..18ec501912 100644
--- a/hw/block/m25p80.c
+++ b/hw/block/m25p80.c
@@ -539,6 +539,8 @@ static void flash_erase(Flash *s, int offset, FlashCMD cmd)
uint32_t len;
uint8_t capa_to_assert = 0;
+ assert(0 <= offset && offset < s->size);
+
switch (cmd) {
case ERASE_4K:
case ERASE4_4K:
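Review bot: The added assert makes an out-of-range offset fatal for the whole emulator process; if offset is derived from guest-supplied address bytes, a misbehaving guest can abort the VM rather than getting the logged-and-ignored outcome the second hunk applies to an oversized length. For consistency, consider qemu_log_mask(LOG_GUEST_ERROR, ...) followed by return here, and reserve assert for conditions only the emulator's own code can violate. The commit message should also say which side (guest or emulator) is expected to be able to reach this check.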
@@ -581,6 +583,14 @@ static void flash_erase(Flash *s, int offset, FlashCMD cmd)
qemu_log_mask(LOG_GUEST_ERROR, "M25P80: erase with write protect!\n");
return;
}
+
+ if (offset + len > s->size) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "M25P80: trying to erase beyond the flash size! "
+ "Truncating the length...\n");
+ len = s->size - offset;
+ }
+
memset(s->storage + offset, 0xff, len);
flash_sync_area(s, offset, len);
}
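Review bot: The new range check on offset + len mixes int offset with uint32_t len, so the sum is evaluated in unsigned arithmetic; that is safe only because the earlier assert guarantees 0 <= offset < s->size and len is a fixed erase size assigned in the switch above, so the sum cannot wrap. A one-line comment stating that dependency would save the next reader from re-deriving it. The LOG_GUEST_ERROR message would also be more useful for triage if it included the offending offset and len as format arguments, since qemu_log_mask takes a printf-style format, rather than only stating that truncation happened.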
--
2.11.0