From: Anthony PERARD
Subject: [Qemu-devel] [PULL 01/25] hw/xen/xen_pt_graphics: Don't trust the BIOS ROM contents so much
Date: Thu, 10 Jan 2019 13:48:53 +0000
From: Peter Maydell <address@hidden>
Coverity (CID 796599) points out that xen_pt_setup_vga() trusts
the rom->size field in the BIOS ROM from a PCI passthrough VGA
device, and uses it as an index into the memory which contains
the BIOS image. A corrupt BIOS ROM could therefore cause us to
index off the end of the buffer.
Check that the size is within bounds before we use it.
We are also trusting the pcioffset field, and assuming that
the whole rom_header is present; Coverity doesn't notice these,
but check them too.
Signed-off-by: Peter Maydell <address@hidden>
Acked-by: Anthony PERARD <address@hidden>
Signed-off-by: Anthony PERARD <address@hidden>
---
hw/xen/xen_pt_graphics.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/hw/xen/xen_pt_graphics.c b/hw/xen/xen_pt_graphics.c
index 135c8df1e7..60d6b4a556 100644
--- a/hw/xen/xen_pt_graphics.c
+++ b/hw/xen/xen_pt_graphics.c
@@ -185,8 +185,19 @@ void xen_pt_setup_vga(XenPCIPassthroughState *s,
XenHostPCIDevice *dev,
return;
}
+ if (bios_size < sizeof(struct rom_header)) {
+ error_setg(errp, "VGA: VBIOS image corrupt (too small)");
+ return;
+ }
+
/* Currently we fixed this address as a primary. */
rom = (struct rom_header *)bios;
+
+ if (rom->pcioffset + sizeof(struct pci_data) > bios_size) {
+ error_setg(errp, "VGA: VBIOS image corrupt (bad pcioffset field)");
+ return;
+ }
+
pd = (void *)(bios + (unsigned char)rom->pcioffset);
/* We may need to fixup Device Identification. */
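Review bot: the bound at `if (rom->pcioffset + sizeof(struct pci_data) > bios_size)` is computed from the full `rom->pcioffset`, but the pointer built two lines later uses `(unsigned char)rom->pcioffset`; that cast only makes sense if the field is wider than a byte, so the value validated and the value dereferenced can differ. Truncation can only shrink the offset, so `pd` still lands inside the image, but the two should agree: either drop the cast or check the same truncated value, so the check documents what is actually used.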
@@ -194,6 +205,11 @@ void xen_pt_setup_vga(XenPCIPassthroughState *s,
XenHostPCIDevice *dev,
pd->device = s->real_device.device_id;
len = rom->size * 512;
+ if (len > bios_size) {
+ error_setg(errp, "VGA: VBIOS image corrupt (bad size field)");
+ return;
+ }
+
/* Then adjust the bios checksum */
for (c = (char *)bios; c < ((char *)bios + len); c++) {
checksum += *c;
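Review bot: the bound at `if (len > bios_size)` is only as strong as the widths of `len` and `bios_size`, neither of which is declared in the hunk; confirm that `len = rom->size * 512` cannot wrap, since a wrapped `len` would pass the check while the loop `c < ((char *)bios + len)` still walks by the truncated value. A `rom->size` of zero also passes and leaves the checksum loop empty; if a zero-length image is not valid here, fold `len == 0` into the same corrupt-image error.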
--
Anthony PERARD