[Qemu-devel] [PATCH 040/113] multiboot: Reject kernels exceeding the address space

From: Michael Roth
Subject: [Qemu-devel] [PATCH 040/113] multiboot: Reject kernels exceeding the address space
Date: Mon, 18 Jun 2018 20:42:06 -0500
From: Kevin Wolf <address@hidden>
The code path where mh_load_end_addr is non-zero in the Multiboot
header checks that mh_load_end_addr >= mh_load_addr and so
mb_load_size is checked. However, mb_load_size is not checked when
calculated from the file size, when mh_load_end_addr is 0.

If the kernel binary size is larger than can fit in the address space
after load_addr, we ended up with a kernel_size that is smaller than
load_size, which means that we read the file into too small a buffer.

Add a check to reject kernel files with such Multiboot headers.
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Jack Schwartz <address@hidden>
(cherry picked from commit b17a9054a0652a1481be48a6729e972abf02412f)
Signed-off-by: Michael Roth <address@hidden>
---
hw/i386/multiboot.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c
index d9a0a95a2f..775aa5bfd0 100644
--- a/hw/i386/multiboot.c
+++ b/hw/i386/multiboot.c
@@ -247,6 +247,10 @@ int load_multiboot(FWCfgState *fw_cfg,
}
mb_load_size = kernel_file_size - mb_kernel_text_offset;
}
+ if (mb_load_size > UINT32_MAX - mh_load_addr) {
+ error_report("kernel does not fit in address space");
+ exit(1);
+ }
if (mh_bss_end_addr) {
if (mh_bss_end_addr < (mh_load_addr + mb_load_size)) {
error_report("invalid bss_end_addr address");
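Review bot: the new guard sits after the closing brace of the mh_load_end_addr else-branch, so it applies to both size sources (header-derived and file-derived), and because mh_load_addr is a 32-bit header field the subtraction `UINT32_MAX - mh_load_addr` cannot underflow; the useful consequence is that the `mh_load_addr + mb_load_size` sum in the bss_end_addr comparison directly below can no longer wrap, which deserves a one-line comment above the check so the ordering is not lost in a later refactor. The diagnostic would also be more actionable if it reported the offending values (mh_load_addr and mb_load_size) alongside the field name, the way the "invalid bss_end_addr address" message below names its field; as written, "kernel does not fit in address space" gives the user nothing to correct in the header.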
--
2.11.0
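The failure mode described in the commit message, as an added example that is not QEMU's own load_multiboot() code: a stand-alone C routine that mirrors the two ways the load size is derived (from mh_load_end_addr, or from the file size when that field is 0), applies the overflow guard from the patch to both, and only then performs the bss_end_addr comparison, which is safe once the sum is known not to wrap. The struct, the mb_compute_load_size() function, the status codes and the helper mb_wrapped_end_unchecked() are this example's own names; the sample header values in main() are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical subset of the Multiboot header fields that the size
 * checks depend on (names follow the mh_* convention used in the patch).
 * This is an added example, not QEMU's struct or its load_multiboot(). */
struct mb_header {
    uint32_t mh_load_addr;      /* where the text segment is loaded */
    uint32_t mh_load_end_addr;  /* 0: take the load size from the file */
    uint32_t mh_bss_end_addr;   /* 0: no bss segment */
};

enum mb_status {
    MB_OK = 0,
    MB_ERR_LOAD_END_BEFORE_LOAD,     /* mh_load_end_addr < mh_load_addr */
    MB_ERR_TEXT_OFFSET_PAST_EOF,     /* text offset beyond the file */
    MB_ERR_DOES_NOT_FIT,             /* load_addr + size wraps past 4 GiB */
    MB_ERR_BSS_END_BEFORE_LOAD_END,  /* bss ends inside the loaded text */
};

/* Derive the number of bytes to copy from the kernel file to guest
 * memory at mh_load_addr, rejecting headers that cannot be honoured.
 * kernel_file_size is the size of the kernel file, text_offset the offset
 * of the text segment within it. On success *load_size is set. */
enum mb_status mb_compute_load_size(const struct mb_header *h,
                                    uint64_t kernel_file_size,
                                    uint64_t text_offset,
                                    uint32_t *load_size)
{
    uint64_t size;

    if (h->mh_load_end_addr) {
        /* Path 1: size comes from the header. end >= start is checked,
         * and both fields are 32-bit, so the size is already bounded. */
        if (h->mh_load_end_addr < h->mh_load_addr)
            return MB_ERR_LOAD_END_BEFORE_LOAD;
        size = (uint64_t)h->mh_load_end_addr - h->mh_load_addr;
    } else {
        /* Path 2: size comes from the file. Nothing ties a file size to
         * the 32-bit address space, so this is the path the patch guards. */
        if (text_offset > kernel_file_size)
            return MB_ERR_TEXT_OFFSET_PAST_EOF;
        size = kernel_file_size - text_offset;
    }

    /* The check the patch adds, applied to both paths: load_addr + size
     * must not wrap past UINT32_MAX. mh_load_addr is 32-bit, so the
     * subtraction cannot underflow, and size is compared in 64 bits. */
    if (size > (uint64_t)UINT32_MAX - h->mh_load_addr)
        return MB_ERR_DOES_NOT_FIT;

    /* Only now is mh_load_addr + size known to fit in 32 bits, so the
     * bss_end_addr comparison below cannot be fooled by a wrapped sum. */
    if (h->mh_bss_end_addr &&
        h->mh_bss_end_addr < h->mh_load_addr + (uint32_t)size)
        return MB_ERR_BSS_END_BEFORE_LOAD_END;

    *load_size = (uint32_t)size;
    return MB_OK;
}

/* Illustration of the unguarded arithmetic: the 32-bit end address of the
 * loaded region. Without the guard above, a large file makes this wrap to
 * a value below load_addr, so any "end - start" buffer size derived from
 * it is smaller than the number of bytes actually read from the file. */
uint32_t mb_wrapped_end_unchecked(uint32_t load_addr, uint32_t load_size)
{
    return load_addr + load_size;  /* deliberately unchecked uint32 sum */
}

int main(void)
{
    /* Constructed sample: a 128 KiB kernel placed 64 KiB below 4 GiB. */
    struct mb_header h = { 0xFFFF0000u, 0, 0 };
    uint32_t load_size = 0;
    enum mb_status st = mb_compute_load_size(&h, 0x20000u, 0, &load_size);

    printf("status=%d (0 is OK)\n", (int)st);
    printf("unchecked end address would wrap to %#x\n",
           mb_wrapped_end_unchecked(0xFFFF0000u, 0x20000u));
    return 0;
}
```

The point of computing the size in 64 bits and comparing against `UINT32_MAX - mh_load_addr` rather than testing `load_addr + size < load_addr` after the fact is that the guard never relies on wrapped arithmetic; the wrapped-end helper is only there to make visible what the unguarded path produces.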