qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] hw/core/loader: Fix possible crash in rom_copy()

From: Paolo Bonzini
Subject: Re: [PATCH] hw/core/loader: Fix possible crash in rom_copy()
Date: Wed, 25 Sep 2019 15:51:25 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0 
On 25/09/19 15:22, Michael S. Tsirkin wrote:
>> Both, "rom->addr" and "addr" are derived from the binary image
>> that can be loaded with the "-kernel" paramer. The code in
>> rom_copy() then calculates:
>> 
>>     d = dest + (rom->addr - addr);
>> 
>> and uses "d" as destination in a memcpy() some lines later. Now with
>> bad kernel images, it is possible that rom->addr is smaller than addr,
>> thus "rom->addr - addr" gets negative and the memcpy() then tries to
>> copy contents from the image to a bad memory location. In the best case,
>> this just crashes QEMU, in the worst case, this could maybe be used to
>> inject code from the kernel image into the QEMU binary, so we better fix
>> it with an additional sanity check here.
>> 
>> Cc: address@hidden
>> Reported-by: Guangming Liu
>> Buglink: https://bugs.launchpad.net/qemu/+bug/1844635
>> Signed-off-by: Thomas Huth <address@hidden>
>
> Reviewed-by: Michael S. Tsirkin <address@hidden>

Queued, thanks.

Paolo
reply via email to
[Prev in Thread] Current Thread [Next in Thread]