[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] hw/core/loader: Fix possible crash in rom_copy()
From: |
Paolo Bonzini |
Subject: |
Re: [PATCH] hw/core/loader: Fix possible crash in rom_copy() |
Date: |
Wed, 25 Sep 2019 15:51:25 +0200 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0 |
On 25/09/19 15:22, Michael S. Tsirkin wrote:
>> Both, "rom->addr" and "addr" are derived from the binary image
>> that can be loaded with the "-kernel" paramer. The code in
>> rom_copy() then calculates:
>>
>> d = dest + (rom->addr - addr);
>>
>> and uses "d" as destination in a memcpy() some lines later. Now with
>> bad kernel images, it is possible that rom->addr is smaller than addr,
>> thus "rom->addr - addr" gets negative and the memcpy() then tries to
>> copy contents from the image to a bad memory location. In the best case,
>> this just crashes QEMU, in the worst case, this could maybe be used to
>> inject code from the kernel image into the QEMU binary, so we better fix
>> it with an additional sanity check here.
>>
>> Cc: address@hidden
>> Reported-by: Guangming Liu
>> Buglink: https://bugs.launchpad.net/qemu/+bug/1844635
>> Signed-off-by: Thomas Huth <address@hidden>
>
> Reviewed-by: Michael S. Tsirkin <address@hidden>
Queued, thanks.
Paolo