[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PULL 4/5] hw/core/loader: Fix possible crash in rom_copy()
From: |
Thomas Huth |
Subject: |
[PULL 4/5] hw/core/loader: Fix possible crash in rom_copy() |
Date: |
Tue, 1 Oct 2019 12:50:56 +0200 |
Both, "rom->addr" and "addr" are derived from the binary image
that can be loaded with the "-kernel" paramer. The code in
rom_copy() then calculates:
d = dest + (rom->addr - addr);
and uses "d" as destination in a memcpy() some lines later. Now with
bad kernel images, it is possible that rom->addr is smaller than addr,
thus "rom->addr - addr" gets negative and the memcpy() then tries to
copy contents from the image to a bad memory location. This could
maybe be used to inject code from a kernel image into the QEMU binary,
so we better fix it with an additional sanity check here.
Cc: address@hidden
Reported-by: Guangming Liu
Buglink: https://bugs.launchpad.net/qemu/+bug/1844635
Message-Id: <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Thomas Huth <address@hidden>
---
hw/core/loader.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/core/loader.c b/hw/core/loader.c
index 0d60219364..5099f27dc8 100644
--- a/hw/core/loader.c
+++ b/hw/core/loader.c
@@ -1281,7 +1281,7 @@ int rom_copy(uint8_t *dest, hwaddr addr, size_t size)
if (rom->addr + rom->romsize < addr) {
continue;
}
- if (rom->addr > end) {
+ if (rom->addr > end || rom->addr < addr) {
break;
}
--
2.18.1
- [PULL 0/5] qtest and misc patches, Thomas Huth, 2019/10/01
- [PULL 2/5] tests: fix echi/ehci typo, Thomas Huth, 2019/10/01
- [PULL 5/5] Disallow colons in the parameter of "-accel", Thomas Huth, 2019/10/01
- [PULL 1/5] tests: fix usb-hcd-ehci-test compilation, Thomas Huth, 2019/10/01
- [PULL 4/5] hw/core/loader: Fix possible crash in rom_copy(),
Thomas Huth <=
- [PULL 3/5] hw/m68k/next-cube: Avoid static RTC variables and introduce control register, Thomas Huth, 2019/10/01
- Re: [PULL 0/5] qtest and misc patches, Peter Maydell, 2019/10/01