[PATCH 0/2] Fix integer overflows in loading of large images
From: Jamie Iles
Subject: [PATCH 0/2] Fix integer overflows in loading of large images
Date: Thu, 11 Nov 2021 14:11:39 +0000
Most of the loader code currently uses a ssize_t or 64 bit integer type
to store image lengths, but many functions that handle loading return an
int with a negative value on error or length on success. Once an image
exceeds 2GB this will cause an integer overflow and so can end up
loading truncated images, silently failing to load an image (a 4GB image
would be interpreted as 0 bytes long).
This is unlikely to affect many deployments, but can manifest when
preloading RAM disks for example.
This builds upon 8975eb891fb6 ("hw/elf_ops.h: switch to ssize_t for elf
loader return type") to cover more of the generic loader.
Jamie Iles (2):
hw/core/loader: return image sizes as ssize_t
hw/core/loader: workaround read() size limit.
 hw/arm/armv7m.c          |   2 +-
 hw/arm/boot.c            |   8 +--
 hw/core/generic-loader.c |   2 +-
 hw/core/loader.c         | 121 ++++++++++++++++++++++++---------------
 hw/i386/x86.c            |   2 +-
 hw/riscv/boot.c          |   5 +-
 include/hw/loader.h      |  55 +++++++++---------
 7 files changed, 114 insertions(+), 81 deletions(-)
--
2.30.2
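The two failure modes the cover letter describes, shown as an added example that is not QEMU code and not part of this patch series. The helper names (length_via_int, checked_length, read_all, roundtrip_tmpfile) are hypothetical. It demonstrates, first, what a caller sees when a 64-bit image length is handed back through a 32-bit int (4 GiB becomes 0 bytes, 3 GiB becomes a negative value that a "< 0 is an error" check mistakes for failure) and the shape of the fix (keep the width, reject what cannot be represented); second, a read loop that bounds each read() call, since on Linux a single read() transfers at most 0x7ffff000 bytes, so a large image has to be read in pieces. The read loop takes the chunk size as a parameter so it can be exercised on a small temporary file; in real use the chunk bound is the Linux limit.

```c
/* Added example, not QEMU code: shows the int narrowing bug the cover
 * letter describes and a chunked read() loop. Helper names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define ONE_GIB (1024LL * 1024 * 1024)
#define LINUX_MAX_RW_COUNT 0x7ffff000UL  /* largest single read() on Linux */

/* What a caller sees when a 64-bit length is returned as a 32-bit int.
 * Done through uint32_t so the narrowing is well-defined; it mirrors the
 * two's-complement wrap GCC and Clang perform on the real (int) cast. */
static int32_t length_via_int(int64_t len)
{
    uint32_t low = (uint32_t)len;                 /* modulo 2^32 */
    if (low <= INT32_MAX)
        return (int32_t)low;
    return (int32_t)(low - 0x80000000u) - INT32_MAX - 1;
}

/* The fixed shape: keep the full width and reject a length that cannot
 * be represented instead of letting it wrap into 0 or a negative value. */
static ssize_t checked_length(int64_t len)
{
    if (len < 0 || (uint64_t)len > (uint64_t)SSIZE_MAX)
        return -1;
    return (ssize_t)len;
}

/* Read up to `want` bytes from fd into buf, asking for at most `max_chunk`
 * per read() call. Returns bytes read (short only at EOF) or -1 with errno
 * set. Pass LINUX_MAX_RW_COUNT as max_chunk when loading a real image. */
static ssize_t read_all(int fd, void *buf, size_t want, size_t max_chunk)
{
    uint8_t *p = buf;
    size_t done = 0;

    while (done < want) {
        size_t chunk = want - done;
        if (chunk > max_chunk)
            chunk = max_chunk;
        ssize_t n = read(fd, p + done, chunk);
        if (n < 0) {
            if (errno == EINTR)
                continue;                         /* interrupted, retry */
            return -1;
        }
        if (n == 0)
            break;                                /* EOF */
        done += (size_t)n;
    }
    return (ssize_t)done;
}

/* Self-check: write `total` bytes of a constructed pattern to a temp file,
 * read them back through read_all() in `max_chunk` pieces, and compare.
 * Returns the byte count on success, -1 on any failure or mismatch. */
static ssize_t roundtrip_tmpfile(size_t total, size_t max_chunk)
{
    FILE *f = tmpfile();
    if (!f)
        return -1;
    int fd = fileno(f);
    uint8_t *out = malloc(total), *in = malloc(total);
    ssize_t got = -1;

    if (out && in) {
        for (size_t i = 0; i < total; i++)
            out[i] = (uint8_t)(i * 31 + 7);       /* constructed pattern */
        if (write(fd, out, total) == (ssize_t)total &&
            lseek(fd, 0, SEEK_SET) == 0) {
            got = read_all(fd, in, total, max_chunk);
            if (got != (ssize_t)total || memcmp(in, out, total) != 0)
                got = -1;
        }
    }
    free(in);
    free(out);
    fclose(f);
    return got;
}

int main(void)
{
    printf("4 GiB via int: %d, 3 GiB via int: %d\n",
           length_via_int(4 * ONE_GIB), length_via_int(3 * ONE_GIB));
    printf("roundtrip 10000 bytes in 4096-byte reads: %zd\n",
           roundtrip_tmpfile(10000, 4096));
    return 0;
}
```

The point of checked_length is that a loader returning ssize_t still needs the range check on a 32-bit host, where ssize_t is 32 bits and a 4 GiB image is genuinely unloadable; the fix is to report that, not to wrap.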
- [PATCH 0/2] Fix integer overflows in loading of large images, Jamie Iles, 2021/11/11 (this message)
- [PATCH 2/2] hw/core/loader: workaround read() size limit., Jamie Iles, 2021/11/11
- Re: [PATCH 2/2] hw/core/loader: workaround read() size limit., Philippe Mathieu-Daudé, 2021/11/11
- Re: [PATCH 2/2] hw/core/loader: workaround read() size limit., Jamie Iles, 2021/11/11
- Re: [PATCH 2/2] hw/core/loader: workaround read() size limit., Philippe Mathieu-Daudé, 2021/11/11
- Re: [PATCH 2/2] hw/core/loader: workaround read() size limit., Philippe Mathieu-Daudé, 2021/11/11
- Re: [PATCH 2/2] hw/core/loader: workaround read() size limit., Jamie Iles, 2021/11/11
- Re: [PATCH 2/2] hw/core/loader: workaround read() size limit., Jamie Iles, 2021/11/30
- [PATCH 1/2] hw/core/loader: return image sizes as ssize_t, Jamie Iles, 2021/11/11