[PULL 20/45] hw/i386: Improve bounds checking in OVMF table parsing
From: Michael S. Tsirkin
Subject: [PULL 20/45] hw/i386: Improve bounds checking in OVMF table parsing
Date: Fri, 4 Mar 2022 08:39:54 -0500
From: Dov Murik <dovmurik@linux.ibm.com>
When pc_system_parse_ovmf_flash() parses the optional GUIDed table at
the end of the OVMF flash memory area, the table length field is checked
for sizes that are too small, but doesn't error on sizes that are too
big (bigger than the flash content itself).
Add a check for maximal size of the OVMF table, and add an error report
in case the size is invalid. In such a case, an error like this will be
displayed during launch:
qemu-system-x86_64: OVMF table has invalid size 4047
and the table parsing is skipped.
Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
Message-Id: <20220222071906.2632426-2-dovmurik@linux.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
---
hw/i386/pc_sysfw_ovmf.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/hw/i386/pc_sysfw_ovmf.c b/hw/i386/pc_sysfw_ovmf.c
index f4dd92c588..df15c9737b 100644
--- a/hw/i386/pc_sysfw_ovmf.c
+++ b/hw/i386/pc_sysfw_ovmf.c
@@ -24,6 +24,7 @@
*/
#include "qemu/osdep.h"
+#include "qemu/error-report.h"
#include "hw/i386/pc.h"
#include "cpu.h"
@@ -66,7 +67,13 @@ void pc_system_parse_ovmf_flash(uint8_t *flash_ptr, size_t
flash_size)
ptr -= sizeof(uint16_t);
tot_len = le16_to_cpu(*(uint16_t *)ptr) - sizeof(guid) - sizeof(uint16_t);
- if (tot_len <= 0) {
+ if (tot_len < 0 || tot_len > (ptr - flash_ptr)) {
+ error_report("OVMF table has invalid size %d", tot_len);
+ return;
+ }
+
+ if (tot_len == 0) {
+ /* no entries in the OVMF table */
return;
}
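Review bot: the `tot_len < 0` half of the new condition depends on the preceding size_t subtraction (`le16_to_cpu(*(uint16_t *)ptr) - sizeof(guid) - sizeof(uint16_t)`) wrapping around and then being converted to a negative int whenever the 16-bit field is smaller than the header; that int conversion is implementation-defined, so consider reading the raw field into a local and checking `raw < sizeof(guid) + sizeof(uint16_t)` before subtracting. Also, the error_report prints tot_len, which already has the header size removed, so the reported "invalid size" will not match the value stored in the flash image; printing the raw field (and the limit `ptr - flash_ptr`) would make the message easier to correlate with the image.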
--
MST
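As an added illustration (my own code, not the QEMU source or this patch), here is a stand-alone parser for a table footer with the layout the diff implies, doing the too-small check on the raw field before any subtraction and the too-big check against the bytes available below the length field. The footer layout with 32 trailing bytes, the marker GUID value and the function names are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>
/* Assumed footer layout, inferred from the diff context (not copied from QEMU):
 *   [table entries][uint16 LE length][16-byte footer GUID][32 trailing bytes]
 * where the length field counts the entries plus itself plus the GUID. */
#define GUID_LEN     16
#define TRAILING_LEN 32
#define HDR_LEN      (sizeof(uint16_t) + GUID_LEN)

/* Hypothetical marker GUID; real OVMF images use a fixed well-known constant. */
static const uint8_t footer_guid[GUID_LEN] = {
    0xde, 0xad, 0xbe, 0xef, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
};

/* Returns the entry byte count (>= 0), -1 if there is no footer GUID,
 * -2 if the length field is invalid (too small or too big). */
int ovmf_table_entries_len(const uint8_t *flash, size_t flash_size)
{
    if (flash_size < HDR_LEN + TRAILING_LEN) {
        return -1;
    }
    const uint8_t *guid_ptr = flash + flash_size - GUID_LEN - TRAILING_LEN;
    if (memcmp(guid_ptr, footer_guid, GUID_LEN) != 0) {
        return -1;
    }
    const uint8_t *len_ptr = guid_ptr - sizeof(uint16_t);
    unsigned raw = len_ptr[0] | ((unsigned)len_ptr[1] << 8); /* little-endian */
    /* Too small: test the raw field first, so no unsigned wrap-around is involved. */
    if (raw < HDR_LEN) {
        return -2;
    }
    size_t entries = raw - HDR_LEN;
    /* Too big: entries sit directly below len_ptr, so they must fit above flash start. */
    if (entries > (size_t)(len_ptr - flash)) {
        return -2;
    }
    return (int)entries;
}

/* Constructed 256-byte zero-filled image with the footer written in, then parsed. */
int check_len_field(uint16_t len_field)
{
    uint8_t img[256] = {0};
    uint8_t *guid_ptr = img + sizeof(img) - GUID_LEN - TRAILING_LEN;
    memcpy(guid_ptr, footer_guid, GUID_LEN);
    guid_ptr[-2] = (uint8_t)(len_field & 0xff);  /* little-endian length field */
    guid_ptr[-1] = (uint8_t)(len_field >> 8);
    return ovmf_table_entries_len(img, sizeof(img));
}
```

With a 256-byte image there are 206 bytes below the length field, so a field of 224 (206 + 18) is the largest value accepted and 225 is rejected.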