[PULL 25/35] hw/i386: Improve bounds checking in OVMF table parsing
From: Gerd Hoffmann
Subject: [PULL 25/35] hw/i386: Improve bounds checking in OVMF table parsing
Date: Fri, 4 Mar 2022 15:21:13 +0100
From: Dov Murik <dovmurik@linux.ibm.com>
When pc_system_parse_ovmf_flash() parses the optional GUIDed table at
the end of the OVMF flash memory area, the table length field is checked
for sizes that are too small, but doesn't error on sizes that are too
big (bigger than the flash content itself).
Add a check for maximal size of the OVMF table, and add an error report
in case the size is invalid. In such a case, an error like this will be
displayed during launch:
qemu-system-x86_64: OVMF table has invalid size 4047
and the table parsing is skipped.
Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20220222071906.2632426-2-dovmurik@linux.ibm.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
hw/i386/pc_sysfw_ovmf.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/hw/i386/pc_sysfw_ovmf.c b/hw/i386/pc_sysfw_ovmf.c
index f4dd92c58825..df15c9737b93 100644
--- a/hw/i386/pc_sysfw_ovmf.c
+++ b/hw/i386/pc_sysfw_ovmf.c
@@ -24,6 +24,7 @@
*/
#include "qemu/osdep.h"
+#include "qemu/error-report.h"
#include "hw/i386/pc.h"
#include "cpu.h"
@@ -66,7 +67,13 @@ void pc_system_parse_ovmf_flash(uint8_t *flash_ptr, size_t
flash_size)
ptr -= sizeof(uint16_t);
tot_len = le16_to_cpu(*(uint16_t *)ptr) - sizeof(guid) - sizeof(uint16_t);
- if (tot_len <= 0) {
+ if (tot_len < 0 || tot_len > (ptr - flash_ptr)) {
+ error_report("OVMF table has invalid size %d", tot_len);
+ return;
+ }
+
+ if (tot_len == 0) {
+ /* no entries in the OVMF table */
return;
}
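Review bot: the new `tot_len < 0` test on the line replacing `if (tot_len <= 0)` depends on `le16_to_cpu(*(uint16_t *)ptr) - sizeof(guid) - sizeof(uint16_t)` wrapping in unsigned `size_t` arithmetic and then turning negative on assignment, which the `%d` in the new `error_report` suggests is an `int` conversion; that conversion of an out-of-range unsigned value is implementation-defined in C. It would be more robust to compare the raw 16-bit value against `sizeof(guid) + sizeof(uint16_t)` before subtracting and only then derive `tot_len`. The added upper bound `tot_len > (ptr - flash_ptr)` is the right limit, since the entries live before the length field; a one-line comment that an invalid size skips the table rather than aborting the launch would make the bare `return` after `error_report` self-explanatory.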
--
2.35.1
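The commit message describes a length field that used to be checked only against a lower bound. The following added example, which is not part of the patch or of QEMU, shows the same two-sided check in a stand-alone C program. It assumes the trailer layout implied by the diff's arithmetic (entries, then a little-endian 16-bit length that counts itself and the GUID, then a 16-byte footer GUID), uses a constructed placeholder GUID rather than the real OVMF one, and builds a few constructed images, including an oversized declared length like the 4047 in the message, to show which are rejected. It differs from the patch in two deliberate ways: the raw length is checked before the subtraction, so no signed/unsigned conversion is involved, and the 16-bit field is loaded byte by byte so the read is alignment- and endianness-safe.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration of the bounds check from the patch; not QEMU code.
 * Assumed layout at the end of a flash image, matching the arithmetic in
 * the diff: [ entries ... ][ uint16 length, little-endian ][ 16-byte GUID ]
 * The length field counts the entries plus itself plus the GUID.
 */
#define GUID_LEN   16
#define LEN_FIELD  2
#define TRAILER    (GUID_LEN + LEN_FIELD)

/* Constructed placeholder footer GUID; not the real OVMF table GUID. */
static const uint8_t FOOTER_GUID[GUID_LEN] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff
};

/*
 * Locate the table entries. Returns the number of entry bytes (0 or more),
 * or -1 when there is no footer GUID or the declared length is out of range
 * in either direction. On success *entries points at the first entry byte.
 */
long parse_table_trailer(const uint8_t *flash, size_t flash_size,
                         const uint8_t **entries)
{
    if (flash_size < TRAILER) {
        return -1;                    /* too small to hold a trailer at all */
    }
    const uint8_t *ptr = flash + flash_size - GUID_LEN;
    if (memcmp(ptr, FOOTER_GUID, GUID_LEN) != 0) {
        return -1;                    /* no table present */
    }
    ptr -= LEN_FIELD;
    /* Byte-wise little-endian load: no alignment or host-endianness issues. */
    unsigned raw_len = (unsigned)ptr[0] | ((unsigned)ptr[1] << 8);

    /* Lower bound: the length must at least cover the length field and GUID.
     * Checking before subtracting avoids unsigned wrap-around. */
    if (raw_len < TRAILER) {
        return -1;
    }
    size_t tot_len = raw_len - TRAILER;

    /* Upper bound: entries sit before ptr, so they cannot exceed ptr - flash. */
    if (tot_len > (size_t)(ptr - flash)) {
        fprintf(stderr, "table has invalid size %zu\n", tot_len);
        return -1;
    }
    if (entries) {
        *entries = ptr - tot_len;
    }
    return (long)tot_len;
}

/* Build a constructed flash image: entry_bytes of filler, then a trailer
 * whose length field is set to declared_len (which may be deliberately wrong). */
size_t build_flash(uint8_t *buf, size_t buf_size, size_t entry_bytes,
                   unsigned declared_len)
{
    size_t total = entry_bytes + TRAILER;
    if (total > buf_size || declared_len > 0xffff) {
        return 0;
    }
    memset(buf, 0xab, entry_bytes);
    buf[entry_bytes]     = (uint8_t)(declared_len & 0xff);
    buf[entry_bytes + 1] = (uint8_t)(declared_len >> 8);
    memcpy(buf + entry_bytes + LEN_FIELD, FOOTER_GUID, GUID_LEN);
    return total;
}

/* Convenience: build an image with the given parameters and parse it. */
long demo_case(size_t entry_bytes, unsigned declared_len)
{
    uint8_t buf[64];
    size_t n = build_flash(buf, sizeof buf, entry_bytes, declared_len);
    return n ? parse_table_trailer(buf, n, NULL) : -1;
}

int main(void)
{
    printf("exact fit      -> %ld\n", demo_case(8, 8 + TRAILER));   /* 8 */
    printf("one byte over  -> %ld\n", demo_case(8, 9 + TRAILER));   /* -1 */
    printf("way too large  -> %ld\n", demo_case(8, 4047));          /* -1 */
    printf("below minimum  -> %ld\n", demo_case(8, 10));            /* -1 */
    printf("empty table    -> %ld\n", demo_case(0, TRAILER));       /* 0 */
    return 0;
}
```

The "one byte over" case is the one the original lower-bound-only check let through: the declared length exceeds the bytes actually in front of the length field by a single byte, so any later walk over the entries would start one byte before the buffer.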