[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PULL v2 16/47] hw/i386: Improve bounds checking in OVMF table parsing
From: |
Michael S. Tsirkin |
Subject: |
[PULL v2 16/47] hw/i386: Improve bounds checking in OVMF table parsing |
Date: |
Mon, 7 Mar 2022 05:02:08 -0500 |
From: Dov Murik <dovmurik@linux.ibm.com>
When pc_system_parse_ovmf_flash() parses the optional GUIDed table in
the end of the OVMF flash memory area, the table length field is checked
for sizes that are too small, but doesn't error on sizes that are too
big (bigger than the flash content itself).
Add a check for maximal size of the OVMF table, and add an error report
in case the size is invalid. In such a case, an error like this will be
displayed during launch:
qemu-system-x86_64: OVMF table has invalid size 4047
and the table parsing is skipped.
Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
Message-Id: <20220222071906.2632426-2-dovmurik@linux.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
---
hw/i386/pc_sysfw_ovmf.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/hw/i386/pc_sysfw_ovmf.c b/hw/i386/pc_sysfw_ovmf.c
index f4dd92c588..df15c9737b 100644
--- a/hw/i386/pc_sysfw_ovmf.c
+++ b/hw/i386/pc_sysfw_ovmf.c
@@ -24,6 +24,7 @@
*/
#include "qemu/osdep.h"
+#include "qemu/error-report.h"
#include "hw/i386/pc.h"
#include "cpu.h"
@@ -66,7 +67,13 @@ void pc_system_parse_ovmf_flash(uint8_t *flash_ptr, size_t
flash_size)
ptr -= sizeof(uint16_t);
tot_len = le16_to_cpu(*(uint16_t *)ptr) - sizeof(guid) - sizeof(uint16_t);
- if (tot_len <= 0) {
+ if (tot_len < 0 || tot_len > (ptr - flash_ptr)) {
+ error_report("OVMF table has invalid size %d", tot_len);
+ return;
+ }
+
+ if (tot_len == 0) {
+ /* no entries in the OVMF table */
return;
}
--
MST
- [PULL v2 07/47] hw/smbios: fix overlapping table handle numbers with large memory vms, (continued)
- [PULL v2 07/47] hw/smbios: fix overlapping table handle numbers with large memory vms, Michael S. Tsirkin, 2022/03/07
- [PULL v2 08/47] hw/smbios: add assertion to ensure handles of tables 19 and 32 do not collide, Michael S. Tsirkin, 2022/03/07
- [PULL v2 09/47] vhost-user: remove VirtQ notifier restore, Michael S. Tsirkin, 2022/03/07
- [PULL v2 10/47] vhost-user: fix VirtQ notifier cleanup, Michael S. Tsirkin, 2022/03/07
- [PULL v2 11/47] virtio: fix the condition for iommu_platform not supported, Michael S. Tsirkin, 2022/03/07
- [PULL v2 13/47] hw/virtio: vdpa: Fix leak of host-notifier memory-region, Michael S. Tsirkin, 2022/03/07
- [PULL v2 15/47] intel_iommu: support snoop control, Michael S. Tsirkin, 2022/03/07
- [PULL v2 12/47] hw/vhost-user-i2c: Add support for VIRTIO_I2C_F_ZERO_LENGTH_REQUEST, Michael S. Tsirkin, 2022/03/07
- [PULL v2 14/47] vhost-vdpa: make notifiers _init()/_uninit() symmetric, Michael S. Tsirkin, 2022/03/07
- [PULL v2 17/47] hw/i386: Replace magic number with field length calculation, Michael S. Tsirkin, 2022/03/07
- [PULL v2 16/47] hw/i386: Improve bounds checking in OVMF table parsing,
Michael S. Tsirkin <=
- [PULL v2 18/47] virtio-iommu: Default to bypass during boot, Michael S. Tsirkin, 2022/03/07
- [PULL v2 19/47] virtio-iommu: Support bypass domain, Michael S. Tsirkin, 2022/03/07
- [PULL v2 21/47] hw/i386/pc_piix: Mark the machine types from version 1.4 to 1.7 as deprecated, Michael S. Tsirkin, 2022/03/07
- [PULL v2 22/47] hw/pci-bridge/pxb: Fix missing swizzle, Michael S. Tsirkin, 2022/03/07
- [PULL v2 23/47] virtio-net: Unlimit tx queue size if peer is vdpa, Michael S. Tsirkin, 2022/03/07
- [PULL v2 24/47] pcie: Add support for Single Root I/O Virtualization (SR/IOV), Michael S. Tsirkin, 2022/03/07
- [PULL v2 25/47] pcie: Add some SR/IOV API documentation in docs/pcie_sriov.txt, Michael S. Tsirkin, 2022/03/07
- [PULL v2 26/47] pcie: Add a helper to the SR/IOV API, Michael S. Tsirkin, 2022/03/07
- [PULL v2 27/47] pcie: Add 1.2 version token for the Power Management Capability, Michael S. Tsirkin, 2022/03/07
- [PULL v2 28/47] pci-bridge/xio3130_upstream: Fix error handling, Michael S. Tsirkin, 2022/03/07