qemu/hw-core-loader-Fix-possible-crash-in-rom.patch

From: Thomas Huth <thuth@redhat.com>
Date: Wed, 25 Sep 2019 14:16:43 +0200
Subject: hw/core/loader: Fix possible crash in rom_copy()

Git-commit: e423455c4f23a1a828901c78fe6d03b7dde79319

Both, "rom->addr" and "addr" are derived from the binary image
that can be loaded with the "-kernel" paramer. The code in
rom_copy() then calculates:

    d = dest + (rom->addr - addr);

and uses "d" as destination in a memcpy() some lines later. Now with
bad kernel images, it is possible that rom->addr is smaller than addr,
thus "rom->addr - addr" gets negative and the memcpy() then tries to
copy contents from the image to a bad memory location. This could
maybe be used to inject code from a kernel image into the QEMU binary,
so we better fix it with an additional sanity check here.

Cc: qemu-stable@nongnu.org
Reported-by: Guangming Liu
Buglink: https://bugs.launchpad.net/qemu/+bug/1844635
Message-Id: <20190925130331.27825-1-thuth@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
 hw/core/loader.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/core/loader.c b/hw/core/loader.c
index 425bf69a9968765b4604a442eb0a..838a34174ac2039d55f557fa427a 100644
--- a/hw/core/loader.c
+++ b/hw/core/loader.c
@@ -1242,7 +1242,7 @@ int rom_copy(uint8_t *dest, hwaddr addr, size_t size)
         if (rom->addr + rom->romsize < addr) {
             continue;
         }
-        if (rom->addr > end) {
+        if (rom->addr > end || rom->addr < addr) {
             break;
         }
Accepting request 734440 from home:bfrogers:branches:Virtualization Add in upstream stable patches. Also a new more minor tweaks. OBS-URL: https://build.opensuse.org/request/show/734440 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=492 2019-10-02 04:17:15 +02:00			`From: Thomas Huth <thuth@redhat.com>`
			`Date: Wed, 25 Sep 2019 14:16:43 +0200`
			`Subject: hw/core/loader: Fix possible crash in rom_copy()`

			`Git-commit: e423455c4f23a1a828901c78fe6d03b7dde79319`

			`Both, "rom->addr" and "addr" are derived from the binary image`
			`that can be loaded with the "-kernel" paramer. The code in`
			`rom_copy() then calculates:`

			`d = dest + (rom->addr - addr);`

			`and uses "d" as destination in a memcpy() some lines later. Now with`
			`bad kernel images, it is possible that rom->addr is smaller than addr,`
			`thus "rom->addr - addr" gets negative and the memcpy() then tries to`
			`copy contents from the image to a bad memory location. This could`
			`maybe be used to inject code from a kernel image into the QEMU binary,`
			`so we better fix it with an additional sanity check here.`

			`Cc: qemu-stable@nongnu.org`
			`Reported-by: Guangming Liu`
			`Buglink: https://bugs.launchpad.net/qemu/+bug/1844635`
			`Message-Id: <20190925130331.27825-1-thuth@redhat.com>`
			`Reviewed-by: Michael S. Tsirkin <mst@redhat.com>`
			`Signed-off-by: Thomas Huth <thuth@redhat.com>`
			`Signed-off-by: Bruce Rogers <brogers@suse.com>`
			`---`
			`hw/core/loader.c \| 2 +-`
			`1 file changed, 1 insertion(+), 1 deletion(-)`

			`diff --git a/hw/core/loader.c b/hw/core/loader.c`
			`index 425bf69a9968765b4604a442eb0a..838a34174ac2039d55f557fa427a 100644`
			`--- a/hw/core/loader.c`
			`+++ b/hw/core/loader.c`
			`@@ -1242,7 +1242,7 @@ int rom_copy(uint8_t *dest, hwaddr addr, size_t size)`
			`if (rom->addr + rom->romsize < addr) {`
			`continue;`
			`}`
			`- if (rom->addr > end) {`
			`+ if (rom->addr > end \|\| rom->addr < addr) {`
			`break;`
			`}`