6f08fa6f4d
Add in upstream stable patches. Also a new more minor tweaks. OBS-URL: https://build.opensuse.org/request/show/734440 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=492
44 lines
1.6 KiB
Diff
44 lines
1.6 KiB
Diff
From: Thomas Huth <thuth@redhat.com>
|
|
Date: Wed, 25 Sep 2019 14:16:43 +0200
|
|
Subject: hw/core/loader: Fix possible crash in rom_copy()
|
|
|
|
Git-commit: e423455c4f23a1a828901c78fe6d03b7dde79319
|
|
|
|
Both, "rom->addr" and "addr" are derived from the binary image
|
|
that can be loaded with the "-kernel" paramer. The code in
|
|
rom_copy() then calculates:
|
|
|
|
d = dest + (rom->addr - addr);
|
|
|
|
and uses "d" as destination in a memcpy() some lines later. Now with
|
|
bad kernel images, it is possible that rom->addr is smaller than addr,
|
|
thus "rom->addr - addr" gets negative and the memcpy() then tries to
|
|
copy contents from the image to a bad memory location. This could
|
|
maybe be used to inject code from a kernel image into the QEMU binary,
|
|
so we better fix it with an additional sanity check here.
|
|
|
|
Cc: qemu-stable@nongnu.org
|
|
Reported-by: Guangming Liu
|
|
Buglink: https://bugs.launchpad.net/qemu/+bug/1844635
|
|
Message-Id: <20190925130331.27825-1-thuth@redhat.com>
|
|
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
|
|
Signed-off-by: Thomas Huth <thuth@redhat.com>
|
|
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
|
---
|
|
hw/core/loader.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/hw/core/loader.c b/hw/core/loader.c
|
|
index 425bf69a9968765b4604a442eb0a..838a34174ac2039d55f557fa427a 100644
|
|
--- a/hw/core/loader.c
|
|
+++ b/hw/core/loader.c
|
|
@@ -1242,7 +1242,7 @@ int rom_copy(uint8_t *dest, hwaddr addr, size_t size)
|
|
if (rom->addr + rom->romsize < addr) {
|
|
continue;
|
|
}
|
|
- if (rom->addr > end) {
|
|
+ if (rom->addr > end || rom->addr < addr) {
|
|
break;
|
|
}
|
|
|