[Qemu-devel] [PATCH] m25p80: prevent buffer overflow during erasing

Aleksey Kuleshov posted 1 patch 6 years, 2 months ago
Patches applied successfully
git fetch https://github.com/patchew-project/qemu tags/patchew/4692971516029191@web59g.yandex.ru
Test checkpatch passed
Test docker passed
Test ppc passed
Test s390x passed
hw/block/m25p80.c | 10 ++++++++++
1 file changed, 10 insertions(+)
Posted by Aleksey Kuleshov 6 years, 2 months ago
memset is not checked, so it's possible to go beyond the storage.
Add checks and truncate requested length.

Signed-off-by: Aleksey Kuleshov <rndfax@yandex.ru>
---
 hw/block/m25p80.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/hw/block/m25p80.c b/hw/block/m25p80.c
index ea142160b3..18ec501912 100644
--- a/hw/block/m25p80.c
+++ b/hw/block/m25p80.c
@@ -539,6 +539,8 @@ static void flash_erase(Flash *s, int offset, FlashCMD cmd)
     uint32_t len;
     uint8_t capa_to_assert = 0;
 
+    assert(0 <= offset && offset < s->size);
+
     switch (cmd) {
     case ERASE_4K:
     case ERASE4_4K:
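Review bot: the assert on offset turns an out-of-range erase address into an abort of the whole emulator, which is the opposite of what the next hunk does for an out-of-range length (qemu_log_mask(LOG_GUEST_ERROR) and carry on). If offset reaches flash_erase() from the address bytes of the guest's erase command rather than from a value already masked to the flash size, prefer the same treatment here: log with LOG_GUEST_ERROR and return, and keep assert() for invariants the guest cannot influence. If the check stays, keep the `0 <= offset` half first as written, since offset is an int and the comparison against s->size is only safe once the negative case has been excluded.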
@@ -581,6 +583,14 @@ static void flash_erase(Flash *s, int offset, FlashCMD cmd)
         qemu_log_mask(LOG_GUEST_ERROR, "M25P80: erase with write protect!\n");
         return;
     }
+
+    if (offset + len > s->size) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                            "M25P80: trying to erase beyond the flash size! "
+                            "Truncating the length...\n");
+        len = s->size - offset;
+    }
+
     memset(s->storage + offset, 0xff, len);
     flash_sync_area(s, offset, len);
 }
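Review bot: `offset + len > s->size` cannot wrap only because the assert in the previous hunk guarantees 0 <= offset < s->size and len is one of the fixed erase sizes chosen by the switch; if that assert is ever replaced by a log-and-return, `s->size - offset` underflows for offset >= s->size and the memset runs past the end again. Writing the test as `len > s->size - offset` and keeping it paired with the offset bound makes the dependency explicit. The new log line should also include offset and len; the "erase with write protect!" message just above gets away without an address, but here the requested range is the whole point of the diagnostic.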
-- 
2.11.0
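To make the overrun the commit message describes observable, the following is an added example and not code from the patch or from QEMU. The Flash struct, flash_new(), the zeroed guard region after the image, flash_guard_clobbered(), erase_oob_naive(), erase_oob_safe(), flash_erase_unchecked() and flash_erase_checked() are all constructed for this example; only the shape of the erase (a memset of 0xff over offset..offset+len against s->size) follows the patch. It shows the pre-patch erase writing past the flash image, the clipped erase stopping at the end, and why a check of the form `offset + len > size` is only safe when len is known to be small.

```c
/* Added example: a stand-alone model of the m25p80 erase path, not QEMU code.
 * Flash, flash_new() and the guard region are constructed here so the overrun
 * can be observed without undefined behaviour. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint8_t *storage;   /* size + guard bytes; guard models memory past the image */
    uint32_t size;      /* emulated flash size, like s->size in the driver */
    uint32_t guard;     /* bytes of zeroed guard after the image */
} Flash;

/* Allocate a flash of `size` bytes followed by `guard` bytes, all zeroed. */
Flash *flash_new(uint32_t size, uint32_t guard)
{
    Flash *s = calloc(1, sizeof(*s));
    s->storage = calloc(size + guard, 1);
    s->size = size;
    s->guard = guard;
    return s;
}

void flash_free(Flash *s)
{
    free(s->storage);
    free(s);
}

/* Count guard bytes that are no longer zero, i.e. bytes written past the flash. */
uint32_t flash_guard_clobbered(const Flash *s)
{
    uint32_t n = 0;
    for (uint32_t i = 0; i < s->guard; i++) {
        n += s->storage[s->size + i] != 0;
    }
    return n;
}

/* Pre-patch behaviour: offset and len are trusted. Only safe to call here
 * because the guard keeps the write inside the real allocation. */
void flash_erase_unchecked(Flash *s, int offset, uint32_t len)
{
    memset(s->storage + offset, 0xff, len);
}

/* Check in the shape the patch uses. The 32-bit sum wraps for a large len,
 * so it relies on len being one of a few fixed erase sizes. Returns 1 when
 * the range is judged out of bounds. */
int erase_oob_naive(int offset, uint32_t len, uint32_t size)
{
    return (uint32_t)offset + len > size;
}

/* Check that cannot wrap: reject a bad offset first, then compare len with
 * the bytes remaining after it. */
int erase_oob_safe(int offset, uint32_t len, uint32_t size)
{
    if (offset < 0 || (uint32_t)offset >= size) {
        return 1;
    }
    return len > size - (uint32_t)offset;
}

/* Hardened erase: an offset outside the flash is a guest error (logged, not
 * an abort of the emulator) and a length running past the end is clipped.
 * Returns 1 if anything was erased; *erased receives the erased length. */
int flash_erase_checked(Flash *s, int offset, uint32_t len, uint32_t *erased)
{
    *erased = 0;
    if (offset < 0 || (uint32_t)offset >= s->size) {
        fprintf(stderr, "M25P80: erase offset %d outside flash of %" PRIu32
                " bytes\n", offset, s->size);
        return 0;
    }
    uint32_t remaining = s->size - (uint32_t)offset;
    if (len > remaining) {
        fprintf(stderr, "M25P80: erase of %" PRIu32 " bytes at %d runs past "
                "the flash, truncating to %" PRIu32 "\n", len, offset, remaining);
        len = remaining;
    }
    memset(s->storage + offset, 0xff, len);
    *erased = len;
    return 1;
}

int main(void)
{
    /* 64 KiB flash with a 64 KiB guard; a 32 KiB erase 4 KiB before the end
     * spills 28 KiB into the guard when unchecked. */
    Flash *s = flash_new(64 * 1024, 64 * 1024);
    flash_erase_unchecked(s, 64 * 1024 - 4096, 32 * 1024);
    printf("unchecked: %" PRIu32 " guard bytes clobbered\n", flash_guard_clobbered(s));
    flash_free(s);

    s = flash_new(64 * 1024, 64 * 1024);
    uint32_t erased;
    flash_erase_checked(s, 64 * 1024 - 4096, 32 * 1024, &erased);
    printf("checked: erased %" PRIu32 " bytes, %" PRIu32 " guard bytes clobbered\n",
           erased, flash_guard_clobbered(s));
    flash_free(s);
    return 0;
}
```

The guard region stands in for whatever the allocator placed after the flash image in the real process; in the emulator that memory is not zeroed and not yours to overwrite, which is why the unchecked case is a heap overflow rather than a harmless extra erase.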

Re: [Qemu-devel] [PATCH] m25p80: prevent buffer overflow during erasing
Posted by mar.krzeminski 6 years, 2 months ago
On 15.01.2018 at 16:13, Aleksey Kuleshov wrote:
> memset is not checked, so it's possible to go beyond the storage.
> Add checks and truncate requested length.
>
> Signed-off-by: Aleksey Kuleshov <rndfax@yandex.ru>

Acked-by: Marcin Krzemiński <mar.krzeminski@gmail.com>

> ---
>   hw/block/m25p80.c | 10 ++++++++++
>   1 file changed, 10 insertions(+)
>
> diff --git a/hw/block/m25p80.c b/hw/block/m25p80.c
> index ea142160b3..18ec501912 100644
> --- a/hw/block/m25p80.c
> +++ b/hw/block/m25p80.c
> @@ -539,6 +539,8 @@ static void flash_erase(Flash *s, int offset, FlashCMD cmd)
>       uint32_t len;
>       uint8_t capa_to_assert = 0;
>   
> +    assert(0 <= offset && offset < s->size);
> +
>       switch (cmd) {
>       case ERASE_4K:
>       case ERASE4_4K:
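Review bot: the assert runs before the write-protect check at the top of the next hunk, so a write-protected guest that sends an erase with a bad address brings down the emulator instead of getting the existing "erase with write protect!" log and a refused erase. Handling both guest errors the same way (log with LOG_GUEST_ERROR, return) keeps the order of the checks from mattering.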
> @@ -581,6 +583,14 @@ static void flash_erase(Flash *s, int offset, FlashCMD cmd)
>           qemu_log_mask(LOG_GUEST_ERROR, "M25P80: erase with write protect!\n");
>           return;
>       }
> +
> +    if (offset + len > s->size) {
> +        qemu_log_mask(LOG_GUEST_ERROR,
> +                            "M25P80: trying to erase beyond the flash size! "
> +                            "Truncating the length...\n");
> +        len = s->size - offset;
> +    }
> +
>       memset(s->storage + offset, 0xff, len);
>       flash_sync_area(s, offset, len);
>   }
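Review bot: the clipped len is also passed to flash_sync_area(), which is right, but the two error paths in this hunk behave differently without saying so: the write-protect case returns without touching storage, while the out-of-range case proceeds with a partial erase. A one-line comment stating that clipping to the end of the flash is the intended behaviour (rather than rejecting the erase outright) would stop a later reader from "fixing" one path to match the other.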