From: Paolo Bonzini
To: qemu-devel@nongnu.org
Cc: linzhecheng
Date: Fri, 6 Apr 2018 19:11:15 +0200
Message-Id: <1523034681-33787-15-git-send-email-pbonzini@redhat.com>
In-Reply-To: <1523034681-33787-1-git-send-email-pbonzini@redhat.com>
References: <1523034681-33787-1-git-send-email-pbonzini@redhat.com>
Subject: [Qemu-devel] [PULL 14/20] virtio-serial: fix heap overflow

From: linzhecheng

Check that the device has the VIRTIO_CONSOLE_F_EMERG_WRITE feature before
getting config->emerg_wr. It is necessary because sizeof(virtio_console_config)
is 8 bytes if VirtIOSerial doesn't have the VIRTIO_CONSOLE_F_EMERG_WRITE
feature (see virtio_serial_device_realize), so reading/writing emerg_wr will
lead to a heap overflow.

Signed-off-by: linzhecheng
Message-Id: <20180328133435.20112-1-linzhecheng@huawei.com>
Signed-off-by: Paolo Bonzini
---
 hw/char/virtio-serial-bus.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/hw/char/virtio-serial-bus.c b/hw/char/virtio-serial-bus.c
index 9470bd7..d2dd8ab 100644
--- a/hw/char/virtio-serial-bus.c
+++ b/hw/char/virtio-serial-bus.c
@@ -580,13 +580,16 @@ static void set_config(VirtIODevice *vdev, const uint= 8_t *config_data) VirtIOSerial *vser =3D VIRTIO_SERIAL(vdev); struct virtio_console_config *config =3D (struct virtio_console_config *)config_data; - uint8_t emerg_wr_lo =3D le32_to_cpu(config->emerg_wr); VirtIOSerialPort *port =3D find_first_connected_console(vser); VirtIOSerialPortClass *vsc; + uint8_t emerg_wr_lo; =20 - if (!config->emerg_wr) { + if (!virtio_has_feature(vser->host_features, + VIRTIO_CONSOLE_F_EMERG_WRITE) || !config->emerg_wr) { return; } + + emerg_wr_lo =3D le32_to_cpu(config->emerg_wr); /* Make sure we don't misdetect an emergency write when the guest * does a short config write after an emergency write. */ config->emerg_wr =3D 0; --=20 1.8.3.1
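Review bot: the new guard relies on `||` short-circuiting so that `config->emerg_wr` is only read after `virtio_has_feature(vser->host_features, VIRTIO_CONSOLE_F_EMERG_WRITE)` has passed; that operand order is load-bearing (swapping the two operands would bring back the out-of-bounds read the commit message describes), so it deserves a one-line comment above the `if`, for example `/* emerg_wr is only part of the config space when the feature is offered */`. Moving `emerg_wr_lo = le32_to_cpu(config->emerg_wr);` below the check is the right fix, since the old initializer read the field before any test ran. Two smaller points: `emerg_wr_lo` is a `uint8_t` receiving a 32-bit value, so the truncation to the low byte should be written as an explicit cast to match the `_lo` name; and testing `host_features` rather than the guest-negotiated features is correct here because, per the commit message, the config size is fixed in `virtio_serial_device_realize` from what the host offers.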
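An added illustration (not QEMU code and not from the patch author) of the reasoning in the commit message: with the virtio_console_config layout from the virtio spec, emerg_wr starts at offset 8, which is exactly the config size without VIRTIO_CONSOLE_F_EMERG_WRITE, so the old unconditional read went four bytes past the buffer. console_config_size, set_config_emerg_wr and demo are assumed names that model the realize-time sizing and the patched set_config, with an extra length check the patch itself does not carry.

```c
#include <stddef.h>
#include <stdint.h>

struct virtio_console_config {   /* field layout from the virtio spec */
    uint16_t cols;
    uint16_t rows;
    uint32_t max_nr_ports;
    uint32_t emerg_wr;   /* exists only with VIRTIO_CONSOLE_F_EMERG_WRITE */
};

#define VIRTIO_CONSOLE_F_EMERG_WRITE 2   /* bit number from the virtio spec */

static int virtio_has_feature(uint64_t f, unsigned bit) { return (f >> bit) & 1; }

/* Config size fixed at realize time, modelled on the commit message: 12 with
 * the feature, 8 without (so emerg_wr starts exactly at the end of the buffer). */
size_t console_config_size(uint64_t host_features)
{
    return virtio_has_feature(host_features, VIRTIO_CONSOLE_F_EMERG_WRITE)
           ? sizeof(struct virtio_console_config)
           : offsetof(struct virtio_console_config, emerg_wr);
}

/* Feature-gated read as in the patch, plus an explicit length check. Returns -1
 * when the write is ignored, else the low byte of emerg_wr (emerg_wr_lo). */
int set_config_emerg_wr(uint64_t host_features, uint8_t *config_data, size_t config_len)
{
    size_t off = offsetof(struct virtio_console_config, emerg_wr);
    uint8_t *p = config_data + off;
    uint32_t emerg_wr;
    if (!virtio_has_feature(host_features, VIRTIO_CONSOLE_F_EMERG_WRITE) ||
        config_len < off + sizeof(emerg_wr)) {
        return -1;   /* field is not part of this device's config space */
    }
    emerg_wr = (uint32_t)p[0] | (uint32_t)p[1] << 8 |     /* le32_to_cpu */
               (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    if (emerg_wr == 0) {
        return -1;
    }
    p[0] = p[1] = p[2] = p[3] = 0;   /* clear after consuming, as the patch does */
    return (uint8_t)emerg_wr;
}

/* Constructed input: buffer sized by console_config_size(); bytes 8..11, when present, hold 0x0141. */
int demo(uint64_t host_features)
{
    uint8_t cfg[12] = {0, 0, 0, 0, 0, 0, 0, 0, 0x41, 0x01, 0, 0};
    return set_config_emerg_wr(host_features, cfg, console_config_size(host_features));
}
```

Without the feature the 8-byte buffer ends where emerg_wr would begin, so the guarded path returns -1 without touching it; with the feature the 12-byte buffer yields the low byte 0x41.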