From: Igor Mammedov
To: qemu-devel@nongnu.org
Date: Thu, 11 Apr 2019 13:28:18 +0200
Message-Id: <1554982098-336210-1-git-send-email-imammedo@redhat.com>
Subject: [Qemu-devel] [PATCH for-4.1] roms: assert if max rom size is less than the used size
Cc: peter.maydell@linaro.org, mst@redhat.com, richard.henderson@linaro.org, stefanha@redhat.com, pbonzini@redhat.com

It would ensure that we would notice an attempt to write beyond the
allocated buffer. In the case of a MemoryRegion-backed ROM it's the host
buffer, and the guest RAM otherwise.

The assert can be triggered with:
  dd if=/dev/zero of=/tmp/blob bs=63k count=1
  qemu-system-x86_64 `for i in {1..33}; do echo -n " -acpitable /tmp/blob"; done`

Fixes: (a1666142db acpi-build: make ROMs RAM blocks resizeable)
Reported-by: Wei Yang
Signed-off-by: Igor Mammedov
Reviewed-by: Stefano Garzarella
Tested-by: Stefano Garzarella
---
 hw/core/loader.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/core/loader.c b/hw/core/loader.c
index fe5cb24..a097bbe 100644
--- a/hw/core/loader.c
+++ b/hw/core/loader.c
@@ -1025,6 +1025,7 @@ MemoryRegion *rom_add_blob(const char *name, const vo= id *blob, size_t len, rom->addr =3D addr; rom->romsize =3D max_len ? max_len : len; rom->datasize =3D len; + g_assert(rom->romsize >=3D rom->datasize); rom->data =3D g_malloc0(rom->datasize); memcpy(rom->data, blob, len); rom_insert(rom); --=20 2.7.4
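Review bot: the new g_assert(rom->romsize >= rom->datasize) in rom_add_blob() aborts the whole QEMU process, and the commit message shows it being reached from the command line (33 -acpitable blobs of 63k), so this is a user-reachable abort rather than a purely internal invariant; that is still the better outcome compared with the silent write past the host buffer or into guest RAM that the message describes, but the commit message should say which caller is expected to be fixed so that the -acpitable reproducer stops hitting the assert, since the assert itself only reports the bug. Minor: because romsize falls back to len when max_len is 0, the check only does anything when a non-zero max_len is passed; a one-line comment above the assert such as `/* a caller-provided max_len must cover the blob */` would make that intent clear to future readers.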