1. Patchew
  2. QEMU
  3. [PULL 0/5] qtest and misc patches
  4. View patch

[PULL 4/5] hw/core/loader: Fix possible crash in rom_copy()

Thomas Huth posted 5 patches 6 years, 1 month ago
Maintainers: Thomas Huth <thuth@redhat.com>, John Snow <jsnow@redhat.com>, Laurent Vivier <lvivier@redhat.com>, Gerd Hoffmann <kraxel@redhat.com>, Thomas Huth <huth@tuxfamily.org>, Paolo Bonzini <pbonzini@redhat.com>
There is a newer version of this series
[PULL 4/5] hw/core/loader: Fix possible crash in rom_copy()
Posted by Thomas Huth 6 years, 1 month ago 
Both, "rom->addr" and "addr" are derived from the binary image
that can be loaded with the "-kernel" paramer. The code in
rom_copy() then calculates:

    d = dest + (rom->addr - addr);

and uses "d" as destination in a memcpy() some lines later. Now with
bad kernel images, it is possible that rom->addr is smaller than addr,
thus "rom->addr - addr" gets negative and the memcpy() then tries to
copy contents from the image to a bad memory location. This could
maybe be used to inject code from a kernel image into the QEMU binary,
so we better fix it with an additional sanity check here.

Cc: qemu-stable@nongnu.org
Reported-by: Guangming Liu
Buglink: https://bugs.launchpad.net/qemu/+bug/1844635
Message-Id: <20190925130331.27825-1-thuth@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
---
 hw/core/loader.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/core/loader.c b/hw/core/loader.c
index 0d60219364..5099f27dc8 100644
--- a/hw/core/loader.c
+++ b/hw/core/loader.c
@@ -1281,7 +1281,7 @@ int rom_copy(uint8_t *dest, hwaddr addr, size_t size)
         if (rom->addr + rom->romsize < addr) {
             continue;
         }
-        if (rom->addr > end) {
+        if (rom->addr > end || rom->addr < addr) {
             break;
         }
 
-- 
2.18.1

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.