From: Dov Murik <dovmurik@linux.ibm.com>
To: qemu-devel@nongnu.org
Cc: Eduardo Habkost, Daniel P. Berrangé, "Michael S. Tsirkin", James Bottomley, Richard Henderson, Philippe Mathieu-Daudé, "Dr. David Alan Gilbert", Dov Murik, Tobin Feldman-Fitzthum, Gerd Hoffmann, Paolo Bonzini
Subject: [PATCH] hw/i386: Improve bounds checking in OVMF table parsing
Date: Mon, 14 Feb 2022 12:08:57 +0000
Message-Id: <20220214120857.1147288-1-dovmurik@linux.ibm.com>

When pc_system_parse_ovmf_flash() parses the optional GUIDed table at the end of the OVMF flash memory area, the table length field is checked for sizes that are too small, but doesn't error on sizes that are too big (bigger than the flash content itself).

Add a check for maximal size of the OVMF table, and add an error report in case the size is invalid.

Signed-off-by: Dov Murik
---
 hw/i386/pc_sysfw_ovmf.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/hw/i386/pc_sysfw_ovmf.c b/hw/i386/pc_sysfw_ovmf.c index f4dd92c588..0663f3f54a 100644 --- a/hw/i386/pc_sysfw_ovmf.c +++ b/hw/i386/pc_sysfw_ovmf.c @@ -24,6 +24,7 @@ */ =20 #include "qemu/osdep.h" +#include "qemu/error-report.h" #include "hw/i386/pc.h" #include "cpu.h" =20 @@ -66,7 +67,13 @@ void pc_system_parse_ovmf_flash(uint8_t *flash_ptr, size= _t flash_size) ptr -=3D sizeof(uint16_t); tot_len =3D le16_to_cpu(*(uint16_t *)ptr) - sizeof(guid) - sizeof(uint= 16_t); =20 - if (tot_len <=3D 0) { + if (tot_len < 0 || tot_len > flash_size - 50) { + error_report("OVMF table has invalid size %d", tot_len); + return; + } + + if (tot_len =3D=3D 0) { + /* no entries in the OVMF table */ return; } =20 base-commit: 48033ad678ae2def43bf0d543a2c4c3d2a93feaf --=20 2.25.1
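Review bot: in the second hunk the new upper bound `tot_len > flash_size - 50` hard-codes the distance from the end of the flash to the length field, and it compares `tot_len` (printed with `%d`, so signed) against the `size_t` expression `flash_size - 50`. The `tot_len < 0` test short-circuits first, so the mixed-sign comparison is not wrong, but it will draw a -Wsign-compare warning and the bare 50 is opaque to the next reader. The quantity the check actually needs is the number of bytes that precede the length field, which the function already has in hand as `ptr - flash_ptr` (`ptr` has just been stepped back over the `uint16_t`), so `if (tot_len < 0 || tot_len > ptr - flash_ptr)` expresses the bound without a magic number and without tying it to the footer layout; failing that, give the 50 a named constant with a comment saying what it counts. A one-line comment on the negative case would also help: the `sizeof` subtractions on the line above are done in unsigned arithmetic, so `tot_len < 0` relies on the wrapped value being truncated into a negative `int`.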
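As an added example (not code from the patch or from QEMU), the parser below applies the two checks the commit message describes, the length must not go negative once its own footer header is subtracted and must not exceed the bytes that precede the length field, to an OVMF-style GUIDed table in a constructed flash image, and then carries the same reasoning into the per-entry walk. The table layout it assumes (entries, a 16-bit total length, a 16-byte footer GUID, then a 32-byte tail), the footer GUID value, the entry format and the helper names `ovmf_parse`, `build_flash`, `ovmf_case_result` and `ovmf_case_entries` are all assumptions made for the example; only the pair of length checks comes from the patch.

```c
/* Added example, not QEMU code: bounds-checked parsing of an OVMF-style GUIDed
 * table at the end of a flash image.  Assumed layout (an assumption, not taken
 * from the patch): [entries...][u16 table_len][16-byte footer GUID][32-byte tail];
 * each entry is [data][u16 entry_len][16-byte GUID], both lengths counting their
 * own length field and GUID. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUID_LEN      16
#define RESET_VEC_LEN 32                            /* assumed tail after the footer GUID */
#define FOOTER_HDR    (GUID_LEN + sizeof(uint16_t)) /* length field + GUID */

/* Constructed footer GUID for this example; not the real OVMF footer GUID. */
static const uint8_t FOOTER_GUID[GUID_LEN] = {
    0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04,
    0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c
};

enum { OVMF_OK = 0, OVMF_NO_FOOTER = 1, OVMF_BAD_LEN = 2 };

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void put_le16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }

/* Parse the table; returns OVMF_* and stores the number of entries found. */
static int ovmf_parse(const uint8_t *flash, size_t flash_size, int *nentries)
{
    *nentries = 0;
    if (flash_size < RESET_VEC_LEN + FOOTER_HDR) return OVMF_NO_FOOTER;
    const uint8_t *ptr = flash + flash_size - RESET_VEC_LEN - GUID_LEN;
    if (memcmp(ptr, FOOTER_GUID, GUID_LEN) != 0) return OVMF_NO_FOOTER;
    ptr -= sizeof(uint16_t);                        /* ptr now at the table length field */

    /* Signed arithmetic, so a length shorter than its own footer goes negative
     * rather than wrapping.  tot_len = bytes of entries preceding the length field. */
    long tot_len = (long)get_le16(ptr) - (long)FOOTER_HDR;
    /* Lower bound: the table must at least cover its own footer.  Upper bound:
     * the entries must fit in the ptr - flash bytes that precede the length
     * field; the unpatched "tot_len <= 0" test alone lets 0xffff through here. */
    if (tot_len < 0 || tot_len > (long)(ptr - flash)) return OVMF_BAD_LEN;
    if (tot_len == 0) return OVMF_OK;               /* empty table */

    /* Walk the entries backwards, checking each entry length against what is
     * still left in the table so a bad entry cannot escape the table either. */
    const uint8_t *start = ptr - tot_len, *end = ptr;
    while (end > start) {
        size_t avail = (size_t)(end - start);
        if (avail < FOOTER_HDR) return OVMF_BAD_LEN;
        uint16_t entry_len = get_le16(end - GUID_LEN - sizeof(uint16_t));
        if (entry_len < FOOTER_HDR || entry_len > avail) return OVMF_BAD_LEN;
        (*nentries)++;
        end -= entry_len;
    }
    return OVMF_OK;
}

/* Build a constructed 4 KiB image holding two entries (8 and 4 data bytes).
 * A nonzero len_override replaces the correct table length so the parser can
 * be fed under- and over-sized lengths. */
static void build_flash(uint8_t *buf, size_t size, uint16_t len_override)
{
    memset(buf, 0xff, size);
    uint8_t *guid = buf + size - RESET_VEC_LEN - GUID_LEN;
    memcpy(guid, FOOTER_GUID, GUID_LEN);
    uint8_t *lenp = guid - sizeof(uint16_t), *end = lenp;
    size_t datalen[2] = { 8, 4 }, total = 0;
    for (int i = 0; i < 2; i++) {
        size_t elen = datalen[i] + FOOTER_HDR;
        end -= elen;
        memset(end, 'A' + i, datalen[i]);                                /* constructed payload */
        put_le16(end + datalen[i], (uint16_t)elen);
        memset(end + datalen[i] + sizeof(uint16_t), 0x10 + i, GUID_LEN); /* constructed entry GUID */
        total += elen;
    }
    put_le16(lenp, len_override ? len_override : (uint16_t)(total + FOOTER_HDR));
}

/* Parse a constructed image whose table length is len_override (0 = correct). */
int ovmf_case_result(uint16_t len_override)
{
    uint8_t flash[4096];
    int n;
    build_flash(flash, sizeof flash, len_override);
    return ovmf_parse(flash, sizeof flash, &n);
}

/* Same, returning the entry count, or -1 when the parser rejects the table. */
int ovmf_case_entries(uint16_t len_override)
{
    uint8_t flash[4096];
    int n;
    build_flash(flash, sizeof flash, len_override);
    return ovmf_parse(flash, sizeof flash, &n) == OVMF_OK ? n : -1;
}

int main(void)
{
    printf("correct length: result %d, entries %d\n", ovmf_case_result(0), ovmf_case_entries(0));
    printf("length 10 (shorter than footer): result %d\n", ovmf_case_result(10));
    printf("length 0xffff (past flash start): result %d\n", ovmf_case_result(0xffff));
    return 0;
}
```

The three cases in `main` correspond to the commit message: a correct length parses two entries, a length smaller than the footer header is rejected by the lower bound the code already had, and 0xffff is rejected by the upper bound the patch adds; without that second test the walk would start 65 KiB before a 4 KiB buffer. Using `ptr - flash` as the bound keeps the check independent of how many bytes sit between the length field and the end of the image.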