diff options
| author | Thomas Huth <thuth@redhat.com> | 2019-09-25 14:16:43 +0200 |
|---|---|---|
| committer | Thomas Huth <thuth@redhat.com> | 2019-10-01 11:42:27 +0200 |
| commit | e423455c4f23a1a828901c78fe6d03b7dde79319 (patch) | |
| tree | 7bb7f8e2f80f94ec823570f507ee030c46b460bb /hw/core/loader.c | |
| parent | cd4fc142074f47fdcc850676a13d29bb3facc100 (diff) | |
| download | qemu-e423455c4f23a1a828901c78fe6d03b7dde79319.zip qemu-e423455c4f23a1a828901c78fe6d03b7dde79319.tar.gz qemu-e423455c4f23a1a828901c78fe6d03b7dde79319.tar.bz2 | |
hw/core/loader: Fix possible crash in rom_copy()
Both, "rom->addr" and "addr" are derived from the binary image
that can be loaded with the "-kernel" paramer. The code in
rom_copy() then calculates:
d = dest + (rom->addr - addr);
and uses "d" as destination in a memcpy() some lines later. Now with
bad kernel images, it is possible that rom->addr is smaller than addr,
thus "rom->addr - addr" gets negative and the memcpy() then tries to
copy contents from the image to a bad memory location. This could
maybe be used to inject code from a kernel image into the QEMU binary,
so we better fix it with an additional sanity check here.
Cc: qemu-stable@nongnu.org
Reported-by: Guangming Liu
Buglink: https://bugs.launchpad.net/qemu/+bug/1844635
Message-Id: <20190925130331.27825-1-thuth@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Diffstat (limited to 'hw/core/loader.c')
| -rw-r--r-- | hw/core/loader.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/hw/core/loader.c b/hw/core/loader.c index 0d60219..5099f27 100644 --- a/hw/core/loader.c +++ b/hw/core/loader.c @@ -1281,7 +1281,7 @@ int rom_copy(uint8_t *dest, hwaddr addr, size_t size) if (rom->addr + rom->romsize < addr) { continue; } - if (rom->addr > end) { + if (rom->addr > end || rom->addr < addr) { break; } |