authorPeter Maydell <peter.maydell@linaro.org>2018-03-22 14:01:29 +0000
committerPeter Maydell <peter.maydell@linaro.org>2018-03-22 14:01:29 +0000
commit211d6260208d079429fd0d447b86ff480d0524ca (patch)
tree155317fe1b35b86355bdac59c006da44fe721df8 /hw
parent99728ba3ec9b8795ff7191ea75a2a8c0329c29a5 (diff)
parente2679395d598bd40770c22a793c0152576ac211f (diff)
Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging
Multiboot patches # gpg: Signature made Wed 21 Mar 2018 14:38:36 GMT # gpg: using RSA key 7F09B272C88F2FD6 # gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>" # Primary key fingerprint: DC3D EB15 9A9A F95D 3D74 56FE 7F09 B272 C88F 2FD6 * remotes/kevin/tags/for-upstream: tests/multiboot: Add .gitignore tests/multiboot: Add tests for the a.out kludge tests/multiboot: Test exit code for every qemu run multiboot: Check validity of mh_header_addr multiboot: Reject kernels exceeding the address space Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'hw')
-rw-r--r--hw/i386/multiboot.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c
index b906426..5bc0a2c 100644
--- a/hw/i386/multiboot.c
+++ b/hw/i386/multiboot.c
@@ -229,6 +229,10 @@ int load_multiboot(FWCfgState *fw_cfg,
error_report("invalid load_addr address");
exit(1);
}
+ if (mh_header_addr - mh_load_addr > i) {
+ error_report("invalid header_addr address");
+ exit(1);
+ }
uint32_t mb_kernel_text_offset = i - (mh_header_addr - mh_load_addr);
uint32_t mb_load_size = 0;
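Review bot: The added guard `if (mh_header_addr - mh_load_addr > i)` is only sound because the check just above it has already rejected `mh_header_addr < mh_load_addr`, so the unsigned subtraction cannot wrap; neither that dependency nor the purpose of the guard is written down. I would add a comment above it such as `/* header_addr - load_addr is the header's offset inside the loaded image; it must not exceed the header's file offset i, or mb_kernel_text_offset below underflows */`. The declaration of `i` is outside the hunk; if it is a signed int, the comparison converts it to unsigned and relies on it being non-negative here, which is worth confirming. The body of load_multiboot starts and ends outside the hunk.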
@@ -247,6 +251,10 @@ int load_multiboot(FWCfgState *fw_cfg,
}
mb_load_size = kernel_file_size - mb_kernel_text_offset;
}
+ if (mb_load_size > UINT32_MAX - mh_load_addr) {
+ error_report("kernel does not fit in address space");
+ exit(1);
+ }
if (mh_bss_end_addr) {
if (mh_bss_end_addr < (mh_load_addr + mb_load_size)) {
error_report("invalid bss_end_addr address");
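Review bot: The overflow check `mb_load_size > UINT32_MAX - mh_load_addr` carries no comment saying which later arithmetic it protects, yet the sum `mh_load_addr + mb_load_size` in the bss_end_addr comparison right below it is wrap-free only because of this check. A comment such as `/* load_addr + load_size must not wrap in 32 bits; mb_load_size may be derived from the file size rather than the header */` would stop a later reordering from silently reintroducing the wrap. The check bounds the image against the 32-bit address space only; whether the load range is also compared with the guest's RAM size is not visible in this hunk. The enclosing function continues past the end of the hunk.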