From 590fe5722b522e492a9c78adadae4def35b137dd Mon Sep 17 00:00:00 2001 From: Cornelia Huck Date: Fri, 20 Mar 2015 13:08:36 +0100 Subject: virtio-ccw: fix range check for SET_VQ VIRTIO_PCI_QUEUE_MAX is already too big; a malicious guest would be able to trigger a write beyond the VirtQueue structure. Cc: qemu-stable@nongnu.org Reviewed-by: David Hildenbrand Acked-by: Christian Borntraeger Signed-off-by: Cornelia Huck --- hw/s390x/virtio-ccw.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/s390x/virtio-ccw.c b/hw/s390x/virtio-ccw.c index 130535c..ceb6a45 100644 --- a/hw/s390x/virtio-ccw.c +++ b/hw/s390x/virtio-ccw.c @@ -266,7 +266,7 @@ static int virtio_ccw_set_vqs(SubchDev *sch, uint64_t addr, uint32_t align, { VirtIODevice *vdev = virtio_ccw_get_vdev(sch); - if (index > VIRTIO_PCI_QUEUE_MAX) { + if (index >= VIRTIO_PCI_QUEUE_MAX) { return -EINVAL; } -- cgit v1.1 From d03a363054f1cc58d4e6653ff09fbbe8121a0302 Mon Sep 17 00:00:00 2001 From: Cornelia Huck Date: Fri, 20 Mar 2015 13:16:20 +0100 Subject: virtio-ccw: range check in READ_VQ_CONF Processing for READ_VQ_CONF needs to check whether the requested queue value is actually in the supported range and post a channel program check if not. Cc: qemu-stable@nongnu.org Reviewed-by: David Hildenbrand Acked-by: Christian Borntraeger Signed-off-by: Cornelia Huck --- hw/s390x/virtio-ccw.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hw/s390x/virtio-ccw.c b/hw/s390x/virtio-ccw.c index ceb6a45..d32ecaf 100644 --- a/hw/s390x/virtio-ccw.c +++ b/hw/s390x/virtio-ccw.c @@ -549,6 +549,10 @@ static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw) ret = -EFAULT; } else { vq_config.index = lduw_be_phys(&address_space_memory, ccw.cda); + if (vq_config.index >= VIRTIO_PCI_QUEUE_MAX) { + ret = -EINVAL; + break; + } vq_config.num_max = virtio_queue_get_num(vdev, vq_config.index); stw_be_phys(&address_space_memory, -- cgit v1.1 From f65025caab916aa8a5b8de270a59078e0b6e2866 Mon Sep 17 00:00:00 2001 
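Review bot: The corrected bound on the `if (index >= VIRTIO_PCI_QUEUE_MAX)` line is right, but nothing in the code says why `VIRTIO_PCI_QUEUE_MAX` is the limit, so the off-by-one this commit fixes can easily be reintroduced by the next reader who sees a `>` elsewhere. I would put the reason on the check itself: `/* index selects a slot in the VIRTIO_PCI_QUEUE_MAX-sized VirtQueue array; >= MAX would write past it */`. Note that this only bounds the index against the array size, not against the number of queues the device actually configured; whether setting the address of an unused queue slot is harmless depends on what virtio_ccw_set_vqs does after the check, which is outside the hunk, and if it is not, `if (virtio_queue_get_num(vdev, index) == 0) return -EINVAL;` would be the next guard to add. virtio_ccw_set_vqs's body continues past the end of the hunk.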
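Review bot: The new `if (vq_config.index >= VIRTIO_PCI_QUEUE_MAX)` guard is now the second copy of the same bound in this file (virtio_ccw_set_vqs carries the other), and `ret = -EINVAL; break;` does not by itself show that this is the "channel program check" the commit message promises, since that mapping happens in the caller outside the hunk. I would document the intent where the guest value is read, e.g. `/* index is guest-supplied; an out-of-range value yields -EINVAL (reported as a channel program check) */`, and consider a small `static inline bool virtio_ccw_vq_index_valid(uint16_t index) { return index < VIRTIO_PCI_QUEUE_MAX; }` helper so the two checks cannot drift apart again. `virtio_queue_get_num()` may presumably return 0 for an in-range but unconfigured queue, which is then what the guest reads back as num_max; that looks intended but is worth confirming. virtio_ccw_cb starts and ends outside this hunk.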
From: Paolo Bonzini Date: Wed, 25 Mar 2015 15:56:29 +0100 Subject: s390x: do not include ram_addr.h ram_addr.h is an internal interface and it is not needed anyway by hw/s390x/ipl.c. Cc: Christian Borntraeger Reviewed-by: Thomas Huth Signed-off-by: Paolo Bonzini Message-Id: <1427295389-5054-1-git-send-email-pbonzini@redhat.com> Signed-off-by: Christian Borntraeger Signed-off-by: Cornelia Huck --- hw/s390x/ipl.c | 1 - 1 file changed, 1 deletion(-) diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c index 54d0835..5c86613 100644 --- a/hw/s390x/ipl.c +++ b/hw/s390x/ipl.c @@ -14,7 +14,6 @@ #include "sysemu/sysemu.h" #include "cpu.h" #include "elf.h" -#include "exec/ram_addr.h" #include "hw/loader.h" #include "hw/sysbus.h" #include "hw/s390x/virtio-ccw.h" -- cgit v1.1 From fa92e218df1d7fcc01e1e5d8bbd77acdaf53c18b Mon Sep 17 00:00:00 2001 From: Cornelia Huck Date: Thu, 26 Mar 2015 10:41:45 +0100 Subject: s390x/ipl: avoid sign extension Make s390_update_iplstate() return uint32_t to avoid sign extensions for cssids > 127. While this doesn't matter in practice yet (as nobody supports MCSS-E and thus won't see the real cssid), play safe. Reported-by: Paolo Bonzini Reviewed-by: Jason J. Herne Signed-off-by: Cornelia Huck --- hw/s390x/ipl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c index 5c86613..2e26d2a 100644 --- a/hw/s390x/ipl.c +++ b/hw/s390x/ipl.c @@ -218,7 +218,7 @@ static Property s390_ipl_properties[] = { * - -1 if no valid boot device was found * - ccw id of the boot device otherwise */ -static uint64_t s390_update_iplstate(CPUS390XState *env, S390IPLState *ipl) +static uint32_t s390_update_iplstate(CPUS390XState *env, S390IPLState *ipl) { DeviceState *dev_st; -- cgit v1.1
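Review bot: The comment block directly above the changed `static uint32_t s390_update_iplstate(...)` signature still promises `-1 if no valid boot device was found`, but the function now returns an unsigned 32-bit value, so that sentinel is 0xffffffff and a caller that widens the result to a 64-bit variable before comparing with -1 will no longer match it. I would update the comment line to ` * - 0xffffffff ((uint32_t)-1) if no valid boot device was found` and have the callers test against a named constant such as `#define S390_IPL_NO_DEVICE ((uint32_t)-1)`; the callers are not in this hunk, so I cannot confirm how they currently test the sentinel. The function body continues past the end of the hunk.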