Re: [Qemu-stable] [Qemu-devel] [PATCH] cadence_uart: bounds check write offset

From: Peter Maydell
Subject: Re: [Qemu-stable] [Qemu-devel] [PATCH] cadence_uart: bounds check write offset
Date: Tue, 19 Apr 2016 11:15:07 +0100
On 18 April 2016 at 21:50, Alistair Francis <address@hidden> wrote:
> On Mon, Apr 18, 2016 at 3:10 AM, Peter Maydell <address@hidden> wrote:
>> CCing the maintainers for this device...
>>
>> On 18 April 2016 at 11:07, Michael S. Tsirkin <address@hidden> wrote:
>>> cadence_uart_init() initializes an I/O memory region of size 0x1000
>>> bytes. However in uart_write(), the 'offset' parameter (offset within
>>> region) is divided by 4 and then used to index the array 'r' of size
>>> CADENCE_UART_R_MAX which is much smaller: (0x48/4). If 'offset>>=2'
>>> exceeds CADENCE_UART_R_MAX, this will cause an out-of-bounds memory
>>> write where the offset and the value are controlled by guest.
>>>
>>> This will corrupt QEMU memory, in most situations this causes the vm to
>>> crash.
>>>
>>> Fix by checking the offset against the array size.
>>>
>>> Reported-by: 李强 <address@hidden>
>>> Signed-off-by: Michael S. Tsirkin <address@hidden>
>
> Good catch.
>
> Reviewed-by: Alistair Francis <address@hidden>
Applied to master, thanks (so this will be in rc3). I added
a Cc: address@hidden tag too.
-- PMM
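Added illustration of the bug class described in the quoted commit message (not code from the patch, the thread, or QEMU). It models a register file of CADENCE_UART_R_MAX = 0x48/4 entries behind a 0x1000-byte MMIO region, as the message states, and places the unchecked index computation (offset >> 2, no range check) beside a write that validates the guest-controlled offset first. The type and function names, the canary field and the sample value are assumptions made for this example; only the two sizes come from the page. To keep the example free of undefined behaviour, the unchecked path models only the first out-of-bounds word instead of actually writing past the array.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Numbers taken from the commit message: the MMIO region is 0x1000 bytes
 * and the register array has 0x48/4 entries. Everything else (type and
 * function names, the canary) is this example's own, not QEMU's code. */
#define UART_REGION_SIZE   0x1000u
#define CADENCE_UART_R_MAX (0x48 / 4)      /* 18 registers */
#define CANARY             0xdeadbeefu

typedef uint64_t hwaddr;

typedef struct {
    uint32_t r[CADENCE_UART_R_MAX];
    uint32_t canary;  /* first word after r[]; an OOB write at index 18 lands here */
} uart_state;

static void uart_init(uart_state *s)
{
    memset(s->r, 0, sizeof s->r);
    s->canary = CANARY;
}

/* Unchecked pattern the patch fixes: index = offset >> 2, no range check.
 * A real device model stores straight through r[idx]; here only the first
 * out-of-bounds word (the canary) is modelled and anything beyond is dropped
 * so the example itself stays well-defined. */
static void uart_write_unchecked(uart_state *s, hwaddr offset, uint32_t value)
{
    size_t idx = offset >> 2;
    if (idx < CADENCE_UART_R_MAX) {
        s->r[idx] = value;
    } else if (idx == CADENCE_UART_R_MAX) {
        s->canary = value;       /* memory corruption: neighbour overwritten */
    }
}

/* Hardened write: validate the guest-controlled offset before indexing.
 * Returns true if the write was stored, false if it was rejected. */
static bool uart_write_checked(uart_state *s, hwaddr offset, uint32_t value)
{
    size_t idx = offset >> 2;
    if (offset >= UART_REGION_SIZE || idx >= CADENCE_UART_R_MAX) {
        return false;
    }
    s->r[idx] = value;
    return true;
}

/* Sweep every byte offset a guest can present inside the 0x1000-byte region
 * and count how many the bounds check rejects (4096 - 72 = 4024). */
static unsigned count_rejected_offsets(void)
{
    uart_state s;
    unsigned rejected = 0;
    uart_init(&s);
    for (hwaddr off = 0; off < UART_REGION_SIZE; off++) {
        if (!uart_write_checked(&s, off, 0x41414141u)) {
            rejected++;
        }
    }
    return rejected;
}

/* True if a write at 'offset' through the unchecked path escapes r[]. */
static bool unchecked_write_corrupts(hwaddr offset)
{
    uart_state s;
    uart_init(&s);
    uart_write_unchecked(&s, offset, 0x41414141u);
    return s.canary != CANARY;
}

/* True if a write at 'offset' through the checked path leaves the
 * neighbour intact; also reports whether the write was accepted. */
static bool checked_write_is_safe(hwaddr offset, bool *accepted)
{
    uart_state s;
    uart_init(&s);
    *accepted = uart_write_checked(&s, offset, 0x41414141u);
    return s.canary == CANARY;
}

int main(void)
{
    bool accepted;
    printf("offsets rejected by the check: %u of %u\n",
           count_rejected_offsets(), UART_REGION_SIZE);
    printf("unchecked write at 0x48 corrupts neighbour: %s\n",
           unchecked_write_corrupts(0x48) ? "yes" : "no");
    printf("checked write at 0x48 safe: %s, accepted: %s\n",
           checked_write_is_safe(0x48, &accepted) ? "yes" : "no",
           accepted ? "yes" : "no");
    return 0;
}
```

The point of the sweep is that the valid window is tiny (72 of 4096 byte offsets); every other offset a guest can put on the bus would otherwise index past r[], with both the index and the stored value under guest control.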