OpenE2K/qemu-e2k
13
4
Fork 0
Code Issues 4 Pull Requests Projects 2 Releases Activity

ivshmem: validate incoming_posn value from server

Browse Source 
Check incoming_posn to avoid out-of-bounds array accesses if the ivshmem
server on the host sends invalid values.

Cc: Cam Macdonell <cam@cs.ualberta.ca>
Reported-by: Sebastian Krahmer <krahmer@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
[AF: Tighten upper bound check for posn in close_guest_eventfds()]
Cc: qemu-stable@nongnu.org
Signed-off-by: Andreas Färber <afaerber@suse.de>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
This commit is contained in:
Stefan Hajnoczi 2014-09-15 18:40:06 +02:00 committed by Paolo Bonzini
parent a2e9011b41
commit 363ba1c72f
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
hw/misc/ivshmem.c
View File

@ -389,6 +389,9 @@ static void close_guest_eventfds(IVShmemState *s, int posn)
if (!ivshmem_has_feature(s, IVSHMEM_IOEVENTFD)) {
return;
}
if (posn < 0 || posn >= s->nb_peers) {
return;
}
guest_curr_max = s->peers[posn].nb_eventfds;
@ -455,6 +458,11 @@ static void ivshmem_read(void *opaque, const uint8_t *buf, int size)
}
}
if (incoming_posn < -1) {
IVSHMEM_DPRINTF("invalid incoming_posn %ld\n", incoming_posn);
return;
}
/* pick off s->server_chr->msgfd and store it, posn should accompany msg */
tmp_fd = qemu_chr_fe_get_msgfd(s->server_chr);
IVSHMEM_DPRINTF("posn is %ld, fd is %d\n", incoming_posn, tmp_fd);