OpenE2K
/
qemu-e2k
13
4
Fork 0
Code Issues 4 Pull Requests Projects 2 Releases Activity

kvmvapic: Prevent reading beyond the end of guest RAM 

rom_state_paddr is guest provided (caller address of outw(VAPIC_PORT) +
writen 16-bit value) and can be influenced to point beyond the end of
the host memory backing the guest's RAM. Make sure we do not use this
pointer to actually read beyond the limits.

Reading arbitrary guest bytes is harmless, the guest kernel has to
manage access to this I/O port anyway.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Gleb Natapov <gleb@redhat.com>
This commit is contained in:
Jan Kiszka 2013-09-30 12:35:13 +02:00 committed by Gleb Natapov
parent 2560f19f42
commit 7174e54cf1
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
hw/i386/kvmvapic.c
View File

@ -596,6 +596,9 @@ static int vapic_map_rom_writable(VAPICROMState *s)
section = memory_region_find(as, 0, 1);
/* read ROM size from RAM region */
if (rom_paddr + 2 >= memory_region_size(section.mr)) {
return -1;
}
ram = memory_region_get_ram_ptr(section.mr);
rom_size = ram[rom_paddr + 2] * ROM_BLOCK_SIZE;
if (rom_size == 0) {