qemu-e2k/hw
Peter Maydell 312c496a95 hw/core/loader: In gunzip(), check index is in range before use, not after
The gunzip() function reads various fields from a passed in source
buffer in order to skip a header before passing the actual compressed
data to the zlib inflate() function.  It does check whether the
passed in buffer is too small, but unfortunately it checks that only
after reading bytes from the src buffer, so it could read off the end
of the buffer.

You can see this with valgrind:

 $ printf "%b" '\x1f\x8b' > /tmp/image
 $ valgrind qemu-system-aarch64 -display none -M virt -cpu max -kernel /tmp/image
 [...]
 ==19224== Invalid read of size 1
 ==19224==    at 0x67302E: gunzip (loader.c:558)
 ==19224==    by 0x673907: load_image_gzipped_buffer (loader.c:788)
 ==19224==    by 0xA18032: load_aarch64_image (boot.c:932)
 ==19224==    by 0xA18489: arm_setup_direct_kernel_boot (boot.c:1063)
 ==19224==    by 0xA18D90: arm_load_kernel (boot.c:1317)
 ==19224==    by 0x9F3651: machvirt_init (virt.c:2114)
 ==19224==    by 0x794B7A: machine_run_board_init (machine.c:1272)
 ==19224==    by 0xD5CAD3: qemu_init_board (vl.c:2618)
 ==19224==    by 0xD5CCA6: qmp_x_exit_preconfig (vl.c:2692)
 ==19224==    by 0xD5F32E: qemu_init (vl.c:3713)
 ==19224==    by 0x5ADDB1: main (main.c:49)
 ==19224==  Address 0x3802a873 is 0 bytes after a block of size 3 alloc'd
 ==19224==    at 0x4C31B0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
 ==19224==    by 0x61E7657: g_file_get_contents (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.5600.4)
 ==19224==    by 0x673895: load_image_gzipped_buffer (loader.c:771)
 ==19224==    by 0xA18032: load_aarch64_image (boot.c:932)
 ==19224==    by 0xA18489: arm_setup_direct_kernel_boot (boot.c:1063)
 ==19224==    by 0xA18D90: arm_load_kernel (boot.c:1317)
 ==19224==    by 0x9F3651: machvirt_init (virt.c:2114)
 ==19224==    by 0x794B7A: machine_run_board_init (machine.c:1272)
 ==19224==    by 0xD5CAD3: qemu_init_board (vl.c:2618)
 ==19224==    by 0xD5CCA6: qmp_x_exit_preconfig (vl.c:2692)
 ==19224==    by 0xD5F32E: qemu_init (vl.c:3713)
 ==19224==    by 0x5ADDB1: main (main.c:49)

Check that we have enough bytes of data to read the header bytes that
we read before we read them.

Fixes: Coverity 1458997
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20210812141803.20913-1-peter.maydell@linaro.org
2021-08-26 17:02:00 +01:00
..
9pfs 9pfs: reduce latency of Twalk 2021-07-05 13:03:16 +02:00
acpi hw/acpi/Kconfig: Add missing Kconfig dependencies (build error) 2021-07-20 15:29:27 +02:00
adc adc: Move the max111x driver to the adc directory 2021-06-17 07:10:32 -05:00
alpha hw/alpha: Provide a PCI-ISA bridge device node 2021-06-28 07:27:32 -07:00
arm hw/arm/Kconfig: no need to enable ACPI_MEMORY_HOTPLUG/ACPI_NVDIMM explicitly 2021-08-26 17:01:59 +01:00
audio hw/audio/adlib: Remove unused variable in adlib_callback 2021-07-26 07:07:07 -10:00
avr
block pc,pci,virtio: bugfixes, improvements 2021-07-09 14:30:01 +01:00
char hw/char/pl011: add support for sending break 2021-08-25 10:48:50 +01:00
core hw/core/loader: In gunzip(), check index is in range before use, not after 2021-08-26 17:02:00 +01:00
cpu
cris
display hw/display: fix virgl reset regression 2021-07-22 15:46:54 +02:00
dma hw/dma/xlnx-zdma Always expect 'dma' link property to be set 2021-08-26 17:01:59 +01:00
gpio hw: aspeed_gpio: Fix memory size 2021-07-27 11:00:00 +01:00
hppa
hyperv vmbus: Don't make QOM property registration conditional 2021-07-06 18:04:38 -04:00
i2c i2c/smbus_eeprom: Add feature bit to SPD data 2021-07-29 10:59:49 +10:00
i386 arch_init.h: Don't include arch_init.h unnecessarily 2021-08-26 17:02:00 +01:00
ide hw/ide/Kconfig: Add missing dependency PCI -> IDE_QDEV 2021-07-20 15:30:42 +02:00
input Some qemu updates for IPMI and I2C 2021-07-11 14:32:49 +01:00
intc hw/intc/armv7m_nvic: for v8.1M VECTPENDING hides S exceptions from NS 2021-07-27 10:57:39 +01:00
ipack
ipmi ipmi/sim: fix watchdog_expired data type error in IPMIBmcSim struct 2021-07-08 14:15:01 -05:00
isa hw/isa/vt82c686: Add missing Kconfig dependency (runtime error) 2021-07-20 20:10:20 +02:00
m68k bitops.h: revert db1ffc32dd ("qemu/bitops.h: add bitrev8 implementation") 2021-07-26 06:56:41 -10:00
mem
microblaze
mips arch_init.h: Don't include arch_init.h unnecessarily 2021-08-26 17:02:00 +01:00
misc Some qemu updates for IPMI and I2C 2021-07-11 14:32:49 +01:00
net hw/net: e1000e: Don't zero out the VLAN tag in the legacy RX descriptor 2021-08-02 12:19:18 +08:00
nios2
nubus
nvme hw/nvme: fix missing variable initializers 2021-08-09 12:52:16 +02:00
nvram
openrisc
pci hw/pci: Add pci_bus_range() to get PCI bus number range 2021-07-16 11:10:45 -04:00
pci-bridge hw/pcie-root-port: Fix hotplug for PCI devices requiring IO 2021-08-03 16:31:07 -04:00
pci-host Revert "acpi/gpex: Inform os to keep firmware resource map" 2021-08-03 16:32:34 -04:00
pcmcia
ppc arch_init.h: Don't include arch_init.h unnecessarily 2021-08-26 17:02:00 +01:00
rdma pvrdma: Fix the ring init error flow (CVE-2021-3608) 2021-07-04 22:47:51 +03:00
remote remote/memory: Replace share parameter with ram_flags 2021-07-20 15:34:20 -04:00
riscv arch_init.h: Don't include arch_init.h unnecessarily 2021-08-26 17:02:00 +01:00
rtc
rx
s390x s390x updates: 2021-07-12 19:15:11 +01:00
scsi virtio: Clarify MR transaction optimization 2021-07-02 11:13:39 -04:00
sd hw/sd/sdcard: Fix assertion accessing out-of-range addresses with CMD30 2021-08-03 19:34:51 +02:00
sensor hw/misc: add MAX34451 device 2021-07-08 14:42:00 -05:00
sh4
smbios
sparc hw/block/fdc: Extract SysBus floppy controllers to fdc-sysbus.c 2021-06-25 08:53:28 -04:00
sparc64 hw/block/fdc: Extract ISA floppy controllers to fdc-isa.c 2021-06-25 08:53:28 -04:00
ssi
timer hw/timer: Initial commit of Ibex Timer 2021-06-24 05:00:12 -07:00
tpm
tricore hw/tricore: fix inclusion of tricore_testboard 2021-07-20 20:10:21 +02:00
usb chardev: mark explicitly first argument as poisoned 2021-08-05 16:15:33 +04:00
vfio vfio/pci: Add pba_offset PCI quirk for BAIDU KUNLUN AI processor 2021-07-14 13:47:17 -06:00
virtio chardev: mark explicitly first argument as poisoned 2021-08-05 16:15:33 +04:00
watchdog
xen
xenpv
xtensa
Kconfig sensor: Move hardware sensors from misc to a sensor directory 2021-06-17 07:10:32 -05:00
meson.build sensor: Move hardware sensors from misc to a sensor directory 2021-06-17 07:10:32 -05:00