|
 |
4a2fec |
From 0df9f346cb7d66701c79cb6fa1b187aa603d659b Mon Sep 17 00:00:00 2001
|
|
|
4a2fec |
From: Marcel Apfelbaum <marcel@redhat.com>
|
|
|
4a2fec |
Date: Mon, 15 Jan 2018 10:06:42 +0100
|
|
|
4a2fec |
Subject: [PATCH 09/12] fw_cfg: fix memory corruption when all fw_cfg slots are
|
|
|
4a2fec |
used
|
|
|
4a2fec |
MIME-Version: 1.0
|
|
|
4a2fec |
Content-Type: text/plain; charset=UTF-8
|
|
|
4a2fec |
Content-Transfer-Encoding: 8bit
|
|
|
4a2fec |
|
|
|
4a2fec |
RH-Author: Marcel Apfelbaum <marcel@redhat.com>
|
|
|
4a2fec |
Message-id: <20180115100642.64493-1-marcel@redhat.com>
|
|
|
4a2fec |
Patchwork-id: 78571
|
|
|
4a2fec |
O-Subject: [RHEL-7.5 qemu-kvm-rhev PATCH] fw_cfg: fix memory corruption when all fw_cfg slots are used
|
|
|
4a2fec |
Bugzilla: 1462145
|
|
|
4a2fec |
RH-Acked-by: Marc-André Lureau <mlureau@redhat.com>
|
|
|
4a2fec |
RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
|
|
|
4a2fec |
RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
|
4a2fec |
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
|
|
|
4a2fec |
|
|
|
4a2fec |
When all the fw_cfg slots are used, a write is made outside the
|
|
|
4a2fec |
bounds of the fw_cfg files array as part of the sort algorithm.
|
|
|
4a2fec |
|
|
|
4a2fec |
Fix it by avoiding an unnecessary array element move.
|
|
|
4a2fec |
Fix also an assert while at it.
|
|
|
4a2fec |
|
|
|
4a2fec |
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
|
|
|
4a2fec |
Message-Id: <20180108215007.46471-1-marcel@redhat.com>
|
|
|
4a2fec |
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
|
|
|
4a2fec |
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
|
|
|
4a2fec |
(cherry picked from commit 45eda6c8eb45107630da670bc993074cf85ef64c)
|
|
|
4a2fec |
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
|
|
|
4a2fec |
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
|
4a2fec |
---
|
|
|
4a2fec |
hw/nvram/fw_cfg.c | 6 ++++--
|
|
|
4a2fec |
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
|
4a2fec |
|
|
|
4a2fec |
diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
|
|
|
4a2fec |
index 753ac0e..4313484 100644
|
|
|
4a2fec |
--- a/hw/nvram/fw_cfg.c
|
|
|
4a2fec |
+++ b/hw/nvram/fw_cfg.c
|
|
|
4a2fec |
@@ -784,7 +784,7 @@ void fw_cfg_add_file_callback(FWCfgState *s, const char *filename,
|
|
|
4a2fec |
* index and "i - 1" is the one being copied from, thus the
|
|
|
4a2fec |
* unusual start and end in the for statement.
|
|
|
4a2fec |
*/
|
|
|
4a2fec |
- for (i = count + 1; i > index; i--) {
|
|
|
4a2fec |
+ for (i = count; i > index; i--) {
|
|
|
4a2fec |
s->files->f[i] = s->files->f[i - 1];
|
|
|
4a2fec |
s->files->f[i].select = cpu_to_be16(FW_CFG_FILE_FIRST + i);
|
|
|
4a2fec |
s->entries[0][FW_CFG_FILE_FIRST + i] =
|
|
|
4a2fec |
@@ -833,7 +833,6 @@ void *fw_cfg_modify_file(FWCfgState *s, const char *filename,
|
|
|
4a2fec |
assert(s->files);
|
|
|
4a2fec |
|
|
|
4a2fec |
index = be32_to_cpu(s->files->count);
|
|
|
4a2fec |
- assert(index < fw_cfg_file_slots(s));
|
|
|
4a2fec |
|
|
|
4a2fec |
for (i = 0; i < index; i++) {
|
|
|
4a2fec |
if (strcmp(filename, s->files->f[i].name) == 0) {
|
|
|
4a2fec |
@@ -843,6 +842,9 @@ void *fw_cfg_modify_file(FWCfgState *s, const char *filename,
|
|
|
4a2fec |
return ptr;
|
|
|
4a2fec |
}
|
|
|
4a2fec |
}
|
|
|
4a2fec |
+
|
|
|
4a2fec |
+ assert(index < fw_cfg_file_slots(s));
|
|
|
4a2fec |
+
|
|
|
4a2fec |
/* add new one */
|
|
|
4a2fec |
fw_cfg_add_file_callback(s, filename, NULL, NULL, NULL, data, len, true);
|
|
|
4a2fec |
return NULL;
|
|
|
4a2fec |
--
|
|
|
4a2fec |
1.8.3.1
|
|
|
4a2fec |
|