From af9348b27b8bc0c7033527220e7840f4b3209832 Mon Sep 17 00:00:00 2001 From: Jon Maloy Date: Tue, 6 Oct 2020 18:00:53 -0400 Subject: [PATCH 2/2] hw/core/loader: Fix possible crash in rom_copy() RH-Author: Jon Maloy Message-id: <20201006180053.484822-2-jmaloy@redhat.com> Patchwork-id: 98552 O-Subject: [RHEL-7.9.z qemu-kvm PATCH 1/1] hw/core/loader: Fix possible crash in rom_copy() Bugzilla: 1842923 RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Markus Armbruster RH-Acked-by: Thomas Huth From: Thomas Huth Both, "rom->addr" and "addr" are derived from the binary image that can be loaded with the "-kernel" paramer. The code in rom_copy() then calculates: d = dest + (rom->addr - addr); and uses "d" as destination in a memcpy() some lines later. Now with bad kernel images, it is possible that rom->addr is smaller than addr, thus "rom->addr - addr" gets negative and the memcpy() then tries to copy contents from the image to a bad memory location. This could maybe be used to inject code from a kernel image into the QEMU binary, so we better fix it with an additional sanity check here. Cc: qemu-stable@nongnu.org Reported-by: Guangming Liu Buglink: https://bugs.launchpad.net/qemu/+bug/1844635 Message-Id: <20190925130331.27825-1-thuth@redhat.com> Reviewed-by: Michael S. Tsirkin Signed-off-by: Thomas Huth (cherry picked from commit e423455c4f23a1a828901c78fe6d03b7dde79319) Signed-off-by: Jon Maloy Signed-off-by: Jon Maloy --- hw/core/loader.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/core/loader.c b/hw/core/loader.c index 5a15449407..939d0855cb 100644 --- a/hw/core/loader.c +++ b/hw/core/loader.c @@ -841,7 +841,7 @@ int rom_copy(uint8_t *dest, hwaddr addr, size_t size) if (rom->addr + rom->romsize < addr) { continue; } - if (rom->addr > end) { + if (rom->addr > end || rom->addr < addr) { break; } -- 2.18.2