From: Thomas Huth
Subject: Re: [Qemu-trivial] [Qemu-devel] [PATCH] loader: Check access size when calling rom_ptr() to avoid crashes
Date: Fri, 15 Jun 2018 10:33:42 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0

On 15.06.2018 08:58, Thomas Huth wrote:
> The rom_ptr() function allows direct access to the ROM blobs that we
> load during startup. However, there are currently no checks for the
> size of the accesses, so it's currently possible to crash QEMU for
> example with:
> 
> $ echo "Insane in the mainframe" > /tmp/test.txt
> $ s390x-softmmu/qemu-system-s390x -kernel /tmp/test.txt -append xyz
> Segmentation fault (core dumped)
> $ s390x-softmmu/qemu-system-s390x -kernel /tmp/test.txt -initrd /tmp/test.txt
> Segmentation fault (core dumped)
> 
> We need a possibility to check the size of the ROM area that we want
> to access, thus let's add a size parameter to the rom_ptr() function
> to avoid these problems.
[...]
> diff --git a/hw/sparc/sun4m.c b/hw/sparc/sun4m.c
> index 0ee779f..2375cb2 100644
> --- a/hw/sparc/sun4m.c
> +++ b/hw/sparc/sun4m.c
> @@ -272,7 +272,7 @@ static unsigned long sun4m_load_kernel(const char 
> *kernel_filename,
>          }
>          if (initrd_size > 0) {
>              for (i = 0; i < 64 * TARGET_PAGE_SIZE; i += TARGET_PAGE_SIZE) {
> -                ptr = rom_ptr(KERNEL_LOAD_ADDR + i);
> +                ptr = rom_ptr(KERNEL_LOAD_ADDR + i, 24);
>                  if (ldl_p(ptr) == 0x48647253) { // HdrS

Darn, that should check for ptr != NULL ...

>                      stl_p(ptr + 16, INITRD_LOAD_ADDR);
>                      stl_p(ptr + 20, initrd_size);
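Review bot: the new `rom_ptr(KERNEL_LOAD_ADDR + i, 24)` result is still dereferenced unconditionally by `ldl_p(ptr)` on the next line; since the size parameter exists precisely so that rom_ptr() can refuse an access that does not fit in the ROM blob, a too-small blob now yields a NULL `ptr` and the same crash the patch sets out to fix. Guard the dereference, e.g. `if (ptr && ldl_p(ptr) == 0x48647253) { /* HdrS */`, so the loop simply moves on to the next page when no ROM covers that address. The requested size of 24 does line up with the furthest access in the hunk (`stl_p(ptr + 20, ...)` writes bytes 20..23).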
> diff --git a/hw/sparc64/sun4u.c b/hw/sparc64/sun4u.c
> index 1bede85..8b09090 100644
> --- a/hw/sparc64/sun4u.c
> +++ b/hw/sparc64/sun4u.c
> @@ -186,7 +186,7 @@ static uint64_t sun4u_load_kernel(const char 
> *kernel_filename,
>          }
>          if (*initrd_size > 0) {
>              for (i = 0; i < 64 * TARGET_PAGE_SIZE; i += TARGET_PAGE_SIZE) {
> -                ptr = rom_ptr(*kernel_addr + i);
> +                ptr = rom_ptr(*kernel_addr + i, 32);
>                  if (ldl_p(ptr + 8) == 0x48647253) { /* HdrS */
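Review bot: same missing NULL check as in the sun4m hunk: `ldl_p(ptr + 8)` runs on the value returned by `rom_ptr(*kernel_addr + i, 32)` without first confirming it is non-NULL, so a kernel blob shorter than 32 bytes at that page would still segfault here. Suggest `if (ptr && ldl_p(ptr + 8) == 0x48647253) { /* HdrS */` (or an explicit `continue` on NULL) before reading the header.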

... ditto ...

I'll send a v2.

 Thomas
