mirrors/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
0f0f8b611e
qemu/include/hw
History
Thomas Huth 0f0f8b611e loader: Check access size when calling rom_ptr() to avoid crashes 
The rom_ptr() function allows direct access to the ROM blobs that we
load during startup. However, there are currently no checks for the
size of the accesses, so it's currently possible to crash QEMU for
example with:

$ echo "Insane in the mainframe" > /tmp/test.txt
$ s390x-softmmu/qemu-system-s390x -kernel /tmp/test.txt -append xyz
Segmentation fault (core dumped)
$ s390x-softmmu/qemu-system-s390x -kernel /tmp/test.txt -initrd /tmp/test.txt
Segmentation fault (core dumped)
$ echo -n HdrS > /tmp/hdr.txt
$ sparc64-softmmu/qemu-system-sparc64 -kernel /tmp/hdr.txt -initrd /tmp/hdr.txt
Segmentation fault (core dumped)

We need a possibility to check the size of the ROM area that we want
to access, thus let's add a size parameter to the rom_ptr() function
to avoid these problems.

Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <1530005740-25254-1-git-send-email-thuth@redhat.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
2018-07-02 10:37:38 +02:00
..
acpi hw/arm/virt-acpi-build: Add smmuv3 node in IORT table 2018-05-04 18:52:58 +01:00
adc
arm hw/arm/smmuv3: Add notifications on invalidation 2018-06-26 17:50:42 +01:00
audio hw/audio/wm8750: move WM8750 declarations from i2c/i2c.h to audio/wm8750.h 2018-02-02 08:19:25 +01:00
block block: Remove deprecated -drive option serial 2018-06-15 14:49:44 +02:00
char serial-isa: Use MAX_ISA_SERIAL_PORTS instead of MAX_SERIAL_PORTS 2018-04-26 13:57:00 +01:00
core hw/core/split-irq: Device that splits IRQ lines 2018-03-02 11:03:45 +00:00
cpu
cris
display hw/display: add standalone ramfb device 2018-06-18 11:22:15 +02:00
dma hw: Do not include "exec/address-spaces.h" if it is not necessary 2018-06-01 14:15:10 +02:00
gpio
i2c ppc4xx_i2c: Implement directcntl register 2018-06-21 21:22:53 +10:00
i386 hmp: obsolete "info ioapic" 2018-06-28 19:05:37 +02:00
ide ide: introduce ide_transfer_start_norecurse 2018-06-08 13:36:31 -04:00
input adb: add property to disable direct reg 3 writes 2018-06-16 16:32:33 +10:00
intc hw/intc/arm_gicv3: Introduce redist-region-count array property 2018-06-22 13:28:36 +01:00
ipack
ipmi
isa superio: Don't use MAX_SERIAL_PORTS for serial port limit 2018-04-26 13:57:00 +01:00
kvm
lm32
m68k
mem pc-dimm: get_memory_region() will not fail after realize 2018-06-28 19:05:34 +02:00
mips
misc aspeed/scu: introduce clock frequencies 2018-06-26 17:50:42 +01:00
net ftgmac100: compute maximum frame size depending on the protocol 2018-06-08 13:15:32 +01:00
nvram Clean up includes 2018-02-09 05:05:11 +01:00
pci allocate pci id for mdpy 2018-05-23 03:14:40 +03:00
pci-bridge Clean up includes 2018-02-09 05:05:11 +01:00
pci-host uninorth: remove token register from uninorth device 2018-06-12 09:33:52 +10:00
ppc spapr: Use maximum page size capability to simplify memory backend checking 2018-06-22 14:19:07 +10:00
riscv RISC-V: Make virt header comment title consistent 2018-05-06 10:39:38 +12:00
s390x s390x: refactor reset/reipl handling 2018-05-14 17:10:02 +02:00
scsi Block layer patches: 2018-06-29 18:29:15 +01:00
sd sdcard: Reflect when the Spec v3 is supported in the Config Register (SCR) 2018-06-08 13:15:34 +01:00
sh4 hw: Do not include "exec/address-spaces.h" if it is not necessary 2018-06-01 14:15:10 +02:00
smbios Move include qemu/option.h from qemu-common.h to actual users 2018-02-09 13:52:16 +01:00
sparc sun4u_iommu: update to reflect IOMMU is no longer part of the APB device 2018-01-09 21:48:20 +00:00
ssi xilinx_spips: Make dma transactions as per dma_burst_size 2018-06-26 17:50:39 +01:00
timer aspeed/timer: use the APB frequency from the SCU 2018-06-26 17:50:42 +01:00
tricore
unicore32
usb usb: Add basic code to emulate Chipidea USB IP 2018-02-09 10:40:30 +00:00
vfio vfio: remove DPRINTF() definition from vfio-common.h 2018-06-05 08:23:16 -06:00
virtio virtio-gpu-3d: Drop workaround for VIRTIO_GPU_CAPSET_VIRGL2 define 2018-06-26 16:04:17 +02:00
watchdog
xen compiler: add a sizeof_field() macro 2018-06-27 13:01:40 +01:00
xtensa Clean up includes 2018-02-09 05:05:11 +01:00
boards.h hw/i386: Deprecate the machine types pc-0.10 and pc-0.11 2018-06-25 14:10:01 -03:00
bt.h
compat.h audio/hda: enable new timer code by default. 2018-06-25 13:57:57 +02:00
devices.h hw: Clean "hw/devices.h" includes 2018-06-01 14:15:10 +02:00
elf_ops.h Add symbol table callback interface to load_elf 2018-03-07 08:30:28 +13:00
empty_slot.h
fw-path-provider.h
hotplug.h
hw.h
ide.h
irq.h hw/core/split-irq: Device that splits IRQ lines 2018-03-02 11:03:45 +00:00
loader-fit.h Use #include "..." for our own headers, <...> for others 2018-02-09 05:05:11 +01:00
loader.h loader: Check access size when calling rom_ptr() to avoid crashes 2018-07-02 10:37:38 +02:00
nmi.h
or-irq.h hw/core/or-irq: Support more than 16 inputs to an OR gate 2018-06-15 15:23:34 +01:00
pcmcia.h
platform-bus.h platform-bus-device: use device plug callback instead of machine_done notifier 2018-05-10 18:10:56 +01:00
ptimer.h
qdev-core.h qdev: Remove DeviceClass::init() and ::exit() 2018-06-01 15:14:31 +02:00
qdev-dma.h
qdev-properties.h net: Remove the deprecated "vlan" parameter 2018-05-14 15:47:14 +08:00
qdev.h
register.h hw: register: Run post_write hook on reset 2018-03-01 11:05:43 +00:00
registerfields.h Use #include "..." for our own headers, <...> for others 2018-02-09 05:05:11 +01:00
stream.h
sysbus.h
usb.h usb: Remove legacy -usbdevice options (host, serial, disk and net) 2018-01-26 07:15:08 +01:00