5eb0b194e9
cadence_uart_init() initializes an I/O memory region of size 0x1000 bytes. However in uart_write(), the 'offset' parameter (offset within region) is divided by 4 and then used to index the array 'r' of size CADENCE_UART_R_MAX which is much smaller: (0x48/4). If 'offset>>=2' exceeds CADENCE_UART_R_MAX, this will cause an out-of-bounds memory write where the offset and the value are controlled by guest. This will corrupt QEMU memory, in most situations this causes the vm to crash. Fix by checking the offset against the array size. Cc: qemu-stable@nongnu.org Reported-by: 李强 <liqiang6-s@360.cn> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Alistair Francis <alistair.francis@xilinx.com> Message-id: 20160418100735.GA517@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> |
||
---|---|---|
.. | ||
bcm2835_aux.c | ||
cadence_uart.c | ||
debugcon.c | ||
digic-uart.c | ||
escc.c | ||
etraxfs_ser.c | ||
exynos4210_uart.c | ||
grlib_apbuart.c | ||
imx_serial.c | ||
ipoctal232.c | ||
lm32_juart.c | ||
lm32_uart.c | ||
Makefile.objs | ||
mcf_uart.c | ||
milkymist-uart.c | ||
omap_uart.c | ||
parallel.c | ||
pl011.c | ||
sclpconsole-lm.c | ||
sclpconsole.c | ||
serial-isa.c | ||
serial-pci.c | ||
serial.c | ||
sh_serial.c | ||
spapr_vty.c | ||
stm32f2xx_usart.c | ||
virtio-console.c | ||
virtio-serial-bus.c | ||
xen_console.c | ||
xilinx_uartlite.c |