mirror of
https://gitlab.com/qemu-project/qemu
synced 2024-11-05 20:35:44 +00:00
aae0faa5d3
Both, "rom->addr" and "addr" are derived from the binary image
that can be loaded with the "-kernel" paramer. The code in
rom_copy() then calculates:
d = dest + (rom->addr - addr);
and uses "d" as destination in a memcpy() some lines later. Now with
bad kernel images, it is possible that rom->addr is smaller than addr,
thus "rom->addr - addr" gets negative and the memcpy() then tries to
copy contents from the image to a bad memory location. This could
maybe be used to inject code from a kernel image into the QEMU binary,
so we better fix it with an additional sanity check here.
Cc: qemu-stable@nongnu.org
Reported-by: Guangming Liu
Buglink: https://bugs.launchpad.net/qemu/+bug/1844635
Message-Id: <20190925130331.27825-1-thuth@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| bus.c | ||
| empty_slot.c | ||
| fw-path-provider.c | ||
| generic-loader.c | ||
| hotplug.c | ||
| irq.c | ||
| Kconfig | ||
| loader-fit.c | ||
| loader.c | ||
| machine-hmp-cmds.c | ||
| machine-qmp-cmds.c | ||
| machine.c | ||
| Makefile.objs | ||
| nmi.c | ||
| null-machine.c | ||
| numa.c | ||
| or-irq.c | ||
| platform-bus.c | ||
| ptimer.c | ||
| qdev-fw.c | ||
| qdev-properties-system.c | ||
| qdev-properties.c | ||
| qdev.c | ||
| register.c | ||
| reset.c | ||
| split-irq.c | ||
| stream.c | ||
| sysbus.c | ||
| uboot_image.h | ||
| vm-change-state-handler.c | ||