On Tue, 29 Nov 2011, Sasha Levin wrote:
A guest could overwrite host memory by writing to cmos index bigger than 128. This patch adds a boundry check to limit it to that size. Cc: Alessandro Zummo <a.zummo@xxxxxxxxxxxx> Cc: rtc-linux@xxxxxxxxxxxxxxxx Signed-off-by: Sasha Levin <levinsasha928@xxxxxxxxx> --- tools/kvm/hw/rtc.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/tools/kvm/hw/rtc.c b/tools/kvm/hw/rtc.c index fad140f..1471521 100644 --- a/tools/kvm/hw/rtc.c +++ b/tools/kvm/hw/rtc.c @@ -50,6 +50,8 @@ static bool cmos_ram_data_in(struct ioport *ioport, struct kvm *kvm, u16 port, v ioport__write8(data, bin2bcd(tm->tm_year)); break; default: + if (rtc.cmos_idx >= 128) + break; ioport__write8(data, rtc.cmos_data[rtc.cmos_idx]); break; } @@ -65,6 +67,8 @@ static bool cmos_ram_data_out(struct ioport *ioport, struct kvm *kvm, u16 port, /* Read-only */ break; default: + if (rtc.cmos_idx >= 128) + break; rtc.cmos_data[rtc.cmos_idx] = ioport__read8(data); break; }
We always clear highest bit in cmos_ram_index_out() so 'cmos_idx' can never be over 127.
Pekka -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
