Re: [PATCH 3/3] kvm tools: Add boundry check for rtc cmos index

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2011-11-29 at 15:07 +0200, Pekka Enberg wrote:
> On Tue, 29 Nov 2011, Sasha Levin wrote:
> > A guest could overwrite host memory by writing to cmos index bigger than 128.
> >
> > This patch adds a boundry check to limit it to that size.
> >
> > Cc: Alessandro Zummo <a.zummo@xxxxxxxxxxxx>
> > Cc: rtc-linux@xxxxxxxxxxxxxxxx
> > Signed-off-by: Sasha Levin <levinsasha928@xxxxxxxxx>
> > ---
> > tools/kvm/hw/rtc.c |    4 ++++
> > 1 files changed, 4 insertions(+), 0 deletions(-)
> >
> > diff --git a/tools/kvm/hw/rtc.c b/tools/kvm/hw/rtc.c
> > index fad140f..1471521 100644
> > --- a/tools/kvm/hw/rtc.c
> > +++ b/tools/kvm/hw/rtc.c
> > @@ -50,6 +50,8 @@ static bool cmos_ram_data_in(struct ioport *ioport, struct kvm *kvm, u16 port, v
> > 		ioport__write8(data, bin2bcd(tm->tm_year));
> > 		break;
> > 	default:
> > +		if (rtc.cmos_idx >= 128)
> > +			break;
> > 		ioport__write8(data, rtc.cmos_data[rtc.cmos_idx]);
> > 		break;
> > 	}
> > @@ -65,6 +67,8 @@ static bool cmos_ram_data_out(struct ioport *ioport, struct kvm *kvm, u16 port,
> > 		/* Read-only */
> > 		break;
> > 	default:
> > +		if (rtc.cmos_idx >= 128)
> > +			break;
> > 		rtc.cmos_data[rtc.cmos_idx] = ioport__read8(data);
> > 		break;
> > 	}
> 
> We always clear highest bit in cmos_ram_index_out() so 'cmos_idx' can 
> never be over 127.

Right. Please ignore this patch :)

-- 

Sasha.

--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]
  Powered by Linux