Re: [PATCH uq/master] kvmvapic: Prevent reading beyond the end of guest RAM

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Sep 30, 2013 at 12:35:13PM +0200, Jan Kiszka wrote:
> rom_state_paddr is guest provided (caller address of outw(VAPIC_PORT) +
> writen 16-bit value) and can be influenced to point beyond the end of
> the host memory backing the guest's RAM. Make sure we do not use this
> pointer to actually read beyond the limits.
> 
> Reading arbitrary guest bytes is harmless, the guest kernel has to
> manage access to this I/O port anyway.
> 
> Signed-off-by: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>

Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

> ---
>  hw/i386/kvmvapic.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
> index 1c2dbf5..2d87600 100644
> --- a/hw/i386/kvmvapic.c
> +++ b/hw/i386/kvmvapic.c
> @@ -596,6 +596,9 @@ static int vapic_map_rom_writable(VAPICROMState *s)
>      section = memory_region_find(as, 0, 1);
>  
>      /* read ROM size from RAM region */
> +    if (rom_paddr + 2 >= memory_region_size(section.mr)) {
> +        return -1;
> +    }
>      ram = memory_region_get_ram_ptr(section.mr);
>      rom_size = ram[rom_paddr + 2] * ROM_BLOCK_SIZE;
>      if (rom_size == 0) {
> -- 
> 1.8.1.1.298.ge7eed54
--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]
  Powered by Linux