[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH 2/2] ivshmem: validate incoming_posn value from
From: |
Andreas Färber |
Subject: |
Re: [Qemu-devel] [PATCH 2/2] ivshmem: validate incoming_posn value from server |
Date: |
Mon, 14 Apr 2014 18:27:54 +0200 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0 |
Am 14.04.2014 16:26, schrieb Peter Maydell:
> On 31 March 2014 08:08, Stefan Hajnoczi <address@hidden> wrote:
>> Check incoming_posn to avoid out-of-bounds array accesses if the ivshmem
>> server on the host sends invalid values.
>>
>> Cc: Cam Macdonell <address@hidden>
>> Reported-by: Sebastian Krahmer <address@hidden>
>> Signed-off-by: Stefan Hajnoczi <address@hidden>
>> ---
>> hw/misc/ivshmem.c | 9 +++++++++
>> 1 file changed, 9 insertions(+)
>>
>> diff --git a/hw/misc/ivshmem.c b/hw/misc/ivshmem.c
>> index 78363ce..25c22b7 100644
>> --- a/hw/misc/ivshmem.c
>> +++ b/hw/misc/ivshmem.c
>> @@ -383,6 +383,9 @@ static void close_guest_eventfds(IVShmemState *s, int
>> posn)
>> if (!ivshmem_has_feature(s, IVSHMEM_IOEVENTFD)) {
>> return;
>> }
>> + if (posn < 0 || posn > s->nb_peers) {
>> + return;
>> + }
>>
>> guest_curr_max = s->peers[posn].nb_eventfds;
>
> Shouldn't the upper bound check be checking ">=", not ">" ?
Indeed, looks like it. We're allocating s->nb_peers * sizeof(Peer) in
increase_dynamic_storage() just below.
Regards,
Andreas
--
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg