[Qemu-devel] [PATCH 004/156] s390x/virtio-hcall: Add range check for hypervisor call

From: Michael Roth
Subject: [Qemu-devel] [PATCH 004/156] s390x/virtio-hcall: Add range check for hypervisor call
Date: Tue, 8 Jul 2014 12:16:35 -0500
From: Thomas Huth <address@hidden>
The handler for diag 500 did not check whether the requested function
was in the supported range, so illegal values could crash QEMU in the
worst case.
Signed-off-by: Thomas Huth <address@hidden>
Reviewed-by: Cornelia Huck <address@hidden>
Signed-off-by: Christian Borntraeger <address@hidden>
CC: address@hidden
(cherry picked from commit f2c55d1735175ab37ab9f69854460087112d2756)
Signed-off-by: Michael Roth <address@hidden>
---
hw/s390x/s390-virtio-hcall.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/hw/s390x/s390-virtio-hcall.c b/hw/s390x/s390-virtio-hcall.c
index ee62649..0e328d8 100644
--- a/hw/s390x/s390-virtio-hcall.c
+++ b/hw/s390x/s390-virtio-hcall.c
@@ -26,11 +26,14 @@ void s390_register_virtio_hypercall(uint64_t code,
s390_virtio_fn fn)
int s390_virtio_hypercall(CPUS390XState *env)
{
- s390_virtio_fn fn = s390_diag500_table[env->regs[1]];
+ s390_virtio_fn fn;
- if (!fn) {
- return -EINVAL;
+ if (env->regs[1] < MAX_DIAG_SUBCODES) {
+ fn = s390_diag500_table[env->regs[1]];
+ if (fn) {
+ return fn(&env->regs[2]);
+ }
}
- return fn(&env->regs[2]);
+ return -EINVAL;
}
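Review bot: the new bound in `if (env->regs[1] < MAX_DIAG_SUBCODES)` is only correct for as long as MAX_DIAG_SUBCODES equals the number of entries in s390_diag500_table, and nothing in this hunk ties the two together, so a later change to either could silently reintroduce the out-of-bounds read. Consider comparing against ARRAY_SIZE(s390_diag500_table) instead, or adding a build-time assertion that the table has exactly MAX_DIAG_SUBCODES entries. The comparison itself is sound provided env->regs[1] is an unsigned type (the uint64_t `code` parameter in the hunk header suggests guest registers are treated as unsigned), so a large or "negative" subcode cannot slip past the check. It would also be worth confirming that s390_register_virtio_hypercall(uint64_t code, s390_virtio_fn fn), visible in the hunk header but not in this diff, applies the same bound to `code` before storing into the table; otherwise the guest-facing read is protected while the registration-side write is not. Finally, the control flow now falls through to `return -EINVAL` both for an out-of-range subcode and for an unregistered one, which matches the previous behaviour for the NULL-entry case and is a reasonable choice here, but a short comment above the range check would make that intent clear to the next reader.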
--
1.9.1