From: Paolo Bonzini
Subject: [Qemu-devel] [PULL 25/50] multiboot: validate multiboot header address values
Date: Tue, 19 Sep 2017 14:29:14 +0200
From: Prasad J Pandit <address@hidden>
While loading a kernel via a multiboot-v1 image, (flags & 0x00010000)
indicates that the multiboot header contains valid addresses to load
the kernel image. These addresses are used to compute the kernel
size and kernel text offset in the OS image. Validate these
address values to avoid an OOB access issue.
This is CVE-2017-14167.
Reported-by: Thomas Garnier <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
---
hw/i386/multiboot.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c
index 6001f4c..c7b70c9 100644
--- a/hw/i386/multiboot.c
+++ b/hw/i386/multiboot.c
@@ -221,15 +221,34 @@ int load_multiboot(FWCfgState *fw_cfg,
uint32_t mh_header_addr = ldl_p(header+i+12);
uint32_t mh_load_end_addr = ldl_p(header+i+20);
uint32_t mh_bss_end_addr = ldl_p(header+i+24);
+
mh_load_addr = ldl_p(header+i+16);
+ if (mh_header_addr < mh_load_addr) {
+ fprintf(stderr, "invalid mh_load_addr address\n");
+ exit(1);
+ }
+
uint32_t mb_kernel_text_offset = i - (mh_header_addr - mh_load_addr);
uint32_t mb_load_size = 0;
mh_entry_addr = ldl_p(header+i+28);
if (mh_load_end_addr) {
+ if (mh_bss_end_addr < mh_load_addr) {
+ fprintf(stderr, "invalid mh_bss_end_addr address\n");
+ exit(1);
+ }
mb_kernel_size = mh_bss_end_addr - mh_load_addr;
+
+ if (mh_load_end_addr < mh_load_addr) {
+ fprintf(stderr, "invalid mh_load_end_addr address\n");
+ exit(1);
+ }
mb_load_size = mh_load_end_addr - mh_load_addr;
} else {
+ if (kernel_file_size < mb_kernel_text_offset) {
+ fprintf(stderr, "invalid kernel_file_size\n");
+ exit(1);
+ }
mb_kernel_size = kernel_file_size - mb_kernel_text_offset;
mb_load_size = mb_kernel_size;
}
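Review bot: the new `mh_bss_end_addr < mh_load_addr` test inside the `if (mh_load_end_addr)` branch rejects any header whose bss_end_addr is zero (for a non-zero load address), yet the Multiboot specification defines a zero bss_end_addr as "no bss segment", so a valid image of that shape now exits instead of loading with mb_kernel_size equal to mb_load_size. Suggest handling zero before the comparison, e.g. `if (mh_bss_end_addr == 0) { mb_kernel_size = mb_load_size; } else { ... }`, and comparing a non-zero value against mh_load_end_addr rather than mh_load_addr, since the bss is expected to follow the loaded data. Separately, `mh_header_addr < mh_load_addr` does not stop `mb_kernel_text_offset = i - (mh_header_addr - mh_load_addr)` from wrapping when the difference exceeds i: the else branch catches the wrapped value through `kernel_file_size < mb_kernel_text_offset`, but the `mh_load_end_addr` branch never bounds the offset or mb_load_size against kernel_file_size, so a test such as `if (mh_header_addr - mh_load_addr > i)` directly after the first check would close that path as well. On style, error_report() is the usual QEMU way to report these failures rather than fprintf(stderr, ...).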
--
1.8.3.1
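The address arithmetic the commit message describes, as an added example that is not QEMU's code: a small C routine parses the a.out-kludge fields of a multiboot v1 header at file offset i, applies the checks the patch introduces, and adds two the hunk leaves out (header_addr - load_addr must not exceed i, and load_size must not exceed what remains of the file), while treating bss_end_addr == 0 as "no bss" per the Multiboot specification instead of rejecting it. The header builder, the 64-byte image, the field values and all mb_ names are constructed for this illustration and are assumptions, not QEMU's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MB_MAGIC     0x1BADB002u
#define MB_FLAG_AOUT 0x00010000u   /* flags bit 16: the address fields are valid */
#define MB_HDR_LEN   32            /* bytes through entry_addr */

/* Layout derived from a header at file offset i (constructed type, not QEMU's). */
typedef struct {
    uint32_t text_offset;   /* file offset of the first byte copied into memory */
    uint32_t load_size;     /* bytes copied from the file */
    uint32_t kernel_size;   /* bytes occupied in memory: load_size plus bss */
} mb_layout;

static uint32_t ldl_le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void stl_le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Write a well-formed a.out-kludge header (correct checksum) at buf. */
void mb_build_header(uint8_t *buf, uint32_t header_addr, uint32_t load_addr,
                     uint32_t load_end_addr, uint32_t bss_end_addr, uint32_t entry_addr)
{
    uint32_t flags = MB_FLAG_AOUT;
    stl_le(buf + 0, MB_MAGIC);
    stl_le(buf + 4, flags);
    stl_le(buf + 8, 0u - (MB_MAGIC + flags)); /* magic + flags + checksum == 0 mod 2^32 */
    stl_le(buf + 12, header_addr);
    stl_le(buf + 16, load_addr);
    stl_le(buf + 20, load_end_addr);
    stl_le(buf + 24, bss_end_addr);
    stl_le(buf + 28, entry_addr);
}

/* Validate the header at offset i of an image of img_len bytes.
   Returns 0 and fills *out, or a negative code naming the check that failed. */
int mb_validate(const uint8_t *img, uint32_t img_len, uint32_t i, mb_layout *out)
{
    if (i > img_len || img_len - i < MB_HDR_LEN) return -1;          /* header must fit */
    uint32_t magic = ldl_le(img + i), flags = ldl_le(img + i + 4);
    if (magic != MB_MAGIC || magic + flags + ldl_le(img + i + 8) != 0) return -1;
    if (!(flags & MB_FLAG_AOUT)) return -2;                          /* ELF path, not handled here */

    uint32_t header_addr   = ldl_le(img + i + 12);
    uint32_t load_addr     = ldl_le(img + i + 16);
    uint32_t load_end_addr = ldl_le(img + i + 20);
    uint32_t bss_end_addr  = ldl_le(img + i + 24);

    /* text_offset = i - (header_addr - load_addr); neither subtraction may wrap. */
    if (header_addr < load_addr) return -3;
    uint32_t header_off = header_addr - load_addr;
    if (header_off > i) return -4;                                   /* would wrap text_offset */
    uint32_t text_offset = i - header_off;

    uint32_t load_size, kernel_size;
    if (load_end_addr) {
        if (load_end_addr < load_addr) return -5;
        load_size = load_end_addr - load_addr;
        if (load_size > img_len - text_offset) return -6;            /* copy would read past EOF */
        if (bss_end_addr == 0) {
            kernel_size = load_size;                                 /* spec: zero means no bss */
        } else {
            if (bss_end_addr < load_end_addr) return -7;             /* bss must follow loaded data */
            kernel_size = bss_end_addr - load_addr;
        }
    } else {
        /* load_end_addr == 0: text and data occupy the rest of the file (bss ignored, as in the patch). */
        load_size = img_len - text_offset;                           /* text_offset <= i < img_len */
        kernel_size = load_size;
    }
    out->text_offset = text_offset;
    out->load_size = load_size;
    out->kernel_size = kernel_size;
    return 0;
}

/* Constructed 64-byte image with the header at offset 8; returns mb_validate's code. */
int mb_demo(uint32_t header_addr, uint32_t load_addr, uint32_t load_end_addr,
            uint32_t bss_end_addr, mb_layout *out)
{
    uint8_t img[64];
    memset(img, 0, sizeof img);
    mb_build_header(img + 8, header_addr, load_addr, load_end_addr, bss_end_addr, load_addr);
    return mb_validate(img, (uint32_t)sizeof img, 8, out);
}

int main(void)
{
    mb_layout lo;
    /* header_addr far above load_addr: i - (header_addr - load_addr) would wrap to ~4 GiB */
    int rc = mb_demo(0x101000u, 0x100000u, 0x100040u, 0x100100u, &lo);
    printf("hostile header rejected with code %d\n", rc);
    rc = mb_demo(0x100008u, 0x100000u, 0x100040u, 0x100100u, &lo);
    printf("valid header: rc=%d text_offset=%u load_size=%u kernel_size=%u\n",
           rc, lo.text_offset, lo.load_size, lo.kernel_size);
    return 0;
}
```

The hostile case in main() is the shape the patch's first check does not catch on its own: header_addr is above load_addr, so `header_addr < load_addr` passes, but the difference (0x1000) is larger than the header's file offset (8), and the unchecked subtraction in the original code would yield a text offset near 4 GiB that the later copy reads from.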