Re: [Qemu-devel] [PATCH] m25p80: prevent buffer overflow during erasing

[mar.krzeminski]

W dniu 15.01.2018 o 16:13, Aleksey Kuleshov pisze:
> memset is not checked, so it's possible to go beyond the storage.
> Add checks and truncate requested length.
>
> Signed-off-by: Aleksey Kuleshov <address@hidden>

Acked-by: Marcin Krzemiński<address@hidden>

> ---
>   hw/block/m25p80.c | 10 ++++++++++
>   1 file changed, 10 insertions(+)
>
> diff --git a/hw/block/m25p80.c b/hw/block/m25p80.c
> index ea142160b3..18ec501912 100644
> --- a/hw/block/m25p80.c
> +++ b/hw/block/m25p80.c
> @@ -539,6 +539,8 @@ static void flash_erase(Flash *s, int offset, FlashCMD cmd)
>       uint32_t len;
>       uint8_t capa_to_assert = 0;
>   
> +    assert(0 <= offset && offset < s->size);
> +
>       switch (cmd) {
>       case ERASE_4K:
>       case ERASE4_4K:
> @@ -581,6 +583,14 @@ static void flash_erase(Flash *s, int offset, FlashCMD cmd)
>           qemu_log_mask(LOG_GUEST_ERROR, "M25P80: erase with write protect!\n");
>           return;
>       }
> +
> +    if (offset + len > s->size) {
> +        qemu_log_mask(LOG_GUEST_ERROR,
> +                            "M25P80: trying to erase beyond the flash size! "
> +                            "Truncating the length...\n");
> +        len = s->size - offset;
> +    }
> +
>       memset(s->storage + offset, 0xff, len);
>       flash_sync_area(s, offset, len);
>   }