[Qemu-devel] [PULL 14/20] virtio-serial: fix heapover-flow
From: Paolo Bonzini
Subject: [Qemu-devel] [PULL 14/20] virtio-serial: fix heapover-flow
Date: Fri, 6 Apr 2018 19:11:15 +0200
From: linzhecheng <address@hidden>
Check that the device has the VIRTIO_CONSOLE_F_EMERG_WRITE feature before
getting config->emerg_wr. This is necessary because sizeof(virtio_console_config)
is 8 bytes if VirtIOSerial doesn't have the VIRTIO_CONSOLE_F_EMERG_WRITE
feature (see virtio_serial_device_realize), so reading/writing emerg_wr
will lead to a heap overflow.
Signed-off-by: linzhecheng <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
---
hw/char/virtio-serial-bus.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/hw/char/virtio-serial-bus.c b/hw/char/virtio-serial-bus.c
index 9470bd7..d2dd8ab 100644
--- a/hw/char/virtio-serial-bus.c
+++ b/hw/char/virtio-serial-bus.c
@@ -580,13 +580,16 @@ static void set_config(VirtIODevice *vdev, const uint8_t
*config_data)
VirtIOSerial *vser = VIRTIO_SERIAL(vdev);
struct virtio_console_config *config =
(struct virtio_console_config *)config_data;
- uint8_t emerg_wr_lo = le32_to_cpu(config->emerg_wr);
VirtIOSerialPort *port = find_first_connected_console(vser);
VirtIOSerialPortClass *vsc;
+ uint8_t emerg_wr_lo;
- if (!config->emerg_wr) {
+ if (!virtio_has_feature(vser->host_features,
+ VIRTIO_CONSOLE_F_EMERG_WRITE) || !config->emerg_wr) {
return;
}
+
+ emerg_wr_lo = le32_to_cpu(config->emerg_wr);
/* Make sure we don't misdetect an emergency write when the guest
* does a short config write after an emergency write. */
config->emerg_wr = 0;
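Review bot: the commit message says both reading and writing emerg_wr overflow the heap, but the hunk only guards set_config; if get_config never touches emerg_wr, the message should say so, otherwise get_config needs the same `virtio_has_feature(vser->host_features, VIRTIO_CONSOLE_F_EMERG_WRITE)` gate. The new check is keyed on host_features, which is the right choice because it is the same condition that fixed the config space size at realize time, but nothing in the hunk says so; a one-line comment above the `if` noting that the config space is only 8 bytes without the feature, so the feature test must precede any access to config->emerg_wr, would stop a later reader from reordering the two conditions. Minor: `emerg_wr_lo` is a `uint8_t` assigned from `le32_to_cpu(config->emerg_wr)`, and moving the assignment away from the declaration makes the intentional truncation to the low byte easier to mistake for a bug; a short comment on the `emerg_wr_lo = ...` line would help.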
--
1.8.3.1
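The reasoning in the commit message, that the config space is only 8 bytes when the device lacks VIRTIO_CONSOLE_F_EMERG_WRITE and so any access to emerg_wr must be gated on that feature, as an added, self-contained C example. This is not QEMU code: the struct layout (modelled on the standard virtio console config), the F_EMERG_WRITE bit, the function names and the sample buffers are all this example's own constructions. It shows the defensive pattern the patch applies: test the feature that determined the allocation size before touching the optional trailing field, and size the buffer exactly as the device would so a missing guard would actually run off the end.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout, modelled on the virtio console config space: cols, rows
 * and max_nr_ports are always present; emerg_wr (offset 8) exists only when
 * the device offers the emergency-write feature. Without it the device
 * exposes only the first 8 bytes, as the commit message describes. */
struct console_config {
    uint16_t cols;
    uint16_t rows;
    uint32_t max_nr_ports;
    uint32_t emerg_wr;
};

/* Constructed feature bit for this example (not QEMU's real definition). */
#define F_EMERG_WRITE (1u << 2)

/* Mirrors the realize-time decision: the config space is 8 bytes without the
 * feature and the full 12-byte struct with it. */
static size_t config_size_for(uint32_t host_features)
{
    if (host_features & F_EMERG_WRITE) {
        return sizeof(struct console_config);
    }
    return offsetof(struct console_config, emerg_wr);
}

/* Guarded emergency-write handling, in the spirit of the patched set_config.
 * The feature check comes first, so a device whose config space is only
 * 8 bytes never reads or clears bytes 8..11. The explicit length check is
 * extra insurance when the buffer comes from elsewhere. Returns true and
 * stores the low byte (the patch's emerg_wr_lo) when there is a pending
 * emergency write; the field is then cleared, as in the patch. */
static bool handle_emerg_write(uint32_t host_features, uint8_t *config_data,
                               size_t config_len, uint8_t *lo_out)
{
    const size_t off = offsetof(struct console_config, emerg_wr);

    if (!(host_features & F_EMERG_WRITE) || config_len < off + 4) {
        return false;
    }
    /* Little-endian field, decoded byte-wise so the result does not depend
     * on the host's byte order (stands in for le32_to_cpu). */
    uint32_t emerg_wr = (uint32_t)config_data[off]
                      | (uint32_t)config_data[off + 1] << 8
                      | (uint32_t)config_data[off + 2] << 16
                      | (uint32_t)config_data[off + 3] << 24;
    if (emerg_wr == 0) {
        return false;
    }
    *lo_out = (uint8_t)emerg_wr;           /* intentional truncation */
    memset(config_data + off, 0, 4);       /* config->emerg_wr = 0 */
    return true;
}

/* Constructed scenario: config buffers sized exactly as the device would
 * allocate them. Returns the low byte delivered when the feature is present,
 * or -1 if any step misbehaves. */
static int demo_guarded_read(void)
{
    uint8_t lo = 0;

    /* Device without the feature: only 8 bytes exist, so the handler must
     * return without looking at (or clearing) anything past them. */
    size_t n = config_size_for(0);
    uint8_t *small = calloc(n, 1);
    if (!small) return -1;
    bool touched = handle_emerg_write(0, small, n, &lo);
    free(small);
    if (touched || n != 8) return -1;

    /* Device with the feature: 12 bytes, emerg_wr = 0x00000141 (LE). */
    n = config_size_for(F_EMERG_WRITE);
    uint8_t *full = calloc(n, 1);
    if (!full) return -1;
    full[8] = 0x41; full[9] = 0x01;
    bool pending = handle_emerg_write(F_EMERG_WRITE, full, n, &lo);
    bool cleared = full[8] == 0 && full[9] == 0;
    free(full);
    if (!pending || !cleared || n != 12) return -1;
    return lo;   /* low byte of 0x141 */
}

int main(void)
{
    printf("config size without feature: %zu\n", config_size_for(0));
    printf("config size with feature:    %zu\n", config_size_for(F_EMERG_WRITE));
    printf("emerg_wr low byte delivered: 0x%02x\n", demo_guarded_read());
    return 0;
}
```

Running this under AddressSanitizer with the feature check removed from handle_emerg_write is an easy way to see the out-of-bounds read on the 8-byte buffer that the patch prevents; with the guard in place both scenarios complete cleanly.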