Google Git
Sign in
fuchsia / third_party / qemu / 5b7236f7256974d9c0286fa4837aa5e15ef5c629
commit5b7236f7256974d9c0286fa4837aa5e15ef5c629[log] [tgz]
authorMichael S. Tsirkin <mst@redhat.com>Mon Apr 18 13:07:35 2016 +0300
committerMichael Roth <mdroth@linux.vnet.ibm.com>Mon May 09 11:55:58 2016 -0500
tree8658d0e4046c0a47ec84b903feccdeffd0edd807
parent0bcdb632f871fc5c80ded99e52445da35a8eaaa7 [diff]
cadence_uart: bounds check write offset

cadence_uart_init() initializes an I/O memory region of size 0x1000
bytes.  However in uart_write(), the 'offset' parameter (offset within
region) is divided by 4 and then used to index the array 'r' of size
CADENCE_UART_R_MAX which is much smaller: (0x48/4).  If 'offset>>=2'
exceeds CADENCE_UART_R_MAX, this will cause an out-of-bounds memory
write where the offset and the value are controlled by guest.

This will corrupt QEMU memory, in most situations this causes the vm to
crash.

Fix by checking the offset against the array size.

Cc: qemu-stable@nongnu.org
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Message-id: 20160418100735.GA517@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 5eb0b194e9b01ba0f3613e6ddc2cb9f63ce96ae5)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
1 file changed
tree: 8658d0e4046c0a47ec84b903feccdeffd0edd807
  1. audio/
  2. backends/
  3. block/
  4. bsd-user/
  5. contrib/
  6. crypto/
  7. default-configs/
  8. disas/
  9. docs/
  10. fpu/
  11. fsdev/
  12. gdb-xml/
  13. hw/
  14. include/
  15. libdecnumber/
  16. linux-headers/
  17. linux-user/
  18. migration/
  19. net/
  20. pc-bios/
  21. po/
  22. qapi/
  23. qga/
  24. qobject/
  25. qom/
  26. replay/
  27. roms/
  28. scripts/
  29. slirp/
  30. stubs/
  31. target-alpha/
  32. target-arm/
  33. target-cris/
  34. target-i386/
  35. target-lm32/
  36. target-m68k/
  37. target-microblaze/
  38. target-mips/
  39. target-moxie/
  40. target-openrisc/
  41. target-ppc/
  42. target-s390x/
  43. target-sh4/
  44. target-sparc/
  45. target-tilegx/
  46. target-tricore/
  47. target-unicore32/
  48. target-xtensa/
  49. tcg/
  50. tests/
  51. trace/
  52. ui/
  53. util/
  54. dtc
  55. pixman
  56. .dir-locals.el
  57. .exrc
  58. .gitignore
  59. .gitmodules
  60. .mailmap
  61. .travis.yml
  62. accel.c
  63. aio-posix.c
  64. aio-win32.c
  65. arch_init.c
  66. async.c
  67. balloon.c
  68. block.c
  69. blockdev-nbd.c
  70. blockdev.c
  71. blockjob.c
  72. bootdevice.c
  73. bt-host.c
  74. bt-vhci.c
  75. Changelog
  76. CODING_STYLE
  77. configure
  78. COPYING
  79. COPYING.LIB
  80. cpu-exec-common.c
  81. cpu-exec.c
  82. cpus.c
  83. cputlb.c
  84. device-hotplug.c
  85. device_tree.c
  86. disas.c
  87. dma-helpers.c
  88. dump.c
  89. exec.c
  90. gdbstub.c
  91. HACKING
  92. hmp-commands-info.hx
  93. hmp-commands.hx
  94. hmp.c
  95. hmp.h
  96. iohandler.c
  97. ioport.c
  98. iothread.c
  99. kvm-all.c
  100. kvm-stub.c
  101. LICENSE
  102. main-loop.c
  103. MAINTAINERS
  104. Makefile
  105. Makefile.objs
  106. Makefile.target
  107. memory.c
  108. memory_mapping.c
  109. module-common.c
  110. monitor.c
  111. nbd.c
  112. numa.c
  113. os-posix.c
  114. os-win32.c
  115. page_cache.c
  116. qapi-schema.json
  117. qdev-monitor.c
  118. qdict-test-data.txt
  119. qemu-bridge-helper.c
  120. qemu-char.c
  121. qemu-doc.texi
  122. qemu-ga.texi
  123. qemu-img-cmds.hx
  124. qemu-img.c
  125. qemu-img.texi
  126. qemu-io-cmds.c
  127. qemu-io.c
  128. qemu-log.c
  129. qemu-nbd.c
  130. qemu-nbd.texi
  131. qemu-options-wrapper.h
  132. qemu-options.h
  133. qemu-options.hx
  134. qemu-seccomp.c
  135. qemu-tech.texi
  136. qemu-timer.c
  137. qemu.nsi
  138. qemu.sasl
  139. qjson.c
  140. qmp-commands.hx
  141. qmp.c
  142. qtest.c
  143. README
  144. rules.mak
  145. softmmu_template.h
  146. spice-qemu-char.c
  147. tcg-runtime.c
  148. tci.c
  149. thread-pool.c
  150. thunk.c
  151. tpm.c
  152. trace-events
  153. translate-all.c
  154. translate-all.h
  155. translate-common.c
  156. user-exec.c
  157. VERSION
  158. version.rc
  159. vl.c
  160. xen-common-stub.c
  161. xen-common.c
  162. xen-hvm-stub.c
  163. xen-hvm.c
  164. xen-mapcache.c