From patchwork Tue Sep 3 16:08:50 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Kiszka X-Patchwork-Id: 2853285 Return-Path: X-Original-To: patchwork-kvm@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork1.web.kernel.org (Postfix) with ESMTP id 046C39F3DC for ; Tue, 3 Sep 2013 16:09:20 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id DF0FD20425 for ; Tue, 3 Sep 2013 16:09:18 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id AA26D2041D for ; Tue, 3 Sep 2013 16:09:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756892Ab3ICQJN (ORCPT ); Tue, 3 Sep 2013 12:09:13 -0400 Received: from david.siemens.de ([192.35.17.14]:24488 "EHLO david.siemens.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756851Ab3ICQJL (ORCPT ); Tue, 3 Sep 2013 12:09:11 -0400 Received: from mail1.siemens.de (localhost [127.0.0.1]) by david.siemens.de (8.13.6/8.13.6) with ESMTP id r83G8rpO032196; Tue, 3 Sep 2013 18:08:53 +0200 Received: from mchn199C.mchp.siemens.de.de ([139.25.40.156]) by mail1.siemens.de (8.13.6/8.13.6) with ESMTP id r83G8r5T018026; Tue, 3 Sep 2013 18:08:53 +0200 From: Jan Kiszka To: Paolo Bonzini , Gleb Natapov Cc: qemu-devel , kvm@vger.kernel.org, "Zhanghaoyu (A)" , "Huangweidong (C)" , Luonengjun , "Michael S. Tsirkin" , Eric Blake , qemu-stable@nongnu.org Subject: [uq/master][PATCH 1/3] kvmvapic: Catch invalid ROM size Date: Tue, 3 Sep 2013 18:08:50 +0200 Message-Id: <991fd3f5105a4e31999a6b5086b6057fd6b6dc07.1378224531.git.jan.kiszka@siemens.com> X-Mailer: git-send-email 1.8.1.1.298.ge7eed54 In-Reply-To: References: In-Reply-To: References: Sender: kvm-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org X-Spam-Status: No, score=-9.3 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP If not caught early, a zero-length ROM will cause a NULL-pointer access later on in patch_hypercalls when allocating a zero-length ROM copy and trying to read from it. CC: qemu-stable@nongnu.org Signed-off-by: Jan Kiszka --- hw/i386/kvmvapic.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c index 15beb80..7ac0fe1 100644 --- a/hw/i386/kvmvapic.c +++ b/hw/i386/kvmvapic.c @@ -578,7 +578,7 @@ static int patch_hypercalls(VAPICROMState *s) * enable write access to the option ROM so that variables can be updated by * the guest. */ -static void vapic_map_rom_writable(VAPICROMState *s) +static int vapic_map_rom_writable(VAPICROMState *s) { hwaddr rom_paddr = s->rom_state_paddr & ROM_BLOCK_MASK; MemoryRegionSection section; @@ -599,6 +599,9 @@ static void vapic_map_rom_writable(VAPICROMState *s) /* read ROM size from RAM region */ ram = memory_region_get_ram_ptr(section.mr); rom_size = ram[rom_paddr + 2] * ROM_BLOCK_SIZE; + if (rom_size == 0) { + return -1; + } s->rom_size = rom_size; /* We need to round to avoid creating subpages @@ -612,11 +615,15 @@ static void vapic_map_rom_writable(VAPICROMState *s) memory_region_add_subregion_overlap(as, rom_paddr, &s->rom, 1000); s->rom_mapped_writable = true; memory_region_unref(section.mr); + + return 0; } static int vapic_prepare(VAPICROMState *s) { - vapic_map_rom_writable(s); + if (vapic_map_rom_writable(s) < 0) { + return -1; + } if (patch_hypercalls(s) < 0) { return -1;