qemu/core at stable-4.0 - qemu - Gitea: Git with a cup of tea

mii/qemu

mirror of https://github.com/mii443/qemu.git synced 2025-08-23 07:35:47 +00:00

Files

History

Thomas Huth 4f1c6cb2f9 hw/core/loader: Fix possible crash in rom_copy()

Both, "rom->addr" and "addr" are derived from the binary image
that can be loaded with the "-kernel" paramer. The code in
rom_copy() then calculates:

    d = dest + (rom->addr - addr);

and uses "d" as destination in a memcpy() some lines later. Now with
bad kernel images, it is possible that rom->addr is smaller than addr,
thus "rom->addr - addr" gets negative and the memcpy() then tries to
copy contents from the image to a bad memory location. This could
maybe be used to inject code from a kernel image into the QEMU binary,
so we better fix it with an additional sanity check here.

Cc: qemu-stable@nongnu.org
Reported-by: Guangming Liu
Buglink: https://bugs.launchpad.net/qemu/+bug/1844635
Message-Id: <20190925130331.27825-1-thuth@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit e423455c4f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2019-10-01 19:12:53 -05:00

..

bus.c

qdev: pass an Object * to qbus_set_hotplug_handler()

2019-02-17 21:54:02 +11:00

empty_slot.c

core/empty_slot: Convert sysbus init function to realize function

2018-12-13 13:47:57 +00:00

fw-path-provider.c

hw/core: Clean up includes

2016-01-29 15:07:25 +00:00

generic-loader.c

elf: Add optional function ptr to load_elf() to parse ELF notes

2019-02-05 16:50:16 +01:00

hotplug.c

call HotplugHandler->plug() as the last step in device realization

2018-10-19 13:44:12 +02:00

irq.c

tcg: drop global lock during TCG code execution

2017-02-24 10:32:45 +00:00

Kconfig

kconfig: introduce kconfig files

2019-03-07 21:45:53 +01:00

loader-fit.c

hw: Use IEC binary prefix definitions from "qemu/units.h"

2018-07-02 15:41:10 +02:00

loader.c

hw/core/loader: Fix possible crash in rom_copy()

2019-10-01 19:12:53 -05:00

machine.c

virtio-balloon: fix QEMU 4.0 config size migration incompatibility

2019-10-01 16:58:28 -05:00

Makefile.objs

hw/core: Move null-machine into the common-obj list

2018-10-24 07:27:25 +01:00

nmi.c

nmi: remove x86 specific nmi handling

2016-05-23 16:53:46 +02:00

null-machine.c

hw/core: Move null-machine into the common-obj list

2018-10-24 07:27:25 +01:00

or-irq.c

hw/core/or-irq: Support more than 16 inputs to an OR gate

2018-06-15 15:23:34 +01:00

platform-bus.c

hw: Do not include "exec/address-spaces.h" if it is not necessary

2018-06-01 14:15:10 +02:00

ptimer.c

ptimer: Add TRIGGER_ONLY_ON_DECREMENT policy option

2018-07-09 14:51:34 +01:00

qdev-fw.c

linux-user: remove nmi.c and fw-path-provider.c

2018-01-23 14:20:52 +01:00

qdev-properties-system.c

hw: set_netdev: remove useless code

2018-12-11 18:28:46 +01:00

qdev-properties.c

qdev-props: call object_apply_global_props()

2019-01-07 16:18:42 +04:00

qdev.c

qom: Move compat_props machinery from qdev to QOM

2019-03-11 22:53:44 +01:00

register.c

hw/core/register: Add trailing '\n' to qemu_log() call

2018-06-08 13:15:33 +01:00

reset.c

qemu/queue.h: leave head structs anonymous unless necessary

2019-01-11 15:46:55 +01:00

split-irq.c

hw/core/split-irq: Device that splits IRQ lines

2018-03-02 11:03:45 +00:00

stream.c

hw/core: Clean up includes

2016-01-29 15:07:25 +00:00

sysbus.c

sysbus: Fix latent bug with onboard devices

2019-03-11 22:53:44 +01:00

uboot_image.h

Support u-boot noload images for arm as used by, NetBSD/evbarm GENERIC kernel.

2019-01-07 15:46:20 +00:00