kvmvapic: Prevent reading beyond the end of guest RAM

rom_state_paddr is guest provided (caller address of outw(VAPIC_PORT) + writen 16-bit value) and can be influenced to point beyond the end of the host memory backing the guest's RAM. Make sure we do not use this pointer to actually read beyond the limits. Reading arbitrary guest bytes is harmless, the guest kernel has to manage access to this I/O port anyway. Signed-off-by: N Jan Kiszka <jan.kiszka@siemens.com> Acked-by: N Michael S. Tsirkin <mst@redhat.com> Signed-off-by: N Gleb Natapov <gleb@redhat.com>

kvmvapic: Prevent reading beyond the end of guest RAM
rom_state_paddr is guest provided (caller address of outw(VAPIC_PORT) + writen 16-bit value) and can be influenced to point beyond the end of the host memory backing the guest's RAM. Make sure we do not use this pointer to actually read beyond the limits. Reading arbitrary guest bytes is harmless, the guest kernel has to manage access to this I/O port anyway. Signed-off-by: N Jan Kiszka <jan.kiszka@siemens.com> Acked-by: N Michael S. Tsirkin <mst@redhat.com> Signed-off-by: N Gleb Natapov <gleb@redhat.com>
7174e54c · Jan Kiszka · Gleb Natapov · 2560f19f · 7174e54c
隐藏空白更改
内联并排

Showing with 3 addition and 0 deletion

hw/i386/kvmvapic.c hw/i386/kvmvapic.c +3 -0

未找到文件。
--- a/hw/i386/kvmvapic.c
+++ b/hw/i386/kvmvapic.c
@@ -596,6 +596,9 @@ static int vapic_map_rom_writable(VAPICROMState *s)
    section = memory_region_find(as, 0, 1);

    /* read ROM size from RAM region */
+    if (rom_paddr + 2 >= memory_region_size(section.mr)) {
+        return -1;
+    }
    ram = memory_region_get_ram_ptr(section.mr);
    rom_size = ram[rom_paddr + 2] * ROM_BLOCK_SIZE;
    if (rom_size == 0) {