[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [qemu-upstream-unstable] kvmvapic: Catch invalid ROM size
commit 50b31e80525d03ef406a8c9f55ff2ae1655a3b66 Author: Jan Kiszka <jan.kiszka@xxxxxxxxxxx> AuthorDate: Tue Sep 3 18:08:50 2013 +0200 Commit: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx> CommitDate: Tue Sep 24 22:53:49 2013 -0500 kvmvapic: Catch invalid ROM size If not caught early, a zero-length ROM will cause a NULL-pointer access later on in patch_hypercalls when allocating a zero-length ROM copy and trying to read from it. CC: qemu-stable@xxxxxxxxxx Signed-off-by: Jan Kiszka <jan.kiszka@xxxxxxxxxxx> Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx> (cherry picked from commit 18e5eec4db96a00907eb588a2b803401637c7f67) Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx> --- hw/i386/kvmvapic.c | 11 +++++++++-- 1 files changed, 9 insertions(+), 2 deletions(-) diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c index 15beb80..7ac0fe1 100644 --- a/hw/i386/kvmvapic.c +++ b/hw/i386/kvmvapic.c @@ -578,7 +578,7 @@ static int patch_hypercalls(VAPICROMState *s) * enable write access to the option ROM so that variables can be updated by * the guest. */ -static void vapic_map_rom_writable(VAPICROMState *s) +static int vapic_map_rom_writable(VAPICROMState *s) { hwaddr rom_paddr = s->rom_state_paddr & ROM_BLOCK_MASK; MemoryRegionSection section; @@ -599,6 +599,9 @@ static void vapic_map_rom_writable(VAPICROMState *s) /* read ROM size from RAM region */ ram = memory_region_get_ram_ptr(section.mr); rom_size = ram[rom_paddr + 2] * ROM_BLOCK_SIZE; + if (rom_size == 0) { + return -1; + } s->rom_size = rom_size; /* We need to round to avoid creating subpages @@ -612,11 +615,15 @@ static void vapic_map_rom_writable(VAPICROMState *s) memory_region_add_subregion_overlap(as, rom_paddr, &s->rom, 1000); s->rom_mapped_writable = true; memory_region_unref(section.mr); + + return 0; } static int vapic_prepare(VAPICROMState *s) { - vapic_map_rom_writable(s); + if (vapic_map_rom_writable(s) < 0) { + return -1; + } if (patch_hypercalls(s) < 0) { return -1; -- generated by git-patchbot for /home/xen/git/qemu-upstream-unstable.git _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |