qemu-patch-raspberry4/hw/s390x
Thomas Huth 0f0f8b611e loader: Check access size when calling rom_ptr() to avoid crashes
The rom_ptr() function allows direct access to the ROM blobs that we
load during startup. However, there are currently no checks for the
size of the accesses, so it's currently possible to crash QEMU for
example with:

$ echo "Insane in the mainframe" > /tmp/test.txt
$ s390x-softmmu/qemu-system-s390x -kernel /tmp/test.txt -append xyz
Segmentation fault (core dumped)
$ s390x-softmmu/qemu-system-s390x -kernel /tmp/test.txt -initrd /tmp/test.txt
Segmentation fault (core dumped)
$ echo -n HdrS > /tmp/hdr.txt
$ sparc64-softmmu/qemu-system-sparc64 -kernel /tmp/hdr.txt -initrd /tmp/hdr.txt
Segmentation fault (core dumped)

We need a possibility to check the size of the ROM area that we want
to access, thus let's add a size parameter to the rom_ptr() function
to avoid these problems.

Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <1530005740-25254-1-git-send-email-thuth@redhat.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
2018-07-02 10:37:38 +02:00
3270-ccw.c s390x/css: unrestrict cssids 2017-12-14 17:56:54 +01:00
ccw-device.c s390x/ccw: make sure all ccw devices are properly reset 2018-05-14 17:10:02 +02:00
ccw-device.h s390x: vmstatify config migration for virtio-ccw 2017-07-05 12:16:55 +02:00
css-bridge.c s390x/css: attach css bridge 2017-12-14 17:56:54 +01:00
css.c vfio-ccw: remove orb.c64 (64 bit data addresses) check 2018-06-18 10:50:32 +02:00
event-facility.c hw/s390x: Allow to configure the consoles with the "-serial" parameter 2018-04-30 10:48:29 +02:00
ipl.c loader: Check access size when calling rom_ptr() to avoid crashes 2018-07-02 10:37:38 +02:00
ipl.h s390x: refactor reset/reipl handling 2018-05-14 17:10:02 +02:00
Makefile.objs s390x: get rid of s390-virtio.c 2017-09-19 18:31:31 +02:00
s390-ccw.c use g_path_get_basename instead of basename 2018-03-06 14:01:29 +01:00
s390-pci-bus.c iommu: Add IOMMU index argument to translate method 2018-06-15 15:23:34 +01:00
s390-pci-bus.h s390x/pci: fixup global refresh 2018-02-09 09:37:13 +01:00
s390-pci-inst.c iommu: Add IOMMU index argument to notifier APIs 2018-06-15 15:23:34 +01:00
s390-pci-inst.h s390x/pci: rework PCI STORE BLOCK 2017-12-14 17:56:54 +01:00
s390-pci-stub.c s390x/pci: remove idx from msix msg data 2017-09-19 18:21:32 +02:00
s390-skeys-kvm.c s390x/s390-skeys: Mark the storage key devices with user_creatable = false 2017-08-30 18:23:25 +02:00
s390-skeys.c qapi: Empty out qapi-schema.json 2018-03-02 13:45:50 -06:00
s390-stattrib-kvm.c s390x: fix storage attributes migration for non-small guests 2018-01-22 11:04:52 +01:00
s390-stattrib.c migration: introduce postcopy-only pending 2018-03-13 17:05:41 -04:00
s390-virtio-ccw.c hw/s390x: Rename 2.13 machines to 3.0 2018-05-29 11:28:46 +01:00
s390-virtio-hcall.c s390x: rename s390-virtio.h to s390-virtio-hcall.h 2017-09-19 18:31:31 +02:00
s390-virtio-hcall.h s390/kvm_virtio/linux-headers: remove traces of old virtio transport 2017-11-24 10:52:05 +01:00
sclp.c s390x/sclp: remove memory hotplug support 2018-02-26 12:55:26 +01:00
sclpcpu.c s390x/sclp: clean up sclp masks 2018-03-08 15:49:23 +01:00
sclpquiesce.c s390x/sclp: clean up sclp masks 2018-03-08 15:49:23 +01:00
trace-events trace-events: fix code style: print 0x before hex numbers 2017-08-01 12:13:07 +01:00
virtio-ccw.c virtio-ccw: clean up notify 2018-06-18 10:50:32 +02:00
virtio-ccw.h s390x/ccw: make sure all ccw devices are properly reset 2018-05-14 17:10:02 +02:00