haraldwolff/qemu-patch-raspberry4
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
qemu-patch-raspberry4/hw/core
History
Peter Maydell 312c496a95 hw/core/loader: In gunzip(), check index is in range before use, not after 
The gunzip() function reads various fields from a passed in source
buffer in order to skip a header before passing the actual compressed
data to the zlib inflate() function.  It does check whether the
passed in buffer is too small, but unfortunately it checks that only
after reading bytes from the src buffer, so it could read off the end
of the buffer.

You can see this with valgrind:

 $ printf "%b" '\x1f\x8b' > /tmp/image
 $ valgrind qemu-system-aarch64 -display none -M virt -cpu max -kernel /tmp/image
 [...]
 ==19224== Invalid read of size 1
 ==19224==    at 0x67302E: gunzip (loader.c:558)
 ==19224==    by 0x673907: load_image_gzipped_buffer (loader.c:788)
 ==19224==    by 0xA18032: load_aarch64_image (boot.c:932)
 ==19224==    by 0xA18489: arm_setup_direct_kernel_boot (boot.c:1063)
 ==19224==    by 0xA18D90: arm_load_kernel (boot.c:1317)
 ==19224==    by 0x9F3651: machvirt_init (virt.c:2114)
 ==19224==    by 0x794B7A: machine_run_board_init (machine.c:1272)
 ==19224==    by 0xD5CAD3: qemu_init_board (vl.c:2618)
 ==19224==    by 0xD5CCA6: qmp_x_exit_preconfig (vl.c:2692)
 ==19224==    by 0xD5F32E: qemu_init (vl.c:3713)
 ==19224==    by 0x5ADDB1: main (main.c:49)
 ==19224==  Address 0x3802a873 is 0 bytes after a block of size 3 alloc'd
 ==19224==    at 0x4C31B0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
 ==19224==    by 0x61E7657: g_file_get_contents (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.5600.4)
 ==19224==    by 0x673895: load_image_gzipped_buffer (loader.c:771)
 ==19224==    by 0xA18032: load_aarch64_image (boot.c:932)
 ==19224==    by 0xA18489: arm_setup_direct_kernel_boot (boot.c:1063)
 ==19224==    by 0xA18D90: arm_load_kernel (boot.c:1317)
 ==19224==    by 0x9F3651: machvirt_init (virt.c:2114)
 ==19224==    by 0x794B7A: machine_run_board_init (machine.c:1272)
 ==19224==    by 0xD5CAD3: qemu_init_board (vl.c:2618)
 ==19224==    by 0xD5CCA6: qmp_x_exit_preconfig (vl.c:2692)
 ==19224==    by 0xD5F32E: qemu_init (vl.c:3713)
 ==19224==    by 0x5ADDB1: main (main.c:49)

Check that we have enough bytes of data to read the header bytes that
we read before we read them.

Fixes: Coverity 1458997
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20210812141803.20913-1-peter.maydell@linaro.org
2021-08-26 17:02:00 +01:00
..
bus.c nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
clock-vmstate.c hw/core/clock-vmstate: define a vmstate entry for clock state 2020-04-30 15:35:40 +01:00
clock.c clock: Add ClockPreUpdate callback event type 2021-03-08 17:20:01 +00:00
cpu-common.c hw/core/cpu: removed cpu_dump_statistics function 2021-06-03 18:10:31 +10:00
cpu-sysemu.c cpu: Move CPUClass::get_paging_enabled to SysemuCPUOps 2021-05-26 15:33:59 -07:00
fw-path-provider.c Include qemu/module.h where needed, drop it from qemu-common.h 2019-06-12 13:18:33 +02:00
generic-loader.c hw: Do not include hw/sysbus.h if it is not necessary 2021-05-02 17:24:50 +02:00
guest-loader.c hw: Do not include hw/sysbus.h if it is not necessary 2021-05-02 17:24:50 +02:00
guest-loader.h hw/core: implement a guest-loader to support static hypervisor guests 2021-03-10 15:34:11 +00:00
hotplug.c call HotplugHandler->plug() as the last step in device realization 2018-10-19 13:44:12 +02:00
irq.c Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
Kconfig hw/core: Only build guest-loader if libfdt is available 2021-03-17 07:17:46 +00:00
loader-fit.c hw/mips/boston: Fix Lesser GPL version number 2020-11-03 16:51:13 +01:00
loader.c hw/core/loader: In gunzip(), check index is in range before use, not after 2021-08-26 17:02:00 +01:00
machine-hmp-cmds.c hmp: Print "reserve" property of memory backends with "info memdev" 2021-06-15 20:27:38 +02:00
machine-qmp-cmds.c qmp: Include "reserve" property of memory backends 2021-06-15 20:27:38 +02:00
machine.c hw/core: fix error checking in smp_parse 2021-08-13 14:43:42 +02:00
meson.build cpu: Split as cpu-common / cpu-sysemu 2021-05-26 15:33:59 -07:00
nmi.c Include qemu/module.h where needed, drop it from qemu-common.h 2019-06-12 13:18:33 +02:00
null-machine.c Do not include sysemu/sysemu.h if it's not really necessary 2021-05-02 17:24:50 +02:00
numa.c numa: Parse initiator= attribute before cpus= attribute 2021-07-13 09:21:01 -04:00
or-irq.c hw/core/or-irq: Fix incorrect assert forbidding num-lines == MAX_OR_LINES 2020-01-30 16:02:01 +00:00
platform-bus.c nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
ptimer.c ptimer: Add new ptimer_set_period_from_clock() function 2021-01-29 15:54:42 +00:00
qdev-clock.c clock: Add ClockEvent parameter to callbacks 2021-03-08 17:20:01 +00:00
qdev-fw.c Include hw/qdev-properties.h less 2019-08-16 13:31:53 +02:00
qdev-prop-internal.h qdev: Make qdev_propinfo_get_uint16() static 2020-12-15 10:02:07 -05:00
qdev-properties-system.c qdev: Rename qdev_get_prop_ptr() to object_field_prop_ptr() 2020-12-18 15:20:18 -05:00
qdev-properties.c qdev: Avoid unnecessary DeviceState* variable at set_prop_arraylen() 2020-12-18 15:20:18 -05:00
qdev.c machine: introduce MachineInitPhase 2020-12-15 12:51:52 -05:00
register.c hw/core/register.c: Don't use '#' flag of printf format 2020-12-17 21:56:43 -08:00
reset.c qemu/queue.h: leave head structs anonymous unless necessary 2019-01-11 15:46:55 +01:00
resettable.c hw/core: deprecate old reset functions and introduce new ones 2020-01-30 16:02:04 +00:00
split-irq.c qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
stream.c hw/core/stream: Rename StreamSlave as StreamSink 2020-12-10 12:15:04 -05:00
sysbus.c nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
trace-events hw/core/clock: trace clock values in Hz instead of ns 2020-10-27 11:10:44 +00:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00
uboot_image.h Support u-boot noload images for arm as used by, NetBSD/evbarm GENERIC kernel. 2019-01-07 15:46:20 +00:00
vm-change-state-handler.c sysemu: Split sysemu/runstate.h off sysemu/sysemu.h 2019-08-16 13:37:36 +02:00
vmstate-if.c vmstate: add qom interface to get id 2020-01-06 18:41:32 +04:00