hw/core/loader: Fix possible crash in rom_copy()

Both, "rom->addr" and "addr" are derived from the binary image that can be loaded with the "-kernel" paramer. The code in rom_copy() then calculates: d = dest + (rom->addr - addr); and uses "d" as destination in a memcpy() some lines later. Now with bad kernel images, it is possible that rom->addr is smaller than addr, thus "rom->addr - addr" gets negative and the memcpy() then tries to copy contents from the image to a bad memory location. This could maybe be used to inject code from a kernel image into the QEMU binary, so we better fix it with an additional sanity check here. Cc: qemu-stable@nongnu.org Reported-by: Guangming Liu Buglink: https://bugs.launchpad.net/qemu/+bug/1844635 Message-Id: <20190925130331.27825-1-thuth@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
2025-12-11 16:00:50 -07:00 · 2019-09-25 14:16:43 +02:00 · 2019-09-25 14:16:43 +02:00 · e423455c4f
commit e423455c4f
parent cd4fc14207
1 changed files with 1 additions and 1 deletions
--- a/hw/core/loader.c
+++ b/hw/core/loader.c
@ -1281,7 +1281,7 @@ int rom_copy(uint8_t *dest, hwaddr addr, size_t size)
        if (rom->addr + rom->romsize < addr) {
            continue;
        }
-        if (rom->addr > end) {
+        if (rom->addr > end || rom->addr < addr) {
            break;
        }