
From: "Christian A. Ehrhardt" <lk@c--e.de>
Date: Mon, 24 Oct 2022 17:42:33 +0200
Subject: hw/acpi/erst.c: Fix memory handling issues
- Fix memset argument order: The second argument is
  the value, the length goes last.
- Fix an integer overflow reported by Alexander Bulekov.
Both issues allow the guest to overrun the host buffer
allocated for the ERST memory device.
Cc: Eric DeVolder 
Cc: Alexander Bulekov <alxndr@bu.edu>
Cc: qemu-stable@nongnu.org
Fixes: f7e26ffa590 ("ACPI ERST: support for ACPI ERST feature")
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Christian A. Ehrhardt <lk@c--e.de>
Message-Id: <20221024154233.1043347-1-lk@c--e.de>
Fixes: https://gitlab.com/qemu-project/qemu/-/issues/1268
Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Eric DeVolder <eric.devolder@oracle.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit defb70980f6bed36100b74e84220f1764c0dd544)
Resolves: bsc#1205847
Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
---
 hw/acpi/erst.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/hw/acpi/erst.c b/hw/acpi/erst.c
index df856b2669a6c198d0019b846e03..aefcc03ad6b68f2b3de7dfebf609 100644
--- a/hw/acpi/erst.c
+++ b/hw/acpi/erst.c
@@ -635,7 +635,7 @@ static unsigned read_erst_record(ERSTDeviceState *s)
         if (record_length < UEFI_CPER_RECORD_MIN_SIZE) {
             rc = STATUS_FAILED;
         }
-        if ((s->record_offset + record_length) > exchange_length) {
+        if (record_length > exchange_length - s->record_offset) {
             rc = STATUS_FAILED;
         }
         /* If all is ok, copy the record to the exchange buffer */
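Review bot: The rewritten bound `record_length > exchange_length - s->record_offset` is only overflow-free if `s->record_offset` can never exceed `exchange_length`; both operands are unsigned, so an offset larger than the buffer makes the subtraction wrap to a huge value, the comparison passes, and a guest-chosen offset would again reach the copy that follows. I cannot see from this hunk where `record_offset` is set or validated, so if it is clamped at the register write this is fine; otherwise add `if (s->record_offset > exchange_length) { rc = STATUS_FAILED; }` immediately before this comparison, and a short comment noting that the subtraction relies on that invariant would help the next reader either way. The parallel check in write_erst_record in the next hunk has the same dependency. read_erst_record's body starts before and continues after this hunk.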
@@ -684,7 +684,7 @@ static unsigned write_erst_record(ERSTDeviceState *s)
     if (record_length < UEFI_CPER_RECORD_MIN_SIZE) {
         return STATUS_FAILED;
     }
-    if ((s->record_offset + record_length) > exchange_length) {
+    if (record_length > exchange_length - s->record_offset) {
         return STATUS_FAILED;
     }
 
@@ -716,7 +716,7 @@ static unsigned write_erst_record(ERSTDeviceState *s)
     if (nvram) {
         /* Write the record into the slot */
         memcpy(nvram, exchange, record_length);
-        memset(nvram + record_length, exchange_length - record_length, 0xFF);
+        memset(nvram + record_length, 0xFF, exchange_length - record_length);
         /* If a new record, increment the record_count */
         if (!record_found) {
             uint32_t record_count;