On 25/09/19 15:22, Michael S. Tsirkin wrote: >> Both, "rom->addr" and "addr" are derived from the binary image >> that can be loaded with the "-kernel" paramer. The code in >> rom_copy() then calculates: >> >> d = dest + (rom->addr - addr); >> >> and uses "d" as destination in a memcpy() some lines later. Now with >> bad kernel images, it is possible that rom->addr is smaller than addr, >> thus "rom->addr - addr" gets negative and the memcpy() then tries to >> copy contents from the image to a bad memory location. In the best case, >> this just crashes QEMU, in the worst case, this could maybe be used to >> inject code from the kernel image into the QEMU binary, so we better fix >> it with an additional sanity check here. >> >> Cc: qemu-sta...@nongnu.org >> Reported-by: Guangming Liu >> Buglink: https://bugs.launchpad.net/qemu/+bug/1844635 >> Signed-off-by: Thomas Huth <th...@redhat.com> > > Reviewed-by: Michael S. Tsirkin <m...@redhat.com>
Queued, thanks. Paolo