Re: [PATCH] hw/core/loader: Fix possible crash in rom_copy()

2019-09-25 Thread Philippe Mathieu-Daudé
On 9/26/19 7:58 AM, Thomas Huth wrote: > On 25/09/2019 22.51, Philippe Mathieu-Daudé wrote: > [...] >> Let's say I have write access to a LAN TFTP server used by some PXE >> bootloader where I can store my crafted nasty kernel, then I get this score: >> >> https://nvd.nist.gov/vuln-metrics/cvss/v3-

Re: [PATCH] hw/core/loader: Fix possible crash in rom_copy()

2019-09-25 Thread Thomas Huth
On 25/09/2019 22.51, Philippe Mathieu-Daudé wrote: [...] > Let's say I have write access to a LAN TFTP server used by some PXE > bootloader where I can store my crafted nasty kernel, then I get this score: > > https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:A/AC:L/PR:N/UI:N/S:C/C:H/

Re: [PATCH] hw/core/loader: Fix possible crash in rom_copy()

2019-09-25 Thread Thomas Huth
On 25/09/2019 22.51, Philippe Mathieu-Daudé wrote: > Hi Thomas, > > On 9/25/19 3:03 PM, Thomas Huth wrote: >> Both, "rom->addr" and "addr" are derived from the binary image >> that can be loaded with the "-kernel" parameter. The code in >> rom_copy() then calculates: >> >> d = dest + (rom->addr

Re: [PATCH] hw/core/loader: Fix possible crash in rom_copy()

2019-09-25 Thread Philippe Mathieu-Daudé
Hi Thomas, On 9/25/19 3:03 PM, Thomas Huth wrote: > Both, "rom->addr" and "addr" are derived from the binary image > that can be loaded with the "-kernel" parameter. The code in > rom_copy() then calculates: > > d = dest + (rom->addr - addr); > > and uses "d" as destination in a memcpy() some

Re: [PATCH] hw/core/loader: Fix possible crash in rom_copy()

2019-09-25 Thread Paolo Bonzini
On 25/09/19 15:22, Michael S. Tsirkin wrote: >> Both, "rom->addr" and "addr" are derived from the binary image >> that can be loaded with the "-kernel" parameter. The code in >> rom_copy() then calculates: >> >> d = dest + (rom->addr - addr); >> >> and uses "d" as destination in a memcpy() some

Re: [PATCH] hw/core/loader: Fix possible crash in rom_copy()

2019-09-25 Thread Michael S. Tsirkin
On Wed, Sep 25, 2019 at 03:03:31PM +0200, Thomas Huth wrote: > Both, "rom->addr" and "addr" are derived from the binary image > that can be loaded with the "-kernel" parameter. The code in > rom_copy() then calculates: > > d = dest + (rom->addr - addr); > > and uses "d" as destination in a memc

[PATCH] hw/core/loader: Fix possible crash in rom_copy()

2019-09-25 Thread Thomas Huth
Both, "rom->addr" and "addr" are derived from the binary image that can be loaded with the "-kernel" parameter. The code in rom_copy() then calculates: d = dest + (rom->addr - addr); and uses "d" as destination in a memcpy() some lines later. Now with bad kernel images, it is possible that rom-