qemu-irix/hw
Michael S. Tsirkin 5b7236f725 cadence_uart: bounds check write offset
cadence_uart_init() initializes an I/O memory region of size 0x1000
bytes.  However in uart_write(), the 'offset' parameter (offset within
region) is divided by 4 and then used to index the array 'r' of size
CADENCE_UART_R_MAX which is much smaller: (0x48/4).  If 'offset>>=2'
exceeds CADENCE_UART_R_MAX, this will cause an out-of-bounds memory
write where the offset and the value are controlled by guest.

This will corrupt QEMU memory; in most situations this causes the VM to
crash.

Fix by checking the offset against the array size.

Cc: qemu-stable@nongnu.org
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Message-id: 20160418100735.GA517@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 5eb0b194e9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2016-05-09 11:55:58 -05:00
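The out-of-bounds write the commit message describes, as an added worked example that is not QEMU's own code. The numbers come from the message (a 0x1000-byte region, a register array of 0x48/4 entries, the offset shifted right by 2); the `uart_model` struct, the sentinel-filled "neighbouring memory", the `hwaddr` typedef and the helper names are assumptions made here so that the pre-fix and post-fix write paths can be compared side by side without actually corrupting the heap.

```c
/* Added example (not QEMU's code): a simplified model of the cadence_uart
 * MMIO write path before and after the bounds check. Sizes are taken from
 * the commit message above; everything else is an assumption made for
 * illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint64_t hwaddr;                     /* guest bus address, as in QEMU */

#define CADENCE_UART_REGION_SIZE 0x1000      /* region size from cadence_uart_init() */
#define CADENCE_UART_R_MAX       (0x48 / 4)  /* 18 real registers, per the message */
#define REGION_WORDS             (CADENCE_UART_REGION_SIZE / 4)
#define SENTINEL                 0xA5A5A5A5u

/* Hypothetical model: the register file 'r' is the first R_MAX words of one
 * allocation; the rest stands in for whatever QEMU keeps after the device
 * state. One array keeps the stray write observable and well defined. */
struct uart_model {
    uint32_t words[REGION_WORDS];
};

static void model_init(struct uart_model *m)
{
    memset(m->words, 0, sizeof m->words);
    for (size_t i = CADENCE_UART_R_MAX; i < REGION_WORDS; i++)
        m->words[i] = SENTINEL;              /* "neighbouring" memory */
}

/* Pre-fix behaviour: index r[] with offset/4 and no range check. The guest
 * controls both offset (0..0xfff, so index 0..0x3ff) and value.
 * Returns 1 if the write landed outside r[], 0 if it hit a real register. */
static int uart_write_unchecked(struct uart_model *m, hwaddr offset, uint64_t value)
{
    uint32_t *r = m->words;
    offset >>= 2;
    r[offset] = (uint32_t)value;
    return offset >= CADENCE_UART_R_MAX;
}

/* Post-fix behaviour: check the shifted offset against the array size, as
 * the message says. Returns 0 if applied, -1 if the write was dropped. */
static int uart_write_checked(struct uart_model *m, hwaddr offset, uint64_t value)
{
    uint32_t *r = m->words;
    offset >>= 2;
    if (offset >= CADENCE_UART_R_MAX)
        return -1;
    r[offset] = (uint32_t)value;
    return 0;
}

/* Number of sentinel words beyond r[] that a write has overwritten. */
static size_t corrupted_words(const struct uart_model *m)
{
    size_t n = 0;
    for (size_t i = CADENCE_UART_R_MAX; i < REGION_WORDS; i++)
        if (m->words[i] != SENTINEL)
            n++;
    return n;
}

/* Constructed guest writes: one valid register, the first offset past the
 * array (0x48), and the last offset the 0x1000-byte region accepts. */
static const hwaddr guest_offsets[] = { 0x00, 0x48, 0xffc };
#define N_OFFSETS (sizeof guest_offsets / sizeof guest_offsets[0])

/* Replay the constructed writes through one path and report the damage. */
static size_t replay(int use_check)
{
    struct uart_model m;
    model_init(&m);
    for (size_t i = 0; i < N_OFFSETS; i++) {
        if (use_check)
            uart_write_checked(&m, guest_offsets[i], 0x41414141);
        else
            uart_write_unchecked(&m, guest_offsets[i], 0x41414141);
    }
    return corrupted_words(&m);
}

int main(void)
{
    printf("corrupted words, unchecked path: %zu\n", replay(0));
    printf("corrupted words, checked path:   %zu\n", replay(1));
    return 0;
}
```

The unchecked path writes two words past the register file (offsets 0x48 and 0xffc); the checked path drops both and applies only the in-range write, which is the whole content of the fix.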
9pfs virtio-9p: use accessor to get thread_pool 2016-03-15 12:20:55 -05:00
acpi Fix memory leak on error 2015-11-26 14:27:52 +02:00
alpha Use DEFINE_MACHINE() to register all machines 2015-09-19 16:40:15 +02:00
arm xlnx-ep108: Fix minimum RAM check 2015-11-24 14:12:15 +00:00
audio Remove macros IO_READ_PROTO and IO_WRITE_PROTO 2015-10-19 09:03:53 +02:00
block xen/blkif: Avoid double access to src->nr_segments 2016-03-15 12:20:17 -05:00
bt bt: avoid unintended sign extension 2015-12-04 09:39:55 +03:00
char cadence_uart: bounds check write offset 2016-05-09 11:55:58 -05:00
core migration: allow machine to enforce configuration section migration 2016-03-22 17:20:12 -05:00
cpu icc_bus: drop the unused files 2015-10-02 16:22:02 -03:00
cris cris: Remove ELF_MACHINE from cpu.h 2015-09-25 12:04:43 +02:00
display vga: make sure vga register setup for vbe stays intact (CVE-2016-3712). 2016-05-08 20:56:43 -05:00
dma hw/dma/pxa2xx: Remove superfluous memset 2015-11-06 15:42:38 +03:00
gpio i.MX: Standardize i.MX GPIO debug 2015-10-27 15:59:46 +00:00
i2c i.MX: Standardize i.MX I2C debug 2015-10-27 15:59:46 +00:00
i386 i386: avoid null pointer dereference 2016-03-22 17:39:27 -05:00
ide ide: ahci: reset ncq object to unused on error 2016-03-22 17:40:20 -05:00
input hw/input/tsc210x: Remove superfluous memset 2015-11-06 15:42:38 +03:00
intc hw/arm_gic: Correctly restore nested irq priority 2015-11-19 12:09:52 +00:00
ipack
isa hw/isa/lpc_ich9: inject the SMI on the VCPU that is writing to APM_CNT 2015-10-22 14:39:09 +03:00
lm32 ui/opengl: Reduce build required libraries for opengl 2015-11-03 10:13:42 +01:00
m68k m68k: Remove ELF_MACHINE from cpu.h 2015-09-25 12:04:43 +02:00
mem memory: Convert to new qapi union layout 2015-11-02 08:30:28 +01:00
microblaze mb: Remove ELF_MACHINE from cpu.h 2015-09-25 12:04:43 +02:00
mips gt64xxx: fix decoding of ISD register 2015-12-04 09:39:55 +03:00
misc ivshmem: remove redundant assignment, fix crash with msi=off 2016-03-15 12:35:51 -05:00
moxie moxie: Remove ELF_MACHINE from cpu.h 2015-09-25 12:04:43 +02:00
net net: ne2000: fix bounds check in ioport operations 2016-03-22 17:40:34 -05:00
nvram fw_cfg: unbreak migration compatibility for 2.4 and earlier machines 2016-03-17 17:33:59 -05:00
openrisc * First batch of MAINTAINERS updates 2015-09-25 21:52:30 +01:00
pci fix bad indentation in pcie_cap_slot_write_config() 2015-11-06 15:42:38 +03:00
pci-bridge
pci-host i440fx: print an error message if user tries to enable iommu 2015-11-17 15:41:13 +02:00
pcmcia hw: do not pass NULL to memory_region_init from instance_init 2015-10-09 15:25:56 +02:00
ppc spapr: skip configuration section during migration of older machines 2016-03-17 17:17:33 -05:00
s390x s390x/css: fix control flags during csch 2016-03-17 16:42:26 -05:00
scsi scsi: initialise info object with appropriate size 2016-03-15 12:21:11 -05:00
sd sd: Mark brittle abuse of blk_attach_dev() FIXME 2015-12-07 17:13:10 +00:00
sh4 Use DEFINE_MACHINE() to register all machines 2015-09-19 16:40:15 +02:00
smbios smbios: add smbios 3.0 support 2015-09-07 10:39:28 +01:00
sparc sparc: Remove ELF_MACHINE from cpu.h 2015-09-25 12:04:44 +02:00
sparc64 sparc: Remove ELF_MACHINE from cpu.h 2015-09-25 12:04:44 +02:00
ssi arm: Use g_new() & friends where that makes obvious sense 2015-09-07 10:39:27 +01:00
timer hw/timer/hpet.c: Avoid signed integer overflow which results in bugs on OSX 2015-11-09 15:48:21 +00:00
tpm tpm: avoid clang shifting negative signed warning 2015-11-17 18:35:56 +08:00
tricore tricore: Remove ELF_MACHINE from cpu.h 2015-09-25 12:04:44 +02:00
unicore32 Use DEFINE_MACHINE() to register all machines 2015-09-19 16:40:15 +02:00
usb Revert "ehci: make idt processing more robust" 2016-05-08 22:37:18 -05:00
vfio vfio: Use g_new() & friends where that makes obvious sense 2015-11-10 12:11:08 -07:00
virtio vhost-user: don't merge regions with different fds 2016-03-17 17:36:07 -05:00
watchdog i6300esb: remove muldiv64() 2015-09-25 14:52:17 +02:00
xen xen: fix invalid assertion 2015-11-06 15:42:38 +03:00
xenpv xen: fix usage of xc_domain_create in domain builder 2015-11-13 17:38:06 +00:00
xtensa target-xtensa: xtfpga: attach FLASH to system IO 2015-10-21 21:28:33 +03:00
Makefile.objs