qemu-irix/hw/char
Michael S. Tsirkin 5b7236f725 cadence_uart: bounds check write offset
cadence_uart_init() initializes an I/O memory region of size 0x1000
bytes.  However in uart_write(), the 'offset' parameter (offset within
region) is divided by 4 and then used to index the array 'r' of size
CADENCE_UART_R_MAX which is much smaller: (0x48/4).  If 'offset>>=2'
exceeds CADENCE_UART_R_MAX, this will cause an out-of-bounds memory
write where the offset and the value are controlled by the guest.

This will corrupt QEMU memory; in most situations this causes the VM to
crash.

Fix by checking the offset against the array size.

Cc: qemu-stable@nongnu.org
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Message-id: 20160418100735.GA517@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 5eb0b194e9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2016-05-09 11:55:58 -05:00
Makefile.objs stm32f2xx_USART: Add the stm32f2xx USART Controller 2015-03-11 13:21:05 +00:00
cadence_uart.c cadence_uart: bounds check write offset 2016-05-09 11:55:58 -05:00
debugcon.c qdev: Remove hex8/32/64 property types 2014-02-14 21:12:04 +01:00
digic-uart.c sysbus: Make devices picking up backends unavailable with -device 2015-04-02 15:30:44 +02:00
escc.c input: Convert to new qapi union layout 2015-11-02 08:30:28 +01:00
etraxfs_ser.c hw: char: Remove unnecessary variable 2015-10-08 19:46:47 +03:00
exynos4210_uart.c maint: avoid useless "if (foo) free(foo)" pattern 2015-09-11 10:21:38 +03:00
grlib_apbuart.c grlib_apbuart: QOM cast cleanup 2013-07-29 21:06:27 +02:00
imx_serial.c i.MX: Standardize i.MX serial debug. 2015-10-27 13:16:21 +00:00
ipoctal232.c savevm: Remove all the unneeded version_minimum_id_old (rest) 2014-05-14 15:24:51 +02:00
lm32_juart.c sysbus: Make devices picking up backends unavailable with -device 2015-04-02 15:30:44 +02:00
lm32_uart.c sysbus: Make devices picking up backends unavailable with -device 2015-04-02 15:30:44 +02:00
mcf_uart.c hw: fix mask for ColdFire UART command register 2015-08-14 23:40:32 +02:00
milkymist-uart.c sysbus: Make devices picking up backends unavailable with -device 2015-04-02 15:30:44 +02:00
omap_uart.c arm: Use g_new() & friends where that makes obvious sense 2015-09-07 10:39:27 +01:00
parallel.c Move parallel_hds_isa_init to hw/isa/isa-bus.c 2015-06-05 17:09:58 +02:00
pl011.c sysbus: Make devices picking up backends unavailable with -device 2015-04-02 15:30:44 +02:00
sclpconsole-lm.c sclp: sort into categories 2015-04-30 13:21:41 +02:00
sclpconsole.c sclp: sort into categories 2015-04-30 13:21:41 +02:00
serial-isa.c serial: serial_hds_isa_init() shouldn't fail 2015-02-24 00:19:06 +01:00
serial-pci.c Include qapi/qmp/qerror.h exactly where needed 2015-06-22 18:20:41 +02:00
serial.c migration: Use normal VMStateDescriptions for Subsections 2015-06-12 06:53:57 +02:00
sh_serial.c sh4: Fix serial line access for Linux kernels later than 3.2 2013-10-02 22:55:28 +04:00
spapr_vty.c spapr-vty: Use TYPE_ definition instead of hardcoding 2015-07-07 17:44:53 +02:00
stm32f2xx_usart.c sysbus: Make devices picking up backends unavailable with -device 2015-04-02 15:30:44 +02:00
virtio-console.c virtio-console: notify chardev when writable 2015-05-29 09:56:01 +02:00
virtio-serial-bus.c virtio-serial: convert to virtio_map 2015-10-29 11:05:24 +02:00
xen_console.c sysemu: avoid proliferation of include/ subdirectories 2013-04-15 18:19:25 +02:00
xilinx_uartlite.c sysbus: Make devices picking up backends unavailable with -device 2015-04-02 15:30:44 +02:00