| Message ID | 1322555735-32163-3-git-send-email-levinsasha928@gmail.com |
|---|---|
| State | Rejected |
| Headers | show |
On Tue, 29 Nov 2011, Sasha Levin wrote: > A guest could overwrite host memory by writing to cmos index bigger than 128. > > This patch adds a boundry check to limit it to that size. > > Cc: Alessandro Zummo <a.zummo@towertech.it> > Cc: rtc-linux@googlegroups.com > Signed-off-by: Sasha Levin <levinsasha928@gmail.com> > --- > tools/kvm/hw/rtc.c | 4 ++++ > 1 files changed, 4 insertions(+), 0 deletions(-) > > diff --git a/tools/kvm/hw/rtc.c b/tools/kvm/hw/rtc.c > index fad140f..1471521 100644 > --- a/tools/kvm/hw/rtc.c > +++ b/tools/kvm/hw/rtc.c > @@ -50,6 +50,8 @@ static bool cmos_ram_data_in(struct ioport *ioport, struct kvm *kvm, u16 port, v > ioport__write8(data, bin2bcd(tm->tm_year)); > break; > default: > + if (rtc.cmos_idx >= 128) > + break; > ioport__write8(data, rtc.cmos_data[rtc.cmos_idx]); > break; > } > @@ -65,6 +67,8 @@ static bool cmos_ram_data_out(struct ioport *ioport, struct kvm *kvm, u16 port, > /* Read-only */ > break; > default: > + if (rtc.cmos_idx >= 128) > + break; > rtc.cmos_data[rtc.cmos_idx] = ioport__read8(data); > break; > } We always clear highest bit in cmos_ram_index_out() so 'cmos_idx' can never be over 127. Pekka
On Tue, 2011-11-29 at 15:07 +0200, Pekka Enberg wrote: > On Tue, 29 Nov 2011, Sasha Levin wrote: > > A guest could overwrite host memory by writing to cmos index bigger than 128. > > > > This patch adds a boundry check to limit it to that size. > > > > Cc: Alessandro Zummo <a.zummo@towertech.it> > > Cc: rtc-linux@googlegroups.com > > Signed-off-by: Sasha Levin <levinsasha928@gmail.com> > > --- > > tools/kvm/hw/rtc.c | 4 ++++ > > 1 files changed, 4 insertions(+), 0 deletions(-) > > > > diff --git a/tools/kvm/hw/rtc.c b/tools/kvm/hw/rtc.c > > index fad140f..1471521 100644 > > --- a/tools/kvm/hw/rtc.c > > +++ b/tools/kvm/hw/rtc.c > > @@ -50,6 +50,8 @@ static bool cmos_ram_data_in(struct ioport *ioport, struct kvm *kvm, u16 port, v > > ioport__write8(data, bin2bcd(tm->tm_year)); > > break; > > default: > > + if (rtc.cmos_idx >= 128) > > + break; > > ioport__write8(data, rtc.cmos_data[rtc.cmos_idx]); > > break; > > } > > @@ -65,6 +67,8 @@ static bool cmos_ram_data_out(struct ioport *ioport, struct kvm *kvm, u16 port, > > /* Read-only */ > > break; > > default: > > + if (rtc.cmos_idx >= 128) > > + break; > > rtc.cmos_data[rtc.cmos_idx] = ioport__read8(data); > > break; > > } > > We always clear highest bit in cmos_ram_index_out() so 'cmos_idx' can > never be over 127. Right. Please ignore this patch :)
diff --git a/tools/kvm/hw/rtc.c b/tools/kvm/hw/rtc.c index fad140f..1471521 100644 --- a/tools/kvm/hw/rtc.c +++ b/tools/kvm/hw/rtc.c @@ -50,6 +50,8 @@ static bool cmos_ram_data_in(struct ioport *ioport, struct kvm *kvm, u16 port, v ioport__write8(data, bin2bcd(tm->tm_year)); break; default: + if (rtc.cmos_idx >= 128) + break; ioport__write8(data, rtc.cmos_data[rtc.cmos_idx]); break; } @@ -65,6 +67,8 @@ static bool cmos_ram_data_out(struct ioport *ioport, struct kvm *kvm, u16 port, /* Read-only */ break; default: + if (rtc.cmos_idx >= 128) + break; rtc.cmos_data[rtc.cmos_idx] = ioport__read8(data); break; }
A guest could overwrite host memory by writing to cmos index bigger than 128. This patch adds a boundry check to limit it to that size. Cc: Alessandro Zummo <a.zummo@towertech.it> Cc: rtc-linux@googlegroups.com Signed-off-by: Sasha Levin <levinsasha928@gmail.com> --- tools/kvm/hw/rtc.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-)