From patchwork Tue Nov 29 08:35:35 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [3/3] kvm tools: Add boundry check for rtc cmos index
Date: Mon, 28 Nov 2011 22:35:35 -0000
From: Sasha Levin <levinsasha928@gmail.com>
X-Patchwork-Id: 128235
Message-Id: <1322555735-32163-3-git-send-email-levinsasha928@gmail.com>
To: penberg@kernel.org
Cc: kvm@vger.kernel.org, mingo@elte.hu, asias.hejun@gmail.com,
 gorcunov@gmail.com, Sasha Levin <levinsasha928@gmail.com>,
 Alessandro Zummo <a.zummo@towertech.it>, rtc-linux@googlegroups.com

A guest could overwrite host memory by writing to cmos index bigger than 128.

This patch adds a boundry check to limit it to that size.

Cc: Alessandro Zummo <a.zummo@towertech.it>
Cc: rtc-linux@googlegroups.com
Signed-off-by: Sasha Levin <levinsasha928@gmail.com>

---
tools/kvm/hw/rtc.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/tools/kvm/hw/rtc.c b/tools/kvm/hw/rtc.c
index fad140f..1471521 100644
--- a/tools/kvm/hw/rtc.c
+++ b/tools/kvm/hw/rtc.c
@@ -50,6 +50,8 @@ static bool cmos_ram_data_in(struct ioport *ioport, struct kvm *kvm, u16 port, v
 		ioport__write8(data, bin2bcd(tm->tm_year));
 		break;
 	default:
+		if (rtc.cmos_idx >= 128)
+			break;
 		ioport__write8(data, rtc.cmos_data[rtc.cmos_idx]);
 		break;
 	}
@@ -65,6 +67,8 @@ static bool cmos_ram_data_out(struct ioport *ioport, struct kvm *kvm, u16 port,
 		/* Read-only */
 		break;
 	default:
+		if (rtc.cmos_idx >= 128)
+			break;
 		rtc.cmos_data[rtc.cmos_idx] = ioport__read8(data);
 		break;
 	}