
pc: check for underflow in load_linux

Message ID 1442225242-27908-1-git-send-email-pbonzini@redhat.com
State New

Commit Message

Paolo Bonzini Sept. 14, 2015, 10:07 a.m. UTC
If (setup_size+1)*512 is small enough, kernel_size -= setup_size can allocate
a huge amount of memory.  Avoid that.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 hw/i386/pc.c | 4 ++++
 1 file changed, 4 insertions(+)
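Added example, not code from the patch or from QEMU: a constructed stand-in for the header arithmetic in load_linux() that shows what the pre-patch `kernel_size -= setup_size` hands to g_malloc() when the kernel file is shorter than its real-mode setup area, next to the checked version the hunk introduces. It assumes kernel_size is an int and that the allocator's size parameter is unsigned (gsize/size_t); the header offsets come from the Linux x86 boot protocol (setup_sects at 0x1f1, boot signature at 0x1fe), and the function names, the scratch buffer and the sample images are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-in for the bzImage header handling in load_linux():
 * setup_sects lives at offset 0x1f1 of the boot sector (Linux x86 boot
 * protocol), a value of 0 means 4, and the real-mode setup occupies
 * (setup_sects + 1) 512-byte sectors.  kernel_size is the total file size.
 */
#define SETUP_SECTS_OFF 0x1f1
#define IMAGE_MAX       8192

static uint8_t image_buf[IMAGE_MAX];   /* scratch buffer for constructed images */

/* Build a minimal constructed header: boot signature plus the setup_sects byte.
 * Not a real kernel image. */
static const uint8_t *make_image(uint8_t setup_sects)
{
    memset(image_buf, 0, sizeof image_buf);
    image_buf[0x1fe] = 0x55;
    image_buf[0x1ff] = 0xaa;
    image_buf[SETUP_SECTS_OFF] = setup_sects;
    return image_buf;
}

/* Same arithmetic as the hunk: 0 -> 4, then (n + 1) * 512.
 * setup_sects is one byte, so the result is at most 256 * 512 and cannot overflow. */
static int setup_bytes(const uint8_t *image)
{
    int setup_size = image[SETUP_SECTS_OFF];
    if (setup_size == 0) {
        setup_size = 4;
    }
    return (setup_size + 1) * 512;
}

/* Pre-patch behaviour: the value g_malloc(kernel_size) would receive once the
 * (possibly negative) int is converted to an unsigned size.  For a file shorter
 * than its setup area this is a huge size_t. */
size_t unchecked_protected_mode_alloc(uint8_t setup_sects, int kernel_size)
{
    const uint8_t *image = make_image(setup_sects);
    kernel_size -= setup_bytes(image);
    return (size_t)kernel_size;
}

/* Post-patch behaviour: -1 where the patch prints "invalid kernel header" and
 * exits, otherwise the number of protected-mode bytes after the setup area. */
int checked_protected_mode_size(uint8_t setup_sects, int kernel_size)
{
    const uint8_t *image = make_image(setup_sects);
    int setup_size = setup_bytes(image);
    if (setup_size > kernel_size) {
        return -1;
    }
    return kernel_size - setup_size;
}

int main(void)
{
    printf("setup_sects=4, 4096-byte file: %d protected-mode bytes\n",
           checked_protected_mode_size(4, 4096));
    printf("setup_sects=255, 4096-byte file: unchecked request %zu bytes, checked %d\n",
           unchecked_protected_mode_alloc(255, 4096),
           checked_protected_mode_size(255, 4096));
    return 0;
}
```

With setup_sects = 255 and a 4096-byte file the unchecked path computes 4096 - 131072 = -126976 and, as an unsigned size, asks the allocator for SIZE_MAX - 126975 bytes; the checked path rejects the image before the subtraction. A file exactly as long as its setup area (for example setup_sects = 1 and 1024 bytes) still passes the strict `>` comparison and yields a zero-length protected-mode part.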

Comments

Michael Tokarev Sept. 16, 2015, 11:02 a.m. UTC | #1
14.09.2015 13:07, Paolo Bonzini wrote:
> If (setup_size+1)*512 is small enough, kernel_size -= setup_size can allocate
> a huge amount of memory.  Avoid that.

Applied to -trivial, thanks!

/mjt

Patch

diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index 56aecce..6a312bd 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -986,6 +986,10 @@  static void load_linux(PCMachineState *pcms,
         setup_size = 4;
     }
     setup_size = (setup_size+1)*512;
+    if (setup_size > kernel_size) {
+        fprintf(stderr, "qemu: invalid kernel header\n");
+        exit(1);
+    }
     kernel_size -= setup_size;
 
     setup  = g_malloc(setup_size);
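Review bot: the comparison on the first added line is strict, so a file exactly setup_size bytes long still passes and `kernel_size -= setup_size` leaves kernel_size at 0 for the protected-mode part; if a zero-length protected-mode image is not meant to be accepted, use `>=`, otherwise a short comment that the equal case is intentional would help the next reader. The message `qemu: invalid kernel header` also gives no hint of what was rejected; printing setup_size and kernel_size alongside it would make a truncated image much easier to diagnose.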