Message ID | 4692971516029191@web59g.yandex.ru |
---|---|
Series | m25p80: prevent buffer overflow during erasing | expand |
W dniu 15.01.2018 o 16:13, Aleksey Kuleshov pisze: > memset is not checked, so it's possible to go beyond the storage. > Add checks and truncate requested length. > > Signed-off-by: Aleksey Kuleshov <rndfax@yandex.ru> Acked-by: Marcin Krzemiński<mar.krzeminski@gmail.com> > --- > hw/block/m25p80.c | 10 ++++++++++ > 1 file changed, 10 insertions(+) > > diff --git a/hw/block/m25p80.c b/hw/block/m25p80.c > index ea142160b3..18ec501912 100644 > --- a/hw/block/m25p80.c > +++ b/hw/block/m25p80.c > @@ -539,6 +539,8 @@ static void flash_erase(Flash *s, int offset, FlashCMD cmd) > uint32_t len; > uint8_t capa_to_assert = 0; > > + assert(0 <= offset && offset < s->size); > + > switch (cmd) { > case ERASE_4K: > case ERASE4_4K: > @@ -581,6 +583,14 @@ static void flash_erase(Flash *s, int offset, FlashCMD cmd) > qemu_log_mask(LOG_GUEST_ERROR, "M25P80: erase with write protect!\n"); > return; > } > + > + if (offset + len > s->size) { > + qemu_log_mask(LOG_GUEST_ERROR, > + "M25P80: trying to erase beyond the flash size! " > + "Truncating the length...\n"); > + len = s->size - offset; > + } > + > memset(s->storage + offset, 0xff, len); > flash_sync_area(s, offset, len); > }
diff --git a/hw/block/m25p80.c b/hw/block/m25p80.c
index ea142160b3..18ec501912 100644
--- a/hw/block/m25p80.c
+++ b/hw/block/m25p80.c
@@ -539,6 +539,8 @@ static void flash_erase(Flash *s, int offset, FlashCMD cmd)
     uint32_t len;
     uint8_t capa_to_assert = 0;
 
+    assert(0 <= offset && offset < s->size);
+
     switch (cmd) {
     case ERASE_4K:
     case ERASE4_4K:
@@ -581,6 +583,14 @@ static void flash_erase(Flash *s, int offset, FlashCMD cmd)
         qemu_log_mask(LOG_GUEST_ERROR, "M25P80: erase with write protect!\n");
         return;
     }
+
+    if (offset + len > s->size) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "M25P80: trying to erase beyond the flash size! "
+                      "Truncating the length...\n");
+        len = s->size - offset;
+    }
+
     memset(s->storage + offset, 0xff, len);
     flash_sync_area(s, offset, len);
 }
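Review bot: The `assert(0 <= offset && offset < s->size);` added in the first hunk turns an out-of-range erase offset into an abort of the whole emulator process, whereas the second hunk handles the analogous length overrun as a guest error that is logged and tolerated; if the offset is derived from guest-supplied command bytes (the caller is not in the hunk, so this is inferred from the function's role), a misbehaving guest can crash QEMU rather than just being logged. The two hunks should use the same policy: replace the assert with `if (offset < 0 || (uint32_t)offset >= s->size) { qemu_log_mask(LOG_GUEST_ERROR, "M25P80: erase offset out of range!\n"); return; }`, which also makes the later `s->size - offset` subtraction well-defined without relying on NDEBUG being unset. The second hunk's `offset + len > s->size` compares a signed `int` against `uint32_t`, which is only safe because the earlier check guarantees a non-negative offset; a one-line comment such as `/* offset is non-negative and < s->size, checked above */` above the comparison would make that dependency explicit. The body of flash_erase between the two hunks (where `len` is derived from `cmd`) is outside the hunks, so whether `len` can itself be large enough to wrap the sum is not visible here.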
The length passed to memset is not checked against the flash size, so an erase can write beyond the storage buffer. Add checks and truncate the requested length. Signed-off-by: Aleksey Kuleshov <rndfax@yandex.ru> --- hw/block/m25p80.c | 10 ++++++++++ 1 file changed, 10 insertions(+)