On 31/05/2024 16:41, Paolo Bonzini wrote:
> On Fri, May 31, 2024 at 5:20 PM Liam Merwick <liam.merw...@oracle.com> wrote:
>>> +    metadata = (OvmfSevMetadata *)(flash_ptr + flash_size - data->offset);
>>> +    if (memcmp(metadata->signature, "ASEV", 4) != 0) {
>>> +        return;
>>> +    }
>>> +
>>> +    ovmf_sev_metadata_table = g_malloc(metadata->len);
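
Review bot: metadata->len comes from the firmware image and is passed straight to g_malloc() on the last line, and in the lines shown data->offset is used to form the metadata pointer without being compared against flash_size, so the memcmp() on metadata->signature can read outside the flash image and the allocation size is whatever the image says. Before dereferencing, check that data->offset is at least sizeof(OvmfSevMetadata) and no larger than flash_size; before allocating, reject a metadata->len below sizeof(OvmfSevMetadata) or above the data->offset bytes that remain between metadata and the end of the image.
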
>>
>> There should be a bounds check on metadata->len before using it.
> 
> You mean like:
> 
>      if (metadata->len <= flash_size - data->offset) {
>          ovmf_sev_metadata_table = g_memdup2(metadata, metadata->len);
>      }
> 

Yeah, and maybe before that

if (metadata->len < sizeof(OvmfSevMetadata))
    return;

But the main thing would be checking the upper bound to avoid
allocating a huge amount of memory.

Regards,
Liam
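
The lower and upper bound checks discussed in this thread, applied before any allocation, as a stand-alone C example added here; it is not QEMU code. `MetaHeader`, `copy_metadata` and `try_len` are hypothetical names, the two-field header layout is an assumption, and the upper bound used is the number of bytes between the table start and the end of the image.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout: the thread shows only the `signature` and `len` fields. */
typedef struct {
    uint8_t  signature[4];
    uint32_t len;                 /* assumed: table length, header included */
} MetaHeader;

/* Copy the table starting `offset` bytes before the end of `flash`.
 * Returns a heap copy and sets *out_len, or NULL if a check fails. */
uint8_t *copy_metadata(const uint8_t *flash, size_t flash_size,
                       uint32_t offset, uint32_t *out_len)
{
    MetaHeader hdr;
    /* The header must lie inside the image before any field is read. */
    if (offset > flash_size || offset < sizeof(hdr)) {
        return NULL;
    }
    const uint8_t *p = flash + (flash_size - offset);
    memcpy(&hdr, p, sizeof(hdr));            /* no unaligned access */
    /* Lower bound: the header size. Upper bound: the `offset` bytes
     * that remain between p and the end of the image. */
    if (memcmp(hdr.signature, "ASEV", 4) != 0 ||
        hdr.len < sizeof(hdr) || hdr.len > offset) {
        return NULL;
    }
    uint8_t *copy = malloc(hdr.len);
    if (copy != NULL) {
        memcpy(copy, p, hdr.len);
        *out_len = hdr.len;
    }
    return copy;
}

/* Constructed 64-byte image with a header 32 bytes from the end;
 * returns the copied length, or -1 if the table was rejected. */
long try_len(uint32_t len, uint32_t offset)
{
    uint8_t flash[64] = {0};
    MetaHeader h = { {'A', 'S', 'E', 'V'}, len };
    uint32_t n = 0;
    memcpy(flash + 32, &h, sizeof(h));
    uint8_t *c = copy_metadata(flash, sizeof(flash), offset, &n);
    long r = c ? (long)n : -1;
    free(c);
    return r;
}
```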
