Check incoming_posn to avoid out-of-bounds array accesses if the ivshmem
server on the host sends invalid values.
Cc: Cam Macdonell <c...@cs.ualberta.ca>
Reported-by: Sebastian Krahmer <krah...@suse.de>
Signed-off-by: Stefan Hajnoczi <stefa...@redhat.com>
---
hw/misc/ivshmem.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/hw/misc/ivshmem.c b/hw/misc/ivshmem.c
index 78363ce..25c22b7 100644
--- a/hw/misc/ivshmem.c
+++ b/hw/misc/ivshmem.c
@@ -383,6 +383,9 @@ static void close_guest_eventfds(IVShmemState *s, int posn)
if (!ivshmem_has_feature(s, IVSHMEM_IOEVENTFD)) {
return;
}
+ if (posn < 0 || posn > s->nb_peers) {
+ return;
+ }
guest_curr_max = s->peers[posn].nb_eventfds;
@@ -433,6 +436,12 @@ static void ivshmem_read(void *opaque, const uint8_t *
buf, int size)
}
memcpy(&incoming_posn, buf, sizeof(long));
+
+ if (incoming_posn < -1) {
+ IVSHMEM_DPRINTF("invalid incoming_posn %ld\n", incoming_posn);
+ return;
+ }
+
/* pick off s->server_chr->msgfd and store it, posn should accompany msg */
tmp_fd = qemu_chr_fe_get_msgfd(s->server_chr);
IVSHMEM_DPRINTF("posn is %ld, fd is %d\n", incoming_posn, tmp_fd);
--
1.9.0
