Am 14.04.2014 16:26, schrieb Peter Maydell:
> On 31 March 2014 08:08, Stefan Hajnoczi <stefa...@redhat.com> wrote:
>> Check incoming_posn to avoid out-of-bounds array accesses if the ivshmem
>> server on the host sends invalid values.
>>
>> Cc: Cam Macdonell <c...@cs.ualberta.ca>
>> Reported-by: Sebastian Krahmer <krah...@suse.de>
>> Signed-off-by: Stefan Hajnoczi <stefa...@redhat.com>
>> ---
>> hw/misc/ivshmem.c | 9 +++++++++
>> 1 file changed, 9 insertions(+)
>>
>> diff --git a/hw/misc/ivshmem.c b/hw/misc/ivshmem.c
>> index 78363ce..25c22b7 100644
>> --- a/hw/misc/ivshmem.c
>> +++ b/hw/misc/ivshmem.c
>> @@ -383,6 +383,9 @@ static void close_guest_eventfds(IVShmemState *s, int
>> posn)
>> if (!ivshmem_has_feature(s, IVSHMEM_IOEVENTFD)) {
>> return;
>> }
>> + if (posn < 0 || posn > s->nb_peers) {
>> + return;
>> + }
>>
>> guest_curr_max = s->peers[posn].nb_eventfds;
>
> Shouldn't the upper bound check be checking ">=", not ">" ?
Indeed, looks like it. We're allocating s->nb_peers * sizeof(Peer) in
increase_dynamic_storage() just below.
Regards,
Andreas
--
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg
