Multiple places in QEMU map guest memory, then access it directly. Unfortunately, since we are using C, there's always a chance that we'll miss a bounds check when we do this. This has the potential to corrupt QEMU memory.
As a mitigation strategy against such exploits, allocate a page in HVA space on top of each RAM chunk with PROT_NONE protection. Buffer overflows will now cause QEMU to crash.

Lightly tested.

Michael S. Tsirkin (3):
  oslib: rework anonimous RAM allocation
  oslib: allocate PROT_NONE pages on top of RAM
  exec: allocate PROT_NONE pages on top of RAM

 exec.c             | 42 +++++++++++++++++++++++++++++++++++++++---
 util/oslib-posix.c | 20 ++++++++++++++------
 2 files changed, 53 insertions(+), 9 deletions(-)

-- 
MST
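As an added illustration (not part of this patch series and not QEMU's oslib code), the following stand-alone C program does what the cover letter describes: it maps a RAM chunk with one PROT_NONE page directly after it, then performs an in-bounds store and a one-past-the-end store, trapping the SIGSEGV from the guard page with sigsetjmp/siglongjmp so the outcome can be reported instead of killing the process. The function names alloc_ram_with_guard, write_probe and guard_page_demo are my own.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Map `size` bytes of anonymous read-write RAM followed by one PROT_NONE
 * guard page. `size` is rounded up to a page so the guard sits directly after
 * the last valid byte. *total receives the full mapping length for munmap().
 * Illustrative code, not QEMU's implementation. */
static void *alloc_ram_with_guard(size_t size, size_t *total)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t ram = (size + page - 1) & ~(page - 1);
    size_t len = ram + page;

    /* Reserve RAM plus guard as one region so nothing else can be mapped between them. */
    void *base = mmap(NULL, len, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return NULL;
    /* Remove all permissions from the trailing page: any access to it faults. */
    if (mprotect((char *)base + ram, page, PROT_NONE) != 0) {
        munmap(base, len);
        return NULL;
    }
    *total = len;
    return base;
}

static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_seen;

static void on_segv(int sig)
{
    (void)sig;
    fault_seen = 1;
    siglongjmp(fault_env, 1);   /* unwind out of the faulting store */
}

/* Store one byte at base[off] with SIGSEGV trapped. Returns 1 if the store
 * faulted (it hit the guard page), 0 if it completed normally. */
static int write_probe(volatile uint8_t *base, size_t off)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    fault_seen = 0;
    if (sigsetjmp(fault_env, 1) == 0)   /* savesigs=1: signal mask restored on longjmp */
        base[off] = 0x41;

    sigaction(SIGSEGV, &old, NULL);
    return fault_seen;
}

/* Model the bug class the series targets: a missed bounds check that writes one
 * byte past a guest RAM chunk. ram_size should be page-aligned so the byte at
 * ram_size is the first byte of the guard. Returns -1 if mapping failed. */
static int guard_page_demo(size_t ram_size, int *in_bounds_faulted, int *overflow_faulted)
{
    size_t total;
    uint8_t *ram = alloc_ram_with_guard(ram_size, &total);
    if (!ram)
        return -1;
    *in_bounds_faulted = write_probe(ram, ram_size - 1);  /* last valid byte */
    *overflow_faulted  = write_probe(ram, ram_size);      /* first guard byte */
    munmap(ram, total);
    return 0;
}

int main(void)
{
    int in_bounds, overflow;
    size_t size = 4 * (size_t)sysconf(_SC_PAGESIZE);
    if (guard_page_demo(size, &in_bounds, &overflow) != 0) {
        perror("mmap");
        return 1;
    }
    printf("in-bounds write faulted:    %d\n", in_bounds);
    printf("one-past-end write faulted: %d\n", overflow);
    return 0;
}
```

Two caveats worth keeping in mind when reading the series. First, a guard page only converts overruns that actually touch it into a crash: an index that is far enough out of bounds to skip over the single PROT_NONE page lands in whatever happens to be mapped there, so this is a crash-on-detection mitigation, not a bounds check. Second, the guard is only tight if the RAM chunk ends on a page boundary; any padding between the last guest-visible byte and the guard is still writable and an overflow into it goes unnoticed. The PROT_NONE page itself costs a VMA entry but no physical memory.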