Multiple places in QEMU map guest memory, then access it directly. Unfortunately, since we are using C, there's always a chance that we'll miss a bounds check when we do this. This has the potential to corrupt QEMU memory.
As a mitigation strategy against such exploits, allocate a page in HVA space on top of each RAM chunk with PROT_NONE protection. Buffer overflows will now cause QEMU to crash.

This is a repost, combining separate patches into a single series. No changes to patches themselves.

Michael S. Tsirkin (4):
  oslib: rework anonimous RAM allocation
  oslib: allocate PROT_NONE pages on top of RAM
  exec: allocate PROT_NONE pages on top of RAM
  exec: factor out duplicate mmap code

 include/qemu/mmap-alloc.h | 10 +++++++++
 exec.c                    | 19 ++++++++++++-----
 util/mmap-alloc.c         | 52 +++++++++++++++++++++++++++++++++++++++++++++++
 util/oslib-posix.c        | 20 ++++-------------
 util/Makefile.objs        |  2 +-
 5 files changed, 81 insertions(+), 22 deletions(-)
 create mode 100644 include/qemu/mmap-alloc.h
 create mode 100644 util/mmap-alloc.c

--
MST
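The guard-page idea described in the cover letter, as an added C example that is not part of this series or of QEMU: reserve the RAM chunk plus one extra page with PROT_NONE, open only the chunk for access, and confirm with a SIGSEGV probe that a write one byte past the chunk faults instead of landing. The function names (ram_alloc_guarded, write_faults, guard_demo) are my own and assumed, not QEMU's.

```c
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <sys/mman.h>
#include <unistd.h>
static size_t page_size(void) { return (size_t)sysconf(_SC_PAGESIZE); }
static size_t round_up(size_t n) { return (n + page_size() - 1) & ~(page_size() - 1); }
/* Reserve the chunk plus one page with no access, then open only the chunk;
 * the trailing page stays PROT_NONE and acts as the guard. (Example code.) */
static void *ram_alloc_guarded(size_t size)
{
    size_t usable = round_up(size);
    void *ptr = mmap(NULL, usable + page_size(), PROT_NONE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (ptr == MAP_FAILED) return NULL;
    if (mprotect(ptr, usable, PROT_READ | PROT_WRITE) != 0) {
        munmap(ptr, usable + page_size());
        return NULL;
    }
    return ptr;
}
static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }
/* Probe: 1 if writing ptr[offset] faults (SIGSEGV caught and turned into a longjmp), 0 if it lands. */
static int write_faults(unsigned char *ptr, size_t offset)
{
    struct sigaction sa = { 0 }, old;
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    volatile int faulted = 1;
    if (sigsetjmp(fault_env, 1) == 0) {
        ptr[offset] = 0x41;  /* the off-by-one a missed bounds check lets through */
        faulted = 0;
    }
    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}
/* 0 when in-bounds writes land and the first byte past the chunk faults;
 * a nonzero value names the step that went wrong. */
static int guard_demo(size_t size)
{
    size_t end = round_up(size);
    unsigned char *ram = ram_alloc_guarded(size);
    if (!ram) return 1;
    int rc = write_faults(ram, 0) ? 2 : write_faults(ram, end - 1) ? 3
           : !write_faults(ram, end) ? 4 : 0;
    munmap(ram, end + page_size());
    return rc;
}
```

Without the guard page the same one-byte overrun would silently land in whatever mapping follows the chunk; with it, the process takes SIGSEGV, which is the crash the series aims for.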