On 18 April 2016 at 21:50, Alistair Francis <alistair.fran...@xilinx.com> wrote: > On Mon, Apr 18, 2016 at 3:10 AM, Peter Maydell <peter.mayd...@linaro.org> > wrote: >> CCing the maintainers for this device... >> >> On 18 April 2016 at 11:07, Michael S. Tsirkin <m...@redhat.com> wrote: >>> cadence_uart_init() initializes an I/O memory region of size 0x1000 >>> bytes. However in uart_write(), the 'offset' parameter (offset within >>> region) is divided by 4 and then used to index the array 'r' of size >>> CADENCE_UART_R_MAX which is much smaller: (0x48/4). If 'offset>>=2' >>> exceeds CADENCE_UART_R_MAX, this will cause an out-of-bounds memory >>> write where the offset and the value are controlled by guest. >>> >>> This will corrupt QEMU memory, in most situations this causes the vm to >>> crash. >>> >>> Fix by checking the offset against the array size. >>> >>> Reported-by: 李强 <liqiang...@360.cn> >>> Signed-off-by: Michael S. Tsirkin <m...@redhat.com> > > Good catch. > > Reviewed-by: Alistair Francis <alistair.fran...@xilinx.com>
Applied to master, thanks (so this will be in rc3). I added a Cc: qemu-sta...@nongnu.org tag too. -- PMM
