On 15.06.2018 08:58, Thomas Huth wrote: > The rom_ptr() function allows direct access to the ROM blobs that we > load during startup. However, there are currently no checks for the > size of the accesses, so it's currently possible to crash QEMU for > example with: > > $ echo "Insane in the mainframe" > /tmp/test.txt > $ s390x-softmmu/qemu-system-s390x -kernel /tmp/test.txt -append xyz > Segmentation fault (core dumped) > $ s390x-softmmu/qemu-system-s390x -kernel /tmp/test.txt -initrd /tmp/test.txt > Segmentation fault (core dumped) > > We need a possibility to check the size of the ROM area that we want > to access, thus let's add a size parameter to the rom_ptr() function > to avoid these problems. [...] > diff --git a/hw/sparc/sun4m.c b/hw/sparc/sun4m.c > index 0ee779f..2375cb2 100644 > --- a/hw/sparc/sun4m.c > +++ b/hw/sparc/sun4m.c > @@ -272,7 +272,7 @@ static unsigned long sun4m_load_kernel(const char > *kernel_filename, > } > if (initrd_size > 0) { > for (i = 0; i < 64 * TARGET_PAGE_SIZE; i += TARGET_PAGE_SIZE) { > - ptr = rom_ptr(KERNEL_LOAD_ADDR + i); > + ptr = rom_ptr(KERNEL_LOAD_ADDR + i, 24); > if (ldl_p(ptr) == 0x48647253) { // HdrS
Darn, that should check for ptr != NULL ... > stl_p(ptr + 16, INITRD_LOAD_ADDR); > stl_p(ptr + 20, initrd_size); > diff --git a/hw/sparc64/sun4u.c b/hw/sparc64/sun4u.c > index 1bede85..8b09090 100644 > --- a/hw/sparc64/sun4u.c > +++ b/hw/sparc64/sun4u.c > @@ -186,7 +186,7 @@ static uint64_t sun4u_load_kernel(const char > *kernel_filename, > } > if (*initrd_size > 0) { > for (i = 0; i < 64 * TARGET_PAGE_SIZE; i += TARGET_PAGE_SIZE) { > - ptr = rom_ptr(*kernel_addr + i); > + ptr = rom_ptr(*kernel_addr + i, 32); > if (ldl_p(ptr + 8) == 0x48647253) { /* HdrS */ ... ditto ... I'll send a v2. Thomas
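Review bot: in the sun4m hunk, `ldl_p(ptr)` still dereferences `ptr` without testing it for NULL, which is exactly the case the new size argument to `rom_ptr()` exists to report when fewer than 24 bytes are mapped at `KERNEL_LOAD_ADDR + i`; as the author already points out in the reply, guard it, e.g. `if (ptr && ldl_p(ptr) == 0x48647253) { // HdrS`. The value 24 itself looks right for this call site, since `stl_p(ptr + 20, initrd_size)` is the furthest access that follows.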
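Review bot: the sun4u hunk has the same gap: `ldl_p(ptr + 8)` runs unguarded right after `rom_ptr(*kernel_addr + i, 32)`, so a short kernel image still reaches the dereference the size parameter was meant to prevent; suggest `if (ptr && ldl_p(ptr + 8) == 0x48647253) { /* HdrS */`. A one-line comment at each call site saying which header offsets the 24 and 32 cover would also help, since the bare numbers otherwise read as arbitrary.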
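A simplified, constructed illustration of the bounds check the size parameter makes possible, together with the ptr != NULL test that the author says the call sites still need. This is added example code, not QEMU's own rom_ptr() implementation: the Rom struct, rom_ptr_checked(), ldl_be() (a big-endian stand-in for ldl_p() on SPARC targets) and the sample images are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
typedef struct {       /* constructed model; QEMU's Rom has more fields */
    uint64_t addr;     /* guest load address */
    size_t romsize;    /* bytes actually loaded from the file */
    uint8_t *data;     /* host copy of the blob */
} Rom;
/* Bounds-checked lookup: host pointer only if [addr, addr + size) lies inside
 * one blob, else NULL. Models the check the size parameter enables. */
static uint8_t *rom_ptr_checked(Rom *roms, size_t nroms, uint64_t addr,
                                size_t size)
{
    for (size_t i = 0; i < nroms; i++) {
        Rom *r = &roms[i];
        if (addr < r->addr || addr - r->addr >= r->romsize) {
            continue;                            /* start not in blob */
        }
        if (r->romsize - (addr - r->addr) < size) {
            return NULL;                         /* range past the end */
        }
        return r->data + (addr - r->addr);
    }
    return NULL;
}
/* Big-endian 32-bit load, standing in for ldl_p() on the SPARC targets. */
static uint32_t ldl_be(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | p[2] << 8 | p[3];
}
/* sun4m-style header probe with the ptr != NULL check the author noted;
 * 24 bytes because stl_p() later writes at offsets 16 and 20. */
static int has_hdrs_magic(Rom *roms, size_t nroms, uint64_t addr)
{
    uint8_t *ptr = rom_ptr_checked(roms, nroms, addr, 24);
    return ptr != NULL && ldl_be(ptr) == 0x48647253;  /* "HdrS" */
}
/* Constructed samples: a 24-byte image carrying the magic and a 10-byte one
 * like the truncated file in the bug report. demo() returns 1 if all hold. */
static uint8_t good_img[24] = { 'H', 'd', 'r', 'S' };
static uint8_t tiny_img[10] = { 'H', 'd', 'r', 'S' };
static int demo(void)
{
    Rom roms[2] = { { 0x4000, sizeof good_img, good_img },
                    { 0x8000, sizeof tiny_img, tiny_img } };
    int ok = has_hdrs_magic(roms, 2, 0x4000) == 1;       /* fits */
    ok &= has_hdrs_magic(roms, 2, 0x8000) == 0;          /* too short */
    ok &= has_hdrs_magic(roms, 2, 0x4008) == 0;          /* past end */
    ok &= rom_ptr_checked(roms, 2, 0x1000, 4) == NULL;   /* unmapped */
    return ok;
}
```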