On 25/09/2019 22.51, Philippe Mathieu-Daudé wrote: > Hi Thomas, > > On 9/25/19 3:03 PM, Thomas Huth wrote: >> Both, "rom->addr" and "addr" are derived from the binary image >> that can be loaded with the "-kernel" paramer. The code in >> rom_copy() then calculates: >> >> d = dest + (rom->addr - addr); >> >> and uses "d" as destination in a memcpy() some lines later. Now with >> bad kernel images, it is possible that rom->addr is smaller than addr, >> thus "rom->addr - addr" gets negative and the memcpy() then tries to >> copy contents from the image to a bad memory location. In the best case, >> this just crashes QEMU, in the worst case, this could maybe be used to >> inject code from the kernel image into the QEMU binary, so we better fix >> it with an additional sanity check here. >> >> Cc: qemu-sta...@nongnu.org >> Reported-by: Guangming Liu >> Buglink: https://bugs.launchpad.net/qemu/+bug/1844635 > > "This page does not exist, or you may not have permission to see it." > > This seems security related. Shouldn't we open a CVE for this? > https://wiki.qemu.org/SecurityProcess#CVE_allocation
I wrote to the security team before writing the patch, so I assume a CVE number is already on the way. I'll reply to this thread when it is available. Thomas
