From: Nelson Elhage <nelhage@mit.edu>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] [Bug 786208] [NEW] Missing checks for non-existent device in ide_exec_cmd
Date: Sat, 21 May 2011 15:28:06 -0000
Message-ID: <20110521152806.22761.57475.malonedeb@wampee.canonical.com>
In-Reply-To: 20110521152806.22761.57475.malonedeb@wampee.canonical.com
Public bug reported:
Several calls in the ide_exec_cmd handler are missing checks for (!s->bs) or similar, resulting in NULL pointer dereferences, divide-by-zero, or possibly other badness if the guest performs operations on a non-existent IDE master.

For example, the WIN_READ_NATIVE_MAX command does a 'ide_set_sector(s, s->nb_sectors - 1);', which does 'cyl = sector_num / (s->heads * s->sectors);', which will fail with a divide-by-zero if heads = sectors = 0.

And WIN_MULTREAD also does not check for s->bs, but does a 'ide_sector_read(s);', which will do 'bdrv_read(s->bs, sector_num, s->io_buffer, n);' on a NULL s->bs, leading to a segfault.

I do not *believe* that a malicious guest can do anything more than cause a crash with these bugs.
** Affects: qemu
Importance: Undecided
Status: New
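Added example, not code from the bug report or from QEMU's hw/ide/core.c: a reduced C model of the ide_exec_cmd -> ide_set_sector path the report describes, with the (!s->bs) check the report says is missing put in front of the CHS computation so an empty slot aborts the command instead of dividing by zero. The struct layout, the opcode value, the status/error bits and the single modelled command (WIN_READ_NATIVE_MAX only) are simplifying assumptions.

```c
/* Added model (not QEMU's hw/ide/core.c): names and layout simplified from the report. */
#include <stdint.h>
#include <stdbool.h>

#define WIN_READ_NATIVE_MAX 0xF8  /* ATA opcode named in the report (assumed value) */
#define ATA_ERR_BIT  0x01         /* Status register: ERR */
#define ATA_ABRT_BIT 0x04         /* Error register: ABRT */
#define ATA_DRDY_BIT 0x40         /* Status register: DRDY */

typedef struct BlockDriverState BlockDriverState;  /* opaque block backend */
typedef struct IDEState {
    BlockDriverState *bs;        /* NULL when no drive is attached to this slot */
    int heads, sectors;          /* CHS geometry; both 0 for an absent drive */
    int64_t nb_sectors;
    uint8_t hcyl, lcyl, sector, select, status, error;
} IDEState;

/* As quoted in the report: cyl = sector_num / (heads * sectors) with no guard.
 * With heads == sectors == 0 this divides by zero, so callers must check first. */
static void ide_set_sector(IDEState *s, int64_t sector_num)
{
    unsigned per_cyl = s->heads * s->sectors;
    unsigned cyl = sector_num / per_cyl, r = sector_num % per_cyl;
    s->hcyl = cyl >> 8;
    s->lcyl = cyl & 0xff;
    s->select = (s->select & 0xf0) | ((r / s->sectors) & 0x0f);
    s->sector = (r % s->sectors) + 1;
}

static void ide_abort_command(IDEState *s)
{
    s->status = ATA_ERR_BIT;
    s->error = ATA_ABRT_BIT;
}

/* The missing check: a media command aimed at an empty slot is aborted cleanly. */
bool ide_exec_cmd(IDEState *s, uint8_t cmd)
{
    if (cmd == WIN_READ_NATIVE_MAX) {
        if (!s->bs) {
            ide_abort_command(s);
            return false;
        }
        ide_set_sector(s, s->nb_sectors - 1);
        s->status = ATA_DRDY_BIT;
        return true;
    }
    ide_abort_command(s);  /* any other opcode is unknown in this model */
    return false;
}
```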
https://bugs.launchpad.net/bugs/786208