From: Nelson Elhage
Date: Sat, 21 May 2011 15:28:06 -0000
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] [Bug 786208] [NEW] Missing checks for non-existent device in ide_exec_cmd
Message-Id: <20110521152806.22761.57475.malonedeb@wampee.canonical.com>
Reply-To: Bug 786208 <786208@bugs.launchpad.net>

Public bug reported:

Several calls in the ide_exec_cmd handler are missing checks for (!s->bs) or similar, resulting in NULL pointer dereferences, divide-by-zero, or possibly other badness if the guest performs operations on a non-existent IDE master.

For example, the WIN_READ_NATIVE_MAX command does a 'ide_set_sector(s, s->nb_sectors - 1);', which does 'cyl = sector_num / (s->heads * s->sectors);', which will fail with a divide-by-zero if heads = sectors = 0. And WIN_MULTREAD also does not check for s->bs, but does a 'ide_sector_read(s);', which will do 'bdrv_read(s->bs, sector_num, s->io_buffer, n);' on a NULL s->bs, leading to a segfault.

I do not *believe* that a malicious guest can do anything more than cause a crash with these bugs.

** Affects: qemu
   Importance: Undecided
   Status: New

--
You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/786208

Title:
  Missing checks for non-existent device in ide_exec_cmd

Status in QEMU:
  New
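The guard the report asks for, as an added illustration that is not QEMU's code: a hypothetical, stripped-down model of IDEState, the CHS conversion in ide_set_sector (which divides by heads * sectors and so traps when both are 0), and a command dispatcher that refuses WIN_READ_NATIVE_MAX and WIN_MULTREAD with an ATA "aborted command" status when no drive is attached (s->bs == NULL) instead of reaching the division or bdrv_read. The struct layout, the CMD_* result codes and ide_abort_command's status bits are assumptions for this example; the two opcodes are the standard ATA values.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for QEMU's block layer handle; only its address matters here. */
typedef struct BlockDriverState { int dummy; } BlockDriverState;

/* Simplified model of the IDE device state the report talks about. */
typedef struct IDEState {
    BlockDriverState *bs;      /* NULL when no drive is attached (the "non-existent master") */
    int heads, sectors;        /* both 0 for a missing drive -> heads * sectors == 0 */
    int64_t nb_sectors;
    int cyl, head, sector;     /* CHS registers written by ide_set_sector */
    uint8_t status, error;
} IDEState;

enum { WIN_MULTREAD = 0xC4, WIN_READ_NATIVE_MAX = 0xF8 };   /* ATA opcodes */
enum { CMD_OK = 0, CMD_ABORTED = 1, CMD_UNKNOWN = 2 };        /* assumed result codes */

/* The unguarded CHS conversion: divides by heads * sectors, which is 0 for a missing drive. */
static void ide_set_sector(IDEState *s, int64_t sector_num) {
    int64_t per_cyl = (int64_t)s->heads * s->sectors;
    int64_t r = sector_num % per_cyl;
    s->cyl = (int)(sector_num / per_cyl);
    s->head = (int)(r / s->sectors);
    s->sector = (int)(r % s->sectors) + 1;
}

/* Assumed equivalent of ide_abort_command(): READY|ERR status, ABRT error, no drive access. */
static void ide_abort_command(IDEState *s) { s->status = 0x41; s->error = 0x04; }

/* Hardened dispatcher: commands that touch the drive check s->bs before anything else. */
int ide_exec_cmd_checked(IDEState *s, uint8_t cmd) {
    switch (cmd) {
    case WIN_READ_NATIVE_MAX:
    case WIN_MULTREAD:
        if (!s->bs) {              /* the missing check from the report */
            ide_abort_command(s);
            return CMD_ABORTED;    /* guest sees an error, host process keeps running */
        }
        ide_set_sector(s, s->nb_sectors - 1);   /* safe: heads/sectors are non-zero here */
        return CMD_OK;
    default:
        return CMD_UNKNOWN;
    }
}

int main(void) {
    IDEState missing = {0};        /* constructed: no drive attached */
    int rc = ide_exec_cmd_checked(&missing, WIN_READ_NATIVE_MAX);
    printf("rc=%d status=0x%02x error=0x%02x\n", rc, missing.status, missing.error);
    return 0;
}
```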