* [Qemu-devel] [Bug 786208] [NEW] Missing checks for non-existent device in ide_exec_cmd
@ 2011-05-21 15:28 Nelson Elhage
From: Nelson Elhage @ 2011-05-21 15:28 UTC (permalink / raw)
  To: qemu-devel

Public bug reported:

Several calls in the ide_exec_cmd handler are missing checks for
(!s->bs) or similar, resulting in NULL pointer dereferences, divide-by-
zero, or possibly other badness if the guest performs operations on a
non-existent IDE master.

For example, the WIN_READ_NATIVE_MAX command does a 'ide_set_sector(s,
s->nb_sectors - 1);', which does 'cyl = sector_num / (s->heads *
s->sectors);', which will fail with a divide-by-zero if heads = sectors
= 0.

And WIN_MULTREAD also does not check for s->bs, but does a
'ide_sector_read(s);', which will do 'bdrv_read(s->bs, sector_num,
s->io_buffer, n);' on a NULL s->bs, leading to a segfault.

I do not *believe* that a malicious guest can do anything more than
cause a crash with these bugs.

** Affects: qemu
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/786208

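The following C model is an added illustration and is not QEMU's code nor part of the bug report above. It reduces the two command paths the report names (WIN_READ_NATIVE_MAX and WIN_MULTREAD) to a small dispatcher and puts the presence check the report says is missing in front of both. The `IDEState` and `BlockBackend` structs, the `_model` helpers and `ide_require_drive` are simplified assumptions; the opcodes and status/error bits are the ATA values, and the CHS arithmetic follows the shape of the quoted `ide_set_sector` line. QEMU's real code also has LBA/LBA48 paths and multi-sector transfers, which are omitted here.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified models of QEMU's IDE state (not the real structs). */
typedef struct { uint8_t *data; int64_t nb_sectors; } BlockBackend; /* 512-byte sectors */

typedef struct {
    BlockBackend *bs;                   /* NULL when no drive sits in this slot */
    int heads, sectors;                 /* CHS geometry; both 0 for an absent drive */
    int64_t nb_sectors;
    uint8_t status, error;
    uint8_t hcyl, lcyl, select, sector; /* task-file registers, CHS addressing only */
    uint8_t io_buffer[512];
} IDEState;

/* ATA opcodes and status/error bits as the ATA spec defines them. */
enum { WIN_READ_NATIVE_MAX = 0xF8, WIN_MULTREAD = 0xC4,
       READY_STAT = 0x40, ERR_STAT = 0x01, ABRT_ERR = 0x04 };

static void ide_abort_command_model(IDEState *s)
{
    s->status = READY_STAT | ERR_STAT;
    s->error  = ABRT_ERR;
}

/* CHS form of ide_set_sector: the division the report points at. */
static void ide_set_sector_model(IDEState *s, int64_t sector_num)
{
    int64_t cyl = sector_num / (s->heads * s->sectors); /* heads*sectors == 0 -> SIGFPE */
    int64_t r   = sector_num % (s->heads * s->sectors);
    s->hcyl   = (uint8_t)(cyl >> 8);
    s->lcyl   = (uint8_t)cyl;
    s->select = (uint8_t)((s->select & 0xf0) | ((r / s->sectors) & 0x0f));
    s->sector = (uint8_t)((r % s->sectors) + 1);
}

/* One-sector read through s->bs: the NULL dereference the report points at. */
static int ide_sector_read_model(IDEState *s)
{
    int64_t sector_num = (int64_t)((s->hcyl << 8) | s->lcyl) * s->heads * s->sectors + (s->select & 0x0f) * s->sectors + (s->sector - 1);
    if (sector_num < 0 || sector_num >= s->bs->nb_sectors) {
        ide_abort_command_model(s);
        return -1;
    }
    memcpy(s->io_buffer, s->bs->data + sector_num * 512, 512);
    s->status = READY_STAT;
    return 0;
}

/* The check the report says is missing; the geometry test also covers the divide above. */
static int ide_require_drive(IDEState *s)
{
    if (!s->bs || s->heads == 0 || s->sectors == 0) {
        ide_abort_command_model(s);      /* guest sees ERR/ABRT, host process stays up */
        return 0;
    }
    return 1;
}

int ide_exec_cmd_model(IDEState *s, uint8_t cmd)
{
    switch (cmd) {
    case WIN_READ_NATIVE_MAX:
        if (!ide_require_drive(s)) return -1;
        ide_set_sector_model(s, s->nb_sectors - 1);
        s->status = READY_STAT;
        return 0;
    case WIN_MULTREAD:                   /* single-sector stand-in for READ MULTIPLE */
        if (!ide_require_drive(s)) return -1;
        return ide_sector_read_model(s);
    default:
        ide_abort_command_model(s);
        return -1;
    }
}

/* Scenario 1: empty master slot (all-zero state, as a missing drive leaves it).
 * Returns 1 if both commands were rejected with ABRT instead of crashing. */
int demo_absent_master(void)
{
    IDEState s = {0};                    /* bs == NULL, heads == sectors == 0 */
    int r1 = ide_exec_cmd_model(&s, WIN_READ_NATIVE_MAX), e1 = s.error;
    int r2 = ide_exec_cmd_model(&s, WIN_MULTREAD), e2 = s.error;
    return r1 == -1 && r2 == -1 && e1 == ABRT_ERR && e2 == ABRT_ERR && (s.status & ERR_STAT);
}

/* Scenario 2: constructed 4-sector drive (2 heads x 2 sectors), sector i filled with
 * byte i. READ NATIVE MAX aims the CHS registers at the last sector, the read fetches
 * it; returns the first byte read, expected 3. */
int demo_attached_drive(void)
{
    static uint8_t disk[4 * 512];
    for (int i = 0; i < 4; i++) memset(disk + i * 512, i, 512);
    BlockBackend bb = { disk, 4 };
    IDEState s = {0};
    s.bs = &bb; s.heads = 2; s.sectors = 2; s.nb_sectors = 4;
    if (ide_exec_cmd_model(&s, WIN_READ_NATIVE_MAX) != 0) return -1;
    if (ide_exec_cmd_model(&s, WIN_MULTREAD) != 0) return -1;
    return s.io_buffer[0];
}
```

Deleting the two `ide_require_drive` calls and running `demo_absent_master` reproduces the report's two faults in this model: the all-zero state makes `heads * sectors` zero in `ide_set_sector_model` (SIGFPE) and leaves `s->bs` NULL for `ide_sector_read_model` (segfault). With the guard in place the guest gets the ATA ABRT error it would get from real hardware with no drive in the slot, which is the only behaviour the guest should be able to trigger.
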
Thread overview: 4+ messages
2011-05-21 15:28 [Qemu-devel] [Bug 786208] [NEW] Missing checks for non-existent device in ide_exec_cmd Nelson Elhage
2016-08-31 18:36 ` [Qemu-devel] [Bug 786208] " John Snow
2020-11-12  9:00 ` Thomas Huth
2021-01-12  4:17 ` Launchpad Bug Tracker