From: Paolo Bonzini <pbonzini@redhat.com>
To: qemu-devel@nongnu.org
Cc: Stefano Garzarella <sgarzare@redhat.com>
Subject: [Qemu-devel] [PULL 10/29] elf-ops.h: fix int overflow in load_elf()
Date: Mon, 16 Sep 2019 16:41:50 +0200
Message-ID: <1568644929-9124-11-git-send-email-pbonzini@redhat.com>
In-Reply-To: <1568644929-9124-1-git-send-email-pbonzini@redhat.com>

From: Stefano Garzarella <sgarzare@redhat.com>

This patch fixes a possible integer overflow when we calculate
the total size of ELF segments loaded.

Reported-by: Coverity (CID 1405299)
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Message-Id: <20190910124828.39794-1-sgarzare@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 hw/core/loader.c     | 2 ++
 include/hw/elf_ops.h | 5 +++++
 include/hw/loader.h  | 1 +
 3 files changed, 8 insertions(+)

diff --git a/hw/core/loader.c b/hw/core/loader.c
index 32f7cc7..75eb56d 100644
--- a/hw/core/loader.c
+++ b/hw/core/loader.c
@@ -338,6 +338,8 @@ const char *load_elf_strerror(int error)
         return "The image is from incompatible architecture";
     case ELF_LOAD_WRONG_ENDIAN:
         return "The image has incorrect endianness";
+    case ELF_LOAD_TOO_BIG:
+        return "The image segments are too big to load";
     default:
         return "Unknown error";
     }
diff --git a/include/hw/elf_ops.h b/include/hw/elf_ops.h
index 1496d7e..e07d276 100644
--- a/include/hw/elf_ops.h
+++ b/include/hw/elf_ops.h
@@ -485,6 +485,11 @@ static int glue(load_elf, SZ)(const char *name, int fd,
                 }
             }
 
+            if (mem_size > INT_MAX - total_size) {
+                ret = ELF_LOAD_TOO_BIG;
+                goto fail;
+            }
+
             /* address_offset is hack for kernel images that are
                linked at the wrong physical address.  */
             if (translate_fn) {
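Review bot: the guard `if (mem_size > INT_MAX - total_size)` has the right shape, since it rejects the segment without ever computing the sum, but it is only sound while total_size is non-negative and only useful if it runs before mem_size is added into total_size; neither the type of total_size nor the accumulation is visible in this hunk's context. Add a one-line comment above the check saying that total_size is the int returned by load_elf() and must stay at or below INT_MAX, and keep the check adjacent to the statement that accumulates mem_size into total_size so a later refactor cannot separate them. INT_MAX also needs <limits.h>; confirm it reaches this header through its existing includes rather than by accident.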
diff --git a/include/hw/loader.h b/include/hw/loader.h
index 07fd928..48a96cd 100644
--- a/include/hw/loader.h
+++ b/include/hw/loader.h
@@ -89,6 +89,7 @@ int load_image_gzipped(const char *filename, hwaddr addr, uint64_t max_sz);
 #define ELF_LOAD_NOT_ELF      -2
 #define ELF_LOAD_WRONG_ARCH   -3
 #define ELF_LOAD_WRONG_ENDIAN -4
+#define ELF_LOAD_TOO_BIG      -5
 const char *load_elf_strerror(int error);
 
 /** load_elf_ram_sym:
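Review bot: ELF_LOAD_TOO_BIG as -5 keeps the error codes contiguous and the companion hunk in hw/core/loader.c adds the matching load_elf_strerror() string, but nothing near the defines says that a negative return from the load_elf* functions is one of these codes. A short comment above the ELF_LOAD_* block, or a sentence in the load_elf doc comment in this header, pointing callers to load_elf_strerror() would make the new code discoverable and make clear that the two places must be extended together.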
-- 
1.8.3.1