Google Git
Sign in
qemu / qemu / a3995360aeec62902f045142840c1fd334e9725f
commita3995360aeec62902f045142840c1fd334e9725f[log] [tgz]
authorJonathan Cameron <Jonathan.Cameron@huawei.com>Fri Nov 01 13:39:11 2024 +0000
committerMichael S. Tsirkin <mst@redhat.com>Mon Nov 04 16:03:25 2024 -0500
tree963caea53cba84d6861512d8dbbf25b2b6636e36
parentf4a12ba66bebfe200d7f56015c1cd5af321ab152 [diff]
hw/cxl: Check enough data in cmd_firmware_update_transfer()

Buggy guest can write a message that advertises more data that
is provided. As QEMU internally duplicates the reported message
size, this may result in an out of bounds access.
Add sanity checks on the size to avoid this.

Reported-by: Esifiel <esifiel@gmail.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Message-Id: <20241101133917.27634-5-Jonathan.Cameron@huawei.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
1 file changed
tree: 963caea53cba84d6861512d8dbbf25b2b6636e36
  1. .github/
  2. .gitlab/
  3. .gitlab-ci.d/
  4. accel/
  5. audio/
  6. authz/
  7. backends/
  8. block/
  9. bsd-user/
  10. chardev/
  11. common-user/
  12. configs/
  13. contrib/
  14. crypto/
  15. disas/
  16. docs/
  17. dump/
  18. ebpf/
  19. fpu/
  20. fsdev/
  21. gdb-xml/
  22. gdbstub/
  23. host/
  24. hw/
  25. include/
  26. io/
  27. libdecnumber/
  28. linux-headers/
  29. linux-user/
  30. migration/
  31. monitor/
  32. nbd/
  33. net/
  34. pc-bios/
  35. plugins/
  36. po/
  37. python/
  38. qapi/
  39. qga/
  40. qobject/
  41. qom/
  42. replay/
  43. roms/
  44. rust/
  45. scripts/
  46. scsi/
  47. semihosting/
  48. stats/
  49. storage-daemon/
  50. stubs/
  51. subprojects/
  52. system/
  53. target/
  54. tcg/
  55. tests/
  56. tools/
  57. trace/
  58. ui/
  59. util/
  60. .dir-locals.el
  61. .editorconfig
  62. .exrc
  63. .gdbinit
  64. .git-blame-ignore-revs
  65. .gitattributes
  66. .gitignore
  67. .gitlab-ci.yml
  68. .gitmodules
  69. .gitpublish
  70. .mailmap
  71. .patchew.yml
  72. .readthedocs.yml
  73. .travis.yml
  74. block.c
  75. blockdev-nbd.c
  76. blockdev.c
  77. blockjob.c
  78. configure
  79. COPYING
  80. COPYING.LIB
  81. cpu-common.c
  82. cpu-target.c
  83. event-loop-base.c
  84. gitdm.config
  85. hmp-commands-info.hx
  86. hmp-commands.hx
  87. iothread.c
  88. job-qmp.c
  89. job.c
  90. Kconfig
  91. Kconfig.host
  92. LICENSE
  93. MAINTAINERS
  94. Makefile
  95. meson.build
  96. meson_options.txt
  97. module-common.c
  98. os-posix.c
  99. os-win32.c
  100. page-target.c
  101. page-vary-common.c
  102. page-vary-target.c
  103. pythondeps.toml
  104. qemu-bridge-helper.c
  105. qemu-edid.c
  106. qemu-img-cmds.hx
  107. qemu-img.c
  108. qemu-io-cmds.c
  109. qemu-io.c
  110. qemu-keymap.c
  111. qemu-nbd.c
  112. qemu-options.hx
  113. qemu.nsi
  114. qemu.sasl
  115. README.rst
  116. replication.c
  117. trace-events
  118. VERSION
  119. version.rc