Google Git
Sign in
qemu / qemu / 7174e54cf14290233f4ae3e989ebc7b507636e77
commit7174e54cf14290233f4ae3e989ebc7b507636e77[log] [tgz]
authorJan Kiszka <jan.kiszka@siemens.com>Mon Sep 30 12:35:13 2013 +0200
committerGleb Natapov <gleb@redhat.com>Fri Oct 04 13:13:16 2013 +0300
tree368e14461ebaedec159665866011bfb3e779b02c
parent2560f19f426aceb4f2e809d860b93e7573cb1c4e [diff]
kvmvapic: Prevent reading beyond the end of guest RAM

rom_state_paddr is guest provided (caller address of outw(VAPIC_PORT) +
writen 16-bit value) and can be influenced to point beyond the end of
the host memory backing the guest's RAM. Make sure we do not use this
pointer to actually read beyond the limits.

Reading arbitrary guest bytes is harmless, the guest kernel has to
manage access to this I/O port anyway.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Gleb Natapov <gleb@redhat.com>
1 file changed
tree: 368e14461ebaedec159665866011bfb3e779b02c
  1. audio/
  2. backends/
  3. block/
  4. bsd-user/
  5. default-configs/
  6. disas/
  7. docs/
  8. fpu/
  9. fsdev/
  10. gdb-xml/
  11. hw/
  12. include/
  13. libcacard/
  14. linux-headers/
  15. linux-user/
  16. net/
  17. pc-bios/
  18. po/
  19. qapi/
  20. qga/
  21. qobject/
  22. qom/
  23. roms/
  24. scripts/
  25. slirp/
  26. stubs/
  27. sysconfigs/
  28. target-alpha/
  29. target-arm/
  30. target-cris/
  31. target-i386/
  32. target-lm32/
  33. target-m68k/
  34. target-microblaze/
  35. target-mips/
  36. target-moxie/
  37. target-openrisc/
  38. target-ppc/
  39. target-s390x/
  40. target-sh4/
  41. target-sparc/
  42. target-unicore32/
  43. target-xtensa/
  44. tcg/
  45. tests/
  46. trace/
  47. ui/
  48. util/
  49. dtc
  50. pixman
  51. .exrc
  52. .gitignore
  53. .gitmodules
  54. .mailmap
  55. aio-posix.c
  56. aio-win32.c
  57. arch_init.c
  58. async.c
  59. balloon.c
  60. block-migration.c
  61. block.c
  62. blockdev-nbd.c
  63. blockdev.c
  64. blockjob.c
  65. bt-host.c
  66. bt-vhci.c
  67. Changelog
  68. CODING_STYLE
  69. configure
  70. COPYING
  71. COPYING.LIB
  72. coroutine-gthread.c
  73. coroutine-sigaltstack.c
  74. coroutine-ucontext.c
  75. coroutine-win32.c
  76. cpu-exec.c
  77. cpus.c
  78. cputlb.c
  79. device-hotplug.c
  80. device_tree.c
  81. disas.c
  82. dma-helpers.c
  83. dump.c
  84. exec.c
  85. gdbstub.c
  86. HACKING
  87. hmp-commands.hx
  88. hmp.c
  89. hmp.h
  90. iohandler.c
  91. ioport.c
  92. kvm-all.c
  93. kvm-stub.c
  94. LICENSE
  95. main-loop.c
  96. MAINTAINERS
  97. Makefile
  98. Makefile.objs
  99. Makefile.target
  100. memory.c
  101. memory_mapping.c
  102. migration-exec.c
  103. migration-fd.c
  104. migration-rdma.c
  105. migration-tcp.c
  106. migration-unix.c
  107. migration.c
  108. monitor.c
  109. nbd.c
  110. os-posix.c
  111. os-win32.c
  112. page_cache.c
  113. qapi-schema.json
  114. qdev-monitor.c
  115. qdict-test-data.txt
  116. qemu-bridge-helper.c
  117. qemu-char.c
  118. qemu-coroutine-io.c
  119. qemu-coroutine-lock.c
  120. qemu-coroutine-sleep.c
  121. qemu-coroutine.c
  122. qemu-doc.texi
  123. qemu-img-cmds.hx
  124. qemu-img.c
  125. qemu-img.texi
  126. qemu-io-cmds.c
  127. qemu-io.c
  128. qemu-log.c
  129. qemu-nbd.c
  130. qemu-nbd.texi
  131. qemu-options-wrapper.h
  132. qemu-options.h
  133. qemu-options.hx
  134. qemu-seccomp.c
  135. qemu-tech.texi
  136. qemu-timer.c
  137. qemu.nsi
  138. qemu.sasl
  139. qmp-commands.hx
  140. qmp.c
  141. qtest.c
  142. readline.c
  143. README
  144. rules.mak
  145. savevm.c
  146. spice-qemu-char.c
  147. tcg-runtime.c
  148. tci.c
  149. thread-pool.c
  150. thunk.c
  151. tpm.c
  152. trace-events
  153. translate-all.c
  154. translate-all.h
  155. user-exec.c
  156. VERSION
  157. version.rc
  158. vl.c
  159. xbzrle.c
  160. xen-all.c
  161. xen-mapcache.c
  162. xen-stub.c