From mboxrd@z Thu Jan 1 00:00:00 1970 From: Sasha Levin Subject: [PATCH 3/3] kvm tools: Add boundry check for rtc cmos index Date: Tue, 29 Nov 2011 10:35:35 +0200 Message-ID: <1322555735-32163-3-git-send-email-levinsasha928@gmail.com> References: <1322555735-32163-1-git-send-email-levinsasha928@gmail.com> Cc: kvm@vger.kernel.org, mingo@elte.hu, asias.hejun@gmail.com, gorcunov@gmail.com, Sasha Levin , Alessandro Zummo , rtc-linux@googlegroups.com To: penberg@kernel.org Return-path: Received: from mail-ey0-f174.google.com ([209.85.215.174]:55419 "EHLO mail-ey0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753466Ab1K2IgC (ORCPT ); Tue, 29 Nov 2011 03:36:02 -0500 Received: by mail-ey0-f174.google.com with SMTP id k14so2746785eaa.19 for ; Tue, 29 Nov 2011 00:36:01 -0800 (PST) In-Reply-To: <1322555735-32163-1-git-send-email-levinsasha928@gmail.com> Sender: kvm-owner@vger.kernel.org List-ID: A guest could overwrite host memory by writing to cmos index bigger than 128. This patch adds a boundry check to limit it to that size. Cc: Alessandro Zummo Cc: rtc-linux@googlegroups.com Signed-off-by: Sasha Levin --- tools/kvm/hw/rtc.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/tools/kvm/hw/rtc.c b/tools/kvm/hw/rtc.c index fad140f..1471521 100644 --- a/tools/kvm/hw/rtc.c +++ b/tools/kvm/hw/rtc.c @@ -50,6 +50,8 @@ static bool cmos_ram_data_in(struct ioport *ioport, struct kvm *kvm, u16 port, v ioport__write8(data, bin2bcd(tm->tm_year)); break; default: + if (rtc.cmos_idx >= 128) + break; ioport__write8(data, rtc.cmos_data[rtc.cmos_idx]); break; } @@ -65,6 +67,8 @@ static bool cmos_ram_data_out(struct ioport *ioport, struct kvm *kvm, u16 port, /* Read-only */ break; default: + if (rtc.cmos_idx >= 128) + break; rtc.cmos_data[rtc.cmos_idx] = ioport__read8(data); break; } -- 1.7.8.rc3