From mboxrd@z Thu Jan  1 00:00:00 1970
From: Sasha Levin <levinsasha928@gmail.com>
Subject: Re: [PATCH 3/3] kvm tools: Add boundry check for rtc cmos index
Date: Tue, 29 Nov 2011 22:11:51 +0200
Message-ID: <1322597511.7003.16.camel@lappy>
References: <1322555735-32163-1-git-send-email-levinsasha928@gmail.com>
	 <1322555735-32163-3-git-send-email-levinsasha928@gmail.com>
	 <alpine.LFD.2.02.1111291506230.9333@tux.localdomain>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Cc: kvm@vger.kernel.org, mingo@elte.hu, asias.hejun@gmail.com,
	gorcunov@gmail.com, Alessandro Zummo <a.zummo@towertech.it>,
	rtc-linux@googlegroups.com
To: Pekka Enberg <penberg@kernel.org>
Return-path: <kvm-owner@vger.kernel.org>
Received: from mail-bw0-f46.google.com ([209.85.214.46]:32916 "EHLO
	mail-bw0-f46.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1756287Ab1K2UMD (ORCPT <rfc822;kvm@vger.kernel.org>);
	Tue, 29 Nov 2011 15:12:03 -0500
Received: by bkas6 with SMTP id s6so964693bka.19
        for <kvm@vger.kernel.org>; Tue, 29 Nov 2011 12:12:02 -0800 (PST)
In-Reply-To: <alpine.LFD.2.02.1111291506230.9333@tux.localdomain>
Sender: kvm-owner@vger.kernel.org
List-ID: <kvm.vger.kernel.org>

On Tue, 2011-11-29 at 15:07 +0200, Pekka Enberg wrote:
> On Tue, 29 Nov 2011, Sasha Levin wrote:
> > A guest could overwrite host memory by writing to cmos index bigger than 128.
> >
> > This patch adds a boundry check to limit it to that size.
> >
> > Cc: Alessandro Zummo <a.zummo@towertech.it>
> > Cc: rtc-linux@googlegroups.com
> > Signed-off-by: Sasha Levin <levinsasha928@gmail.com>
> > ---
> > tools/kvm/hw/rtc.c |    4 ++++
> > 1 files changed, 4 insertions(+), 0 deletions(-)
> >
> > diff --git a/tools/kvm/hw/rtc.c b/tools/kvm/hw/rtc.c
> > index fad140f..1471521 100644
> > --- a/tools/kvm/hw/rtc.c
> > +++ b/tools/kvm/hw/rtc.c
> > @@ -50,6 +50,8 @@ static bool cmos_ram_data_in(struct ioport *ioport, struct kvm *kvm, u16 port, v
> > 		ioport__write8(data, bin2bcd(tm->tm_year));
> > 		break;
> > 	default:
> > +		if (rtc.cmos_idx >= 128)
> > +			break;
> > 		ioport__write8(data, rtc.cmos_data[rtc.cmos_idx]);
> > 		break;
> > 	}
> > @@ -65,6 +67,8 @@ static bool cmos_ram_data_out(struct ioport *ioport, struct kvm *kvm, u16 port,
> > 		/* Read-only */
> > 		break;
> > 	default:
> > +		if (rtc.cmos_idx >= 128)
> > +			break;
> > 		rtc.cmos_data[rtc.cmos_idx] = ioport__read8(data);
> > 		break;
> > 	}
> 
> We always clear highest bit in cmos_ram_index_out() so 'cmos_idx' can 
> never be over 127.

Right. Please ignore this patch :)

-- 

Sasha.