From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:34747) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ewAGI-00038k-11 for qemu-devel@nongnu.org; Wed, 14 Mar 2018 13:32:26 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ewAGH-0004CZ-CC for qemu-devel@nongnu.org; Wed, 14 Mar 2018 13:32:26 -0400 From: Kevin Wolf Date: Wed, 14 Mar 2018 18:32:10 +0100 Message-Id: <20180314173213.18563-3-kwolf@redhat.com> In-Reply-To: <20180314173213.18563-1-kwolf@redhat.com> References: <20180314173213.18563-1-kwolf@redhat.com> Subject: [Qemu-devel] [PATCH 2/5] multiboot: Check validity of mh_header_addr List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: kwolf@redhat.com, qemu-stable@nongnu.org, jack.schwartz@oracle.com, anatol.pomozov@gmail.com, ppandit@redhat.com I couldn't find a case where this prevents something bad from happening that isn't already caught by other checks, but let's err on the safe side and check that mh_header_addr is as expected. Signed-off-by: Kevin Wolf --- hw/i386/multiboot.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c index 1e215bf8d3..5bc0a2cddb 100644 --- a/hw/i386/multiboot.c +++ b/hw/i386/multiboot.c @@ -229,6 +229,10 @@ int load_multiboot(FWCfgState *fw_cfg, error_report("invalid load_addr address"); exit(1); } + if (mh_header_addr - mh_load_addr > i) { + error_report("invalid header_addr address"); + exit(1); + } uint32_t mb_kernel_text_offset = i - (mh_header_addr - mh_load_addr); uint32_t mb_load_size = 0; -- 2.13.6