From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Eduardo Habkost" <eduardo@habkost.net>,
"Peter Maydell" <peter.maydell@linaro.org>,
"Daniel P. Berrangé" <berrange@redhat.com>,
"Akihiko Odaki" <akihiko.odaki@gmail.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
"Thomas Huth" <huth@tuxfamily.org>,
"Richard Henderson" <richard.henderson@linaro.org>,
"Christian Schoenebeck" <qemu_oss@crudebyte.com>,
"Philippe Mathieu-Daudé" <f4bug@amsat.org>,
"Dr . David Alan Gilbert" <dgilbert@redhat.com>,
"Dov Murik" <dovmurik@linux.ibm.com>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Paolo Bonzini" <pbonzini@redhat.com>
Subject: [PULL 25/35] hw/i386: Improve bounds checking in OVMF table parsing
Date: Fri, 4 Mar 2022 15:21:13 +0100
Message-ID: <20220304142123.956171-26-kraxel@redhat.com>
In-Reply-To: <20220304142123.956171-1-kraxel@redhat.com>
From: Dov Murik <dovmurik@linux.ibm.com>
When pc_system_parse_ovmf_flash() parses the optional GUIDed table at
the end of the OVMF flash memory area, the table length field is checked
for sizes that are too small, but doesn't error on sizes that are too
big (bigger than the flash content itself).

Add a check for maximal size of the OVMF table, and add an error report
in case the size is invalid. In such a case, an error like this will be
displayed during launch:

    qemu-system-x86_64: OVMF table has invalid size 4047

and the table parsing is skipped.
Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20220222071906.2632426-2-dovmurik@linux.ibm.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
hw/i386/pc_sysfw_ovmf.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/hw/i386/pc_sysfw_ovmf.c b/hw/i386/pc_sysfw_ovmf.c
index f4dd92c58825..df15c9737b93 100644
--- a/hw/i386/pc_sysfw_ovmf.c
+++ b/hw/i386/pc_sysfw_ovmf.c
@@ -24,6 +24,7 @@
*/
#include "qemu/osdep.h"
+#include "qemu/error-report.h"
#include "hw/i386/pc.h"
#include "cpu.h"
@@ -66,7 +67,13 @@ void pc_system_parse_ovmf_flash(uint8_t *flash_ptr, size_t flash_size)
ptr -= sizeof(uint16_t);
tot_len = le16_to_cpu(*(uint16_t *)ptr) - sizeof(guid) - sizeof(uint16_t);
- if (tot_len <= 0) {
+ if (tot_len < 0 || tot_len > (ptr - flash_ptr)) {
+ error_report("OVMF table has invalid size %d", tot_len);
+ return;
+ }
+
+ if (tot_len == 0) {
+ /* no entries in the OVMF table */
return;
}
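Review bot: the `tot_len < 0` half of the new condition only works because `tot_len` is a signed `int` (it is printed with `%d`) receiving `le16_to_cpu(...) - sizeof(guid) - sizeof(uint16_t)`, an expression evaluated in `size_t` that wraps when the 16-bit length is smaller than 18 and only becomes negative on conversion back to `int`; a one-line comment above the assignment, or a cast such as `(int)le16_to_cpu(...)` before the subtraction, would make that intent explicit. The upper bound `tot_len > (ptr - flash_ptr)` is correct as written: `ptr` already points at the length field, so `ptr - flash_ptr` is exactly the number of bytes available for the table body that precedes it. Since the function returns `void` and the table is simply skipped, consider `warn_report` instead of `error_report`, which reads as if the launch itself had failed.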
--
2.35.1
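The check this patch adds is easy to exercise outside QEMU. The following is an added example, not code from the patch or from the QEMU tree: a stand-alone C model of the end-of-flash table lookup with the patched bounds check, run over constructed flash images. It assumes a simplified layout in which the 16-byte footer marker is the last 16 bytes of the image (the real OVMF footer sits at a fixed offset from the end that this patch does not touch), uses a constructed marker rather than the real OVMF footer GUID, and keeps the pre-patch `tot_len <= 0` test as a separate function only to show which declared lengths it let through.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FOOTER_GUID_LEN 16   /* sizeof(guid) in the QEMU code */
#define LEN_FIELD_LEN   2    /* sizeof(uint16_t): little-endian table length */

/* Constructed 16-byte footer marker for this example; NOT the real OVMF footer GUID. */
static const uint8_t example_footer_guid[FOOTER_GUID_LEN] = {
    0xde, 0xad, 0xbe, 0xef, 0x01, 0x23, 0x45, 0x67,
    0x89, 0xab, 0xcd, 0xef, 0x00, 0x11, 0x22, 0x33,
};

enum ovmf_parse_result {
    OVMF_NO_TABLE,      /* footer marker not found */
    OVMF_INVALID_SIZE,  /* length field points outside the flash image */
    OVMF_EMPTY_TABLE,   /* footer present, zero entries */
    OVMF_TABLE_OK,      /* table body located and bounds-checked */
};

static uint16_t load_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/*
 * Assumed layout: [..flash..][table body][u16 len][guid], guid last (example
 * simplification). The length field counts body + len + guid, so the body
 * size is len - 16 - 2, exactly the tot_len the patched code computes.
 */
enum ovmf_parse_result parse_ovmf_table(const uint8_t *flash, size_t flash_size,
                                        const uint8_t **body_out, size_t *body_len_out)
{
    const uint8_t *ptr;
    long tot_len;

    if (flash_size < FOOTER_GUID_LEN + LEN_FIELD_LEN) {
        return OVMF_NO_TABLE;
    }
    ptr = flash + flash_size - FOOTER_GUID_LEN;
    if (memcmp(ptr, example_footer_guid, FOOTER_GUID_LEN) != 0) {
        return OVMF_NO_TABLE;
    }
    ptr -= LEN_FIELD_LEN;   /* the two-byte length sits just before the guid */
    /* Cast before subtracting so a short length goes negative instead of wrapping. */
    tot_len = (long)load_le16(ptr) - FOOTER_GUID_LEN - LEN_FIELD_LEN;

    /*
     * Patched check: reject negative lengths AND lengths larger than the bytes
     * that actually precede the length field. Without the second half,
     * ptr - tot_len could point before the image and the later copy of
     * tot_len bytes would read out of bounds.
     */
    if (tot_len < 0 || tot_len > (ptr - flash)) {
        fprintf(stderr, "OVMF table has invalid size %ld\n", tot_len);
        return OVMF_INVALID_SIZE;
    }
    if (tot_len == 0) {
        return OVMF_EMPTY_TABLE;
    }
    *body_out = ptr - tot_len;
    *body_len_out = (size_t)tot_len;
    return OVMF_TABLE_OK;
}

/* Pre-patch check, kept only to show what it accepted. */
int prepatch_check_accepts(long tot_len)
{
    return !(tot_len <= 0);
}

/* Build a constructed image [pad x 0xff][body][len][guid]; returns its size. */
size_t build_flash_image(uint8_t *buf, size_t pad, const uint8_t *body,
                         size_t body_len, uint16_t declared_len)
{
    size_t off = pad;
    memset(buf, 0xff, pad);
    memcpy(buf + off, body, body_len);
    off += body_len;
    buf[off++] = (uint8_t)(declared_len & 0xff);
    buf[off++] = (uint8_t)(declared_len >> 8);
    memcpy(buf + off, example_footer_guid, FOOTER_GUID_LEN);
    return off + FOOTER_GUID_LEN;
}

/* Parse a 42-byte constructed image: 8 pad bytes, 16-byte body, len, guid. */
enum ovmf_parse_result run_case(uint16_t declared_len, size_t *body_len_out)
{
    static const uint8_t body[16] = "ENTRY-1\0ENTRY-2";  /* constructed body */
    uint8_t img[64];
    const uint8_t *tbl = NULL;
    size_t tbl_len = 0;
    size_t n = build_flash_image(img, 8, body, sizeof(body), declared_len);
    enum ovmf_parse_result r = parse_ovmf_table(img, n, &tbl, &tbl_len);
    if (body_len_out) {
        *body_len_out = tbl_len;
    }
    return r;
}

/* Body length recovered for a declared length (0 when rejected or empty). */
size_t run_case_body_len(uint16_t declared_len)
{
    size_t len = 0;
    run_case(declared_len, &len);
    return len;
}

int main(void)
{
    printf("declared 34   -> %d\n", run_case(34, NULL));    /* OVMF_TABLE_OK */
    printf("declared 4065 -> %d\n", run_case(4065, NULL));  /* tot_len 4047 rejected */
    printf("declared 10   -> %d\n", run_case(10, NULL));    /* negative, rejected */
    printf("pre-patch check on 4047: %d\n", prepatch_check_accepts(4047));
    return 0;
}
```

In the 42-byte image only 24 bytes precede the length field, so a declared length of 4065 (body length 4047, the value quoted in the commit message) is rejected by the patched check, while `prepatch_check_accepts(4047)` returns 1: the old `tot_len <= 0` test would have gone on to copy 4047 bytes from an address well before the start of the image. The example computes `tot_len` as a `long` after casting the 16-bit value, so the "too small" case is negative by construction rather than by unsigned wrap-around.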