Skip to content
Snippets Groups Projects
Commit 5eb0b194 authored by Michael S. Tsirkin's avatar Michael S. Tsirkin Committed by Peter Maydell
Browse files

cadence_uart: bounds check write offset 


cadence_uart_init() initializes an I/O memory region of size 0x1000
bytes.  However in uart_write(), the 'offset' parameter (offset within
region) is divided by 4 and then used to index the array 'r' of size
CADENCE_UART_R_MAX which is much smaller: (0x48/4).  If 'offset>>=2'
exceeds CADENCE_UART_R_MAX, this will cause an out-of-bounds memory
write where the offset and the value are controlled by guest.

This will corrupt QEMU memory, in most situations this causes the vm to
crash.

Fix by checking the offset against the array size.

Cc: qemu-stable@nongnu.org
Reported-by: default avatar李强 <liqiang6-s@360.cn>
Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
Reviewed-by: default avatarAlistair Francis <alistair.francis@xilinx.com>
Message-id: 20160418100735.GA517@redhat.com
Signed-off-by: default avatarPeter Maydell <peter.maydell@linaro.org>
parent a087cc58
No related branches found
No related tags found
Hide whitespace changes
Inline Side-by-side
Showing
with 3 additions and 0 deletions
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment