[PULL,10/29] elf-ops.h: fix int overflow in load_elf()

Message ID	1568644929-9124-11-git-send-email-pbonzini@redhat.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=vwJ/=XL=nongnu.org=qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 374C3206C2 From: Paolo Bonzini <pbonzini@redhat.com> To: qemu-devel@nongnu.org Date: Mon, 16 Sep 2019 16:41:50 +0200 Message-Id: <1568644929-9124-11-git-send-email-pbonzini@redhat.com> In-Reply-To: <1568644929-9124-1-git-send-email-pbonzini@redhat.com> References: <1568644929-9124-1-git-send-email-pbonzini@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Subject: [Qemu-devel] [PULL 10/29] elf-ops.h: fix int overflow in load_elf() Precedence: list Cc: Stefano Garzarella <sgarzare@redhat.com> Errors-To: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org Sender: "Qemu-devel" <qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org>
Series	[PULL,01/29] i386/kvm: support guest access CORE cstate \| expand [PULL,01/29] i386/kvm: support guest access CORE cstate [PULL,02/29] exec.c: replace hwaddr with uint64_t for better understanding [PULL,03/29] exec.c: get nodes_nb_alloc with one MAX calculation [PULL,04/29] exec.c: subpage->sub_section is already initialized to 0 [PULL,05/29] exec.c: correct the maximum skip value during compact [PULL,06/29] exec.c: add a check between constants to see whether we could skip [PULL,07/29] win32: fix README file in NSIS installer [PULL,08/29] test-char: fix AddressSanitizer failure [PULL,09/29] hw/i386: Move CONFIG_ACPI_PCI to CONFIG_PC [PULL,10/29] elf-ops.h: fix int overflow in load_elf() [PULL,11/29] memory: fetch pmem size in get_file_size() [PULL,12/29] memory: inline and optimize devend_memop [PULL,13/29] qemu-thread: Add qemu_cond_timedwait [PULL,14/29] cpus: Fix throttling during vm_stop [PULL,15/29] hw/i386/pc: Use e820_get_num_entries() to access e820_entries [PULL,16/29] hw/i386/pc: Extract e820 memory layout code [PULL,17/29] hw/i386/pc: Use address_space_memory in place [PULL,18/29] hw/i386/pc: Rename bochs_bios_init as more generic fw_cfg_arch_create [PULL,19/29] hw/i386/pc: Pass the boot_cpus value by argument [PULL,20/29] hw/i386/pc: Pass the apic_id_limit value by argument [PULL,21/29] hw/i386/pc: Pass the CPUArchIdList array by argument [PULL,22/29] hw/i386/pc: Replace PCMachineState argument with MachineState in fw_cfg_arch_create [PULL,23/29] hw/i386/pc: Let pc_build_smbios() take a FWCfgState argument [PULL,24/29] hw/i386/pc: Let pc_build_smbios() take a generic MachineState argument [PULL,25/29] hw/i386/pc: Rename pc_build_smbios() as generic fw_cfg_build_smbios() [PULL,26/29] hw/i386/pc: Let pc_build_feature_control() take a FWCfgState argument [PULL,27/29] hw/i386/pc: Let pc_build_feature_control() take a MachineState argument [PULL,28/29] hw/i386/pc: Rename pc_build_feature_control() as generic fw_cfg_build_* [PULL,29/29] hw/i386/pc: Extract the x86 generic fw_cfg code

Message ID

1568644929-9124-11-git-send-email-pbonzini@redhat.com (mailing list archive)

State

New, archived

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 374C3206C2
From: Paolo Bonzini <pbonzini@redhat.com>
To: qemu-devel@nongnu.org
Date: Mon, 16 Sep 2019 16:41:50 +0200
Message-Id: <1568644929-9124-11-git-send-email-pbonzini@redhat.com>
In-Reply-To: <1568644929-9124-1-git-send-email-pbonzini@redhat.com>
References: <1568644929-9124-1-git-send-email-pbonzini@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Subject: [Qemu-devel] [PULL 10/29] elf-ops.h: fix int overflow in load_elf()
Precedence: list
Cc: Stefano Garzarella <sgarzare@redhat.com>
Errors-To: 
 qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org
Sender: "Qemu-devel"
 <qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org>

Series

[PULL,01/29] i386/kvm: support guest access CORE cstate | expand

Commit Message

Paolo Bonzini Sept. 16, 2019, 2:41 p.m. UTC

From: Stefano Garzarella <sgarzare@redhat.com>

This patch fixes a possible integer overflow when we calculate
the total size of ELF segments loaded.

Reported-by: Coverity (CID 1405299)
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Message-Id: <20190910124828.39794-1-sgarzare@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 hw/core/loader.c     | 2 ++
 include/hw/elf_ops.h | 5 +++++
 include/hw/loader.h  | 1 +
 3 files changed, 8 insertions(+)

diff --git a/hw/core/loader.c b/hw/core/loader.c
index 32f7cc7..75eb56d 100644
--- a/hw/core/loader.c
+++ b/hw/core/loader.c
@@ -338,6 +338,8 @@  const char *load_elf_strerror(int error)
         return "The image is from incompatible architecture";
     case ELF_LOAD_WRONG_ENDIAN:
         return "The image has incorrect endianness";
+    case ELF_LOAD_TOO_BIG:
+        return "The image segments are too big to load";
     default:
         return "Unknown error";
     }
diff --git a/include/hw/elf_ops.h b/include/hw/elf_ops.h
index 1496d7e..e07d276 100644
--- a/include/hw/elf_ops.h
+++ b/include/hw/elf_ops.h
@@ -485,6 +485,11 @@  static int glue(load_elf, SZ)(const char *name, int fd,
                 }
             }
 
+            if (mem_size > INT_MAX - total_size) {
+                ret = ELF_LOAD_TOO_BIG;
+                goto fail;
+            }
+
             /* address_offset is hack for kernel images that are
                linked at the wrong physical address.  */
             if (translate_fn) {
diff --git a/include/hw/loader.h b/include/hw/loader.h
index 07fd928..48a96cd 100644
--- a/include/hw/loader.h
+++ b/include/hw/loader.h
@@ -89,6 +89,7 @@  int load_image_gzipped(const char *filename, hwaddr addr, uint64_t max_sz);
 #define ELF_LOAD_NOT_ELF      -2
 #define ELF_LOAD_WRONG_ARCH   -3
 #define ELF_LOAD_WRONG_ENDIAN -4
+#define ELF_LOAD_TOO_BIG      -5
 const char *load_elf_strerror(int error);
 
 /** load_elf_ram_sym:

[PULL,10/29] elf-ops.h: fix int overflow in load_elf()

Commit Message

Patch