aboutsummaryrefslogtreecommitdiff
path: root/hw/xen
diff options
context:
space:
mode:
authorPeter Maydell <peter.maydell@linaro.org>2018-11-19 16:26:58 +0000
committerAnthony PERARD <anthony.perard@citrix.com>2019-01-14 13:45:40 +0000
commit6c4f984463a269e4d4f3684de957e3c548af409a (patch)
tree3376c10b3a241a3a58b1fc640c5f698ec157782f /hw/xen
parent7260438b7056469610ee166f7abe9ff8a26b8b16 (diff)
hw/xen/xen_pt_graphics: Don't trust the BIOS ROM contents so much
Coverity (CID 796599) points out that xen_pt_setup_vga() trusts the rom->size field in the BIOS ROM from a PCI passthrough VGA device, and uses it as an index into the memory which contains the BIOS image. A corrupt BIOS ROM could therefore cause us to index off the end of the buffer. Check that the size is within bounds before we use it. We are also trusting the pcioffset field, and assuming that the whole rom_header is present; Coverity doesn't notice these, but check them too. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Acked-by: Anthony PERARD <anthony.perard@citrix.com> Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Diffstat (limited to 'hw/xen')
-rw-r--r--hw/xen/xen_pt_graphics.c16
1 files changed, 16 insertions, 0 deletions
diff --git a/hw/xen/xen_pt_graphics.c b/hw/xen/xen_pt_graphics.c
index 135c8df1e7..60d6b4a556 100644
--- a/hw/xen/xen_pt_graphics.c
+++ b/hw/xen/xen_pt_graphics.c
@@ -185,8 +185,19 @@ void xen_pt_setup_vga(XenPCIPassthroughState *s, XenHostPCIDevice *dev,
return;
}
+ if (bios_size < sizeof(struct rom_header)) {
+ error_setg(errp, "VGA: VBIOS image corrupt (too small)");
+ return;
+ }
+
/* Currently we fixed this address as a primary. */
rom = (struct rom_header *)bios;
+
+ if (rom->pcioffset + sizeof(struct pci_data) > bios_size) {
+ error_setg(errp, "VGA: VBIOS image corrupt (bad pcioffset field)");
+ return;
+ }
+
pd = (void *)(bios + (unsigned char)rom->pcioffset);
/* We may need to fixup Device Identification. */
@@ -194,6 +205,11 @@ void xen_pt_setup_vga(XenPCIPassthroughState *s, XenHostPCIDevice *dev,
pd->device = s->real_device.device_id;
len = rom->size * 512;
+ if (len > bios_size) {
+ error_setg(errp, "VGA: VBIOS image corrupt (bad size field)");
+ return;
+ }
+
/* Then adjust the bios checksum */
for (c = (char *)bios; c < ((char *)bios + len); c++) {
checksum += *c;