Brad Bishop | 220d553 | 2018-08-14 00:59:39 +0100 | [diff] [blame] | 1 | From 2a8fcd119eb7c6bb3837fc3669eb1b2dfb31daf8 Mon Sep 17 00:00:00 2001 |
| 2 | From: Jack Schwartz <jack.schwartz@oracle.com> |
| 3 | Date: Thu, 21 Dec 2017 09:25:15 -0800 |
| 4 | Subject: [PATCH] multiboot: bss_end_addr can be zero |
| 5 | |
| 6 | The multiboot spec (https://www.gnu.org/software/grub/manual/multiboot/), |
| 7 | section 3.1.3, allows for bss_end_addr to be zero. |
| 8 | |
| 9 | A zero bss_end_addr signifies there is no .bss section. |
| 10 | |
| 11 | CVE: CVE-2018-7550 |
| 12 | Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commitdiff;h=2a8fcd119eb7c6bb3837fc3669eb1b2dfb31daf8] |
| 13 | |
| 14 | Suggested-by: Daniel Kiper <daniel.kiper@oracle.com> |
| 15 | Signed-off-by: Jack Schwartz <jack.schwartz@oracle.com> |
| 16 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
| 17 | Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> |
| 18 | Signed-off-by: Kevin Wolf <kwolf@redhat.com> |
| 19 | Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> |
| 20 | --- |
| 21 | hw/i386/multiboot.c | 18 ++++++++++-------- |
| 22 | 1 file changed, 10 insertions(+), 8 deletions(-) |
| 23 | |
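diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c
index 46d9c68bf5..bb8d8e4629 100644
--- a/hw/i386/multiboot.c
+++ b/hw/i386/multiboot.c
@@ -233,12 +233,6 @@ int load_multiboot(FWCfgState *fw_cfg,
         mh_entry_addr = ldl_p(header+i+28);
 
         if (mh_load_end_addr) {
-            if (mh_bss_end_addr < mh_load_addr) {
-                fprintf(stderr, "invalid mh_bss_end_addr address\n");
-                exit(1);
-            }
-            mb_kernel_size = mh_bss_end_addr - mh_load_addr;
-
             if (mh_load_end_addr < mh_load_addr) {
                 fprintf(stderr, "invalid mh_load_end_addr address\n");
                 exit(1);
@@ -249,8 +243,16 @@ int load_multiboot(FWCfgState *fw_cfg,
                 fprintf(stderr, "invalid kernel_file_size\n");
                 exit(1);
             }
-            mb_kernel_size = kernel_file_size - mb_kernel_text_offset;
-            mb_load_size = mb_kernel_size;
+            mb_load_size = kernel_file_size - mb_kernel_text_offset;
+        }
+        if (mh_bss_end_addr) {
+            if (mh_bss_end_addr < (mh_load_addr + mb_load_size)) {
+                fprintf(stderr, "invalid mh_bss_end_addr address\n");
+                exit(1);
+            }
+            mb_kernel_size = mh_bss_end_addr - mh_load_addr;
+        } else {
+            mb_kernel_size = mb_load_size;
         }
 
         /* Valid if mh_flags sets MULTIBOOT_HEADER_HAS_VBE.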
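Review bot: The new guard `if (mh_bss_end_addr < (mh_load_addr + mb_load_size))` in the second hunk does not account for wrap-around of the sum: mh_load_addr is a 32-bit header field (read with ldl_p, see the first hunk) supplied by the guest kernel image, so if it lies near the top of the 32-bit address space the addition wraps to a small value, the comparison passes for a bss_end_addr that actually precedes the loaded image, and `mb_kernel_size = mh_bss_end_addr - mh_load_addr` ends up smaller than mb_load_size — the size inversion this CVE fix is meant to exclude. This assumes mb_load_size is also a 32-bit unsigned quantity like the mh_* fields; its declaration is outside the hunk. Reject the wrap before comparing, e.g. `if (mb_load_size > UINT32_MAX - mh_load_addr || mh_bss_end_addr < mh_load_addr + mb_load_size) {`, or perform the comparison in a 64-bit type. The upstream series this commit is backported from also carries a separate check that the loaded kernel does not exceed the address space; if that sibling patch is not applied in this layer, the guard here is insufficient on its own. load_multiboot starts and ends outside both hunks.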
| 60 | -- |
| 61 | 2.13.3 |
| 62 | |