Commit d434e5ac authored by linzhecheng, committed by Michael S. Tsirkin

virtio-serial: fix heap-over-flow

Check that the device has the VIRTIO_CONSOLE_F_EMERG_WRITE feature before
getting config->emerg_wr. It is necessary because sizeof(virtio_console_config)
is 8 bytes if VirtIOSerial doesn't have the
VIRTIO_CONSOLE_F_EMERG_WRITE feature (see virtio_serial_device_realize), so
reading/writing emerg_wr will lead to a heap-over-flow.

Signed-off-by: linzhecheng <linzhecheng@huawei.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
parent e7b94a84
+5 −2
@@ -580,13 +580,16 @@ static void set_config(VirtIODevice *vdev, const uint8_t *config_data)
    VirtIOSerial *vser = VIRTIO_SERIAL(vdev);
    struct virtio_console_config *config =
        (struct virtio_console_config *)config_data;
    uint8_t emerg_wr_lo = le32_to_cpu(config->emerg_wr);
    VirtIOSerialPort *port = find_first_connected_console(vser);
    VirtIOSerialPortClass *vsc;
    uint8_t emerg_wr_lo;

    if (!config->emerg_wr) {
    if (!virtio_has_feature(vser->host_features,
        VIRTIO_CONSOLE_F_EMERG_WRITE) || !config->emerg_wr) {
        return;
    }

    emerg_wr_lo = le32_to_cpu(config->emerg_wr);
    /* Make sure we don't misdetect an emergency write when the guest
     * does a short config write after an emergency write. */
    config->emerg_wr = 0;
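Review bot: The new guard at the top of set_config is correct as far as it goes (the `||` short-circuits, so `config->emerg_wr` is never touched when the feature is absent, and the `emerg_wr_lo` read now sits after the guard), but the reason the check is required is not visible at the use site: nothing in this function says that `config_data` is shorter than `sizeof(struct virtio_console_config)` when VIRTIO_CONSOLE_F_EMERG_WRITE is not negotiated. Please add a one-line comment above the `if`, e.g. `/* Without F_EMERG_WRITE the config space ends before emerg_wr (see virtio_serial_device_realize); do not touch it. */`, so the next person does not hoist the access back above the check. Also, the commit message says "read/write emerg_wr" but the hunk only changes the write path (set_config); either confirm that the read path does not reference `config->emerg_wr` without the feature, or add the equivalent feature check there too.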