From b17a9054a0652a1481be48a6729e972abf02412f Mon Sep 17 00:00:00 2001 From: Kevin Wolf Date: Wed, 14 Mar 2018 17:46:38 +0100 Subject: multiboot: Reject kernels exceeding the address space The code path where mh_load_end_addr is non-zero in the Multiboot header checks that mh_load_end_addr >= mh_load_addr and so mb_load_size is checked. However, mb_load_size is not checked when calculated from the file size, when mh_load_end_addr is 0. If the kernel binary size is larger than can fit in the address space after load_addr, we ended up with a kernel_size that is smaller than load_size, which means that we read the file into a too small buffer. Add a check to reject kernel files with such Multiboot headers. Signed-off-by: Kevin Wolf Reviewed-by: Jack Schwartz --- hw/i386/multiboot.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'hw/i386') diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c index b9064264d8..1e215bf8d3 100644 --- a/hw/i386/multiboot.c +++ b/hw/i386/multiboot.c @@ -247,6 +247,10 @@ int load_multiboot(FWCfgState *fw_cfg, } mb_load_size = kernel_file_size - mb_kernel_text_offset; } + if (mb_load_size > UINT32_MAX - mh_load_addr) { + error_report("kernel does not fit in address space"); + exit(1); + } if (mh_bss_end_addr) { if (mh_bss_end_addr < (mh_load_addr + mb_load_size)) { error_report("invalid bss_end_addr address"); -- cgit v1.2.3