On Mon, 25 Jun 2018 10:31:52 +0200 Thomas Huth <[email protected]> wrote:
> On 15.06.2018 11:49, Thomas Huth wrote:
> > The rom_ptr() function allows direct access to the ROM blobs that we
> > load during startup. However, there are currently no checks for the
> > size of the accesses, so it's currently possible to crash QEMU for
> > example with:
> >
> > $ echo "Insane in the mainframe" > /tmp/test.txt
> > $ s390x-softmmu/qemu-system-s390x -kernel /tmp/test.txt -append xyz
> > Segmentation fault (core dumped)
> > $ s390x-softmmu/qemu-system-s390x -kernel /tmp/test.txt -initrd /tmp/test.txt
> > Segmentation fault (core dumped)
> > $ echo -n HdrS > /tmp/hdr.txt
> > $ sparc64-softmmu/qemu-system-sparc64 -kernel /tmp/hdr.txt -initrd /tmp/hdr.txt
> > Segmentation fault (core dumped)
> >
> > We need a possibility to check the size of the ROM area that we want
> > to access, thus let's add a size parameter to the rom_ptr() function
> > to avoid these problems.
> >
> > Signed-off-by: Thomas Huth <[email protected]>
>
> Ping!
>
> Could anybody please pick this patch up? Qemu-trivial seems to be pretty
> dormant these days (?), so maybe Paolo via misc? Or either the s390x or
> Sparc tree, since it fixes a crash on these machines?

If nobody else wants it, I can take it through the s390x tree. Would not
mind some more acks, though.
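
The kind of bounds check the patch description calls for, as an added example that is not QEMU's code and not the patch itself: a simplified ROM-blob lookup, once in the unchecked form the report describes (only the start address is validated, so a caller that then reads a header larger than a tiny -kernel file runs off the end of the blob) and once with a size parameter that requires the whole [addr, addr + size) range to lie inside the blob's loaded data. The struct rom layout, the field names, rom_ptr_unchecked/rom_ptr_sized and the 24-byte sample blob are assumptions chosen for illustration; QEMU's real Rom structure and rom_ptr() are not reproduced here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for a loaded ROM blob (assumption; not QEMU's Rom). */
struct rom {
    uint64_t       addr;      /* guest physical address the blob is loaded at */
    size_t         datasize;  /* number of bytes actually loaded from the file */
    unsigned char *data;      /* the loaded bytes */
};

/* Unchecked lookup, modelling the behaviour the bug report describes: only
 * the start address is checked, so a caller that reads `size` bytes from the
 * returned pointer can run past the end of a blob shorter than expected. */
void *rom_ptr_unchecked(struct rom *roms, size_t nroms, uint64_t addr)
{
    for (size_t i = 0; i < nroms; i++) {
        struct rom *r = &roms[i];
        if (r->data && addr >= r->addr && addr - r->addr < r->datasize)
            return r->data + (addr - r->addr);
    }
    return NULL;
}

/* Lookup with a size parameter: the caller states how many bytes it intends
 * to access, and a pointer is handed out only if that whole range fits in the
 * blob. The arithmetic is done on offsets so it cannot wrap. */
void *rom_ptr_sized(struct rom *roms, size_t nroms, uint64_t addr, size_t size)
{
    for (size_t i = 0; i < nroms; i++) {
        struct rom *r = &roms[i];
        if (r->data == NULL || r->datasize == 0)
            continue;
        if (addr < r->addr)
            continue;
        uint64_t off = addr - r->addr;
        if (off >= r->datasize)
            continue;                 /* start lies beyond this blob */
        if (size > r->datasize - off)
            return NULL;              /* range overruns the blob: refuse */
        return r->data + off;
    }
    return NULL;
}

/* Constructed sample: the 24-byte "kernel" from the report, loaded at 0x10000. */
static unsigned char sample_blob[] = "Insane in the mainframe\n";
struct rom sample_roms[1] = { { 0x10000, sizeof(sample_blob) - 1, sample_blob } };

/* Returns 1 when the sized lookup refuses a 16-byte read starting 8 bytes
 * before the end of the blob, which the unchecked lookup would allow. */
int demo_overrun_is_refused(void)
{
    uint64_t addr = 0x10000 + (sizeof(sample_blob) - 1) - 8;
    void *unchecked = rom_ptr_unchecked(sample_roms, 1, addr);
    void *checked   = rom_ptr_sized(sample_roms, 1, addr, 16);
    return unchecked != NULL && checked == NULL;
}

int main(void)
{
    printf("16-byte read near end of 24-byte blob: unchecked=%p sized=%p\n",
           rom_ptr_unchecked(sample_roms, 1, 0x10010),
           rom_ptr_sized(sample_roms, 1, 0x10010, 16));
    printf("overrun refused by sized lookup: %d\n", demo_overrun_is_refused());
    return 0;
}
```

The point of the size parameter is that the caller, not the lookup, knows how much it is about to read (a header field, a command-line area, an initrd size word), so the lookup cannot make that decision correctly without being told; a NULL return then has to be handled by the caller, for example by rejecting the image instead of dereferencing.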
