On Mon, Oct 24, 2022 at 05:42:33PM +0200, Christian A. Ehrhardt wrote:
> - Fix memset argument order: The second argument is
> the value, the length goes last.
> - Fix an integer overflow reported by Alexander Bulekov.
>
> Both issues allow the guest to overrun the host buffer
> allocated for the ERST memory device.
>
> Cc: Eric DeVolder <[email protected]
> Cc: Alexander Bulekov <[email protected]>
> Cc: [email protected]
> Fixes: f7e26ffa590 ("ACPI ERST: support for ACPI ERST feature")
> Tested-by: Alexander Bulekov <[email protected]>
> Signed-off-by: Christian A. Ehrhardt <[email protected]>
queued, thanks!
> ---
> hw/acpi/erst.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/hw/acpi/erst.c b/hw/acpi/erst.c
> index df856b2669..aefcc03ad6 100644
> --- a/hw/acpi/erst.c
> +++ b/hw/acpi/erst.c
> @@ -635,7 +635,7 @@ static unsigned read_erst_record(ERSTDeviceState *s)
> if (record_length < UEFI_CPER_RECORD_MIN_SIZE) {
> rc = STATUS_FAILED;
> }
> - if ((s->record_offset + record_length) > exchange_length) {
> + if (record_length > exchange_length - s->record_offset) {
> rc = STATUS_FAILED;
> }
> /* If all is ok, copy the record to the exchange buffer */
> @@ -684,7 +684,7 @@ static unsigned write_erst_record(ERSTDeviceState *s)
> if (record_length < UEFI_CPER_RECORD_MIN_SIZE) {
> return STATUS_FAILED;
> }
> - if ((s->record_offset + record_length) > exchange_length) {
> + if (record_length > exchange_length - s->record_offset) {
> return STATUS_FAILED;
> }
>
> @@ -716,7 +716,7 @@ static unsigned write_erst_record(ERSTDeviceState *s)
> if (nvram) {
> /* Write the record into the slot */
> memcpy(nvram, exchange, record_length);
> - memset(nvram + record_length, exchange_length - record_length, 0xFF);
> + memset(nvram + record_length, 0xFF, exchange_length - record_length);
> /* If a new record, increment the record_count */
> if (!record_found) {
> uint32_t record_count;
> --
> 2.34.1
