A guest could overwrite host memory by writing to cmos index bigger than 128.
This patch adds a boundry check to limit it to that size. Cc: Alessandro Zummo <[email protected]> Cc: [email protected] Signed-off-by: Sasha Levin <[email protected]> --- tools/kvm/hw/rtc.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/tools/kvm/hw/rtc.c b/tools/kvm/hw/rtc.c index fad140f..1471521 100644 --- a/tools/kvm/hw/rtc.c +++ b/tools/kvm/hw/rtc.c @@ -50,6 +50,8 @@ static bool cmos_ram_data_in(struct ioport *ioport, struct kvm *kvm, u16 port, v ioport__write8(data, bin2bcd(tm->tm_year)); break; default: + if (rtc.cmos_idx >= 128) + break; ioport__write8(data, rtc.cmos_data[rtc.cmos_idx]); break; } @@ -65,6 +67,8 @@ static bool cmos_ram_data_out(struct ioport *ioport, struct kvm *kvm, u16 port, /* Read-only */ break; default: + if (rtc.cmos_idx >= 128) + break; rtc.cmos_data[rtc.cmos_idx] = ioport__read8(data); break; } -- 1.7.8.rc3 -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html
