On Tue, 2011-11-29 at 15:07 +0200, Pekka Enberg wrote: > On Tue, 29 Nov 2011, Sasha Levin wrote: > > A guest could overwrite host memory by writing to cmos index bigger than > > 128. > > > > This patch adds a boundry check to limit it to that size. > > > > Cc: Alessandro Zummo <a.zu...@towertech.it> > > Cc: rtc-li...@googlegroups.com > > Signed-off-by: Sasha Levin <levinsasha...@gmail.com> > > --- > > tools/kvm/hw/rtc.c | 4 ++++ > > 1 files changed, 4 insertions(+), 0 deletions(-) > > > > diff --git a/tools/kvm/hw/rtc.c b/tools/kvm/hw/rtc.c > > index fad140f..1471521 100644 > > --- a/tools/kvm/hw/rtc.c > > +++ b/tools/kvm/hw/rtc.c > > @@ -50,6 +50,8 @@ static bool cmos_ram_data_in(struct ioport *ioport, > > struct kvm *kvm, u16 port, v > > ioport__write8(data, bin2bcd(tm->tm_year)); > > break; > > default: > > + if (rtc.cmos_idx >= 128) > > + break; > > ioport__write8(data, rtc.cmos_data[rtc.cmos_idx]); > > break; > > } > > @@ -65,6 +67,8 @@ static bool cmos_ram_data_out(struct ioport *ioport, > > struct kvm *kvm, u16 port, > > /* Read-only */ > > break; > > default: > > + if (rtc.cmos_idx >= 128) > > + break; > > rtc.cmos_data[rtc.cmos_idx] = ioport__read8(data); > > break; > > } > > We always clear highest bit in cmos_ram_index_out() so 'cmos_idx' can > never be over 127.
Right. Please ignore this patch :) -- Sasha. -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
