From: Kevin Wolf <kw...@redhat.com>
The code path where mh_load_end_addr is non-zero in the Multiboot
header checks that mh_load_end_addr >= mh_load_addr and so
mb_load_size is checked. However, mb_load_size is not checked when
calculated from the file size, when mh_load_end_addr is 0.
If the kernel binary size is larger than can fit in the address space
after load_addr, we ended up with a kernel_size that is smaller than
load_size, which means that we read the file into a too small buffer.
Add a check to reject kernel files with such Multiboot headers.
Signed-off-by: Kevin Wolf <kw...@redhat.com>
Reviewed-by: Jack Schwartz <jack.schwa...@oracle.com>
(cherry picked from commit b17a9054a0652a1481be48a6729e972abf02412f)
Signed-off-by: Michael Roth <mdr...@linux.vnet.ibm.com>
---
hw/i386/multiboot.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c
index d9a0a95a2f..775aa5bfd0 100644
--- a/hw/i386/multiboot.c
+++ b/hw/i386/multiboot.c
@@ -247,6 +247,10 @@ int load_multiboot(FWCfgState *fw_cfg,
}
mb_load_size = kernel_file_size - mb_kernel_text_offset;
}
+ if (mb_load_size > UINT32_MAX - mh_load_addr) {
+ error_report("kernel does not fit in address space");
+ exit(1);
+ }
if (mh_bss_end_addr) {
if (mh_bss_end_addr < (mh_load_addr + mb_load_size)) {
error_report("invalid bss_end_addr address");
--
2.11.0
