An off-by-one error in a switch case in onenand_read() allowed
a misbehaving guest to read off the end of a block of memory.
This bug was revealed now that QEMU supports execution from
device memory: if started with no guest image loaded,
"qemu-system-arm -M n800" will now try to execute by reading
from this device's registers until it gets to the offset
triggering the segfault. Previously it would have run into
the "can't execute from device memory" assert first.
As a followup, patch 2 fixes some reporting so that we don't
trigger a hw_error() for reads of unimplemented registers.
With the two patches, execution now successfully results in
QEMU emulating the guest being off in the weeds...
NB: the onenand device is used only by the "n800" and "n810"
machines, which are usable only with TCG, not KVM, so the
segfault is not a security issue.
thanks
-- PMM
Peter Maydell (2):
hw/block/onenand: Fix off-by-one error allowing out-of-bounds read
hw/block/onenand: use qemu_log_mask() for reporting
hw/block/onenand.c | 24 ++++++++++++++----------
1 file changed, 14 insertions(+), 10 deletions(-)
--
2.19.1
