Sophie


kvm-83-270.el5_11.src.rpm

From a3f0e598fe4f078507e346e3cdb9beddc147a1f8 Mon Sep 17 00:00:00 2001
Message-Id: <a3f0e598fe4f078507e346e3cdb9beddc147a1f8.1335957620.git.minovotn@redhat.com>
From: Gleb Natapov <gleb@redhat.com>
Date: Tue, 24 Apr 2012 09:24:41 +0200
Subject: [PATCH] fix l1_map buffer overflow

RH-Author: Gleb Natapov <gleb@redhat.com>
Message-id: <20120424092441.GR15413@redhat.com>
Patchwork-id: 39419
O-Subject: [PATCH rhel5.9 rhel5.8.z] fix l1_map buffer overflow
Bugzilla: 814096
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Avi Kivity <avi@redhat.com>

The l1_map[] array is L1_SIZE entries long. If index equals L2_SIZE * L1_SIZE, then
index >> L2_BITS will point beyond l1_map[].

Credit goes to Ulrich Obergfell for finding the bug.

BZ: 814096
Upstream: Not needed. The code is rewritten.

Signed-off-by: Gleb Natapov <gleb@redhat.com>
--
			Gleb.

Signed-off-by: Michal Novotny <minovotn@redhat.com>
---
 qemu/exec.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
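To make the off-by-one described in the commit message concrete, here is an added example; it is not code from the kvm package or from qemu. It models qemu's two-level page descriptor map with small, made-up L1_BITS/L2_BITS values (the real constants differ) and puts the pre-fix `>` check beside the patched `>=` check so the out-of-bounds L1 subscript is visible for the single index that slips through.

```c
/* Added example (not from kvm/qemu): a scaled-down model of qemu's two-level
 * page descriptor map, showing why the bound check on the L1 index must be
 * ">=" and not ">".  L1_BITS and L2_BITS are illustrative assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define L1_BITS 3                    /* assumption: 8 L1 slots */
#define L2_BITS 4                    /* assumption: 16 pages per L2 table */
#define L1_SIZE (1 << L1_BITS)
#define L2_SIZE (1 << L2_BITS)

typedef uint64_t target_ulong;       /* models a target with TARGET_LONG_BITS > 32 */

struct page_desc { int flags; };

/* l1_map has exactly L1_SIZE entries; subscript L1_SIZE is one past the end. */
static struct page_desc *l1_map[L1_SIZE];

/* L1 slot the pre-fix code would dereference, or -1 when the index is rejected.
 * Mirrors the original "index > L2_SIZE * L1_SIZE" test. */
int l1_slot_before_fix(target_ulong index)
{
    if (index > ((target_ulong)L2_SIZE * L1_SIZE))
        return -1;
    return (int)(index >> L2_BITS);
}

/* Same lookup with the patched ">=" test. */
int l1_slot_after_fix(target_ulong index)
{
    if (index >= ((target_ulong)L2_SIZE * L1_SIZE))
        return -1;
    return (int)(index >> L2_BITS);
}

/* True when slot is a valid subscript for l1_map. */
int l1_slot_in_bounds(int slot)
{
    return slot >= 0 && (size_t)slot < sizeof l1_map / sizeof l1_map[0];
}

static const char *verdict(int slot)
{
    if (slot < 0)
        return "rejected";
    return l1_slot_in_bounds(slot) ? "in bounds" : "OUT OF BOUNDS";
}

int main(void)
{
    target_ulong boundary = (target_ulong)L2_SIZE * L1_SIZE;   /* 128 here */
    target_ulong probes[] = { 0, boundary - 1, boundary, boundary + 1 };

    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int before = l1_slot_before_fix(probes[i]);
        int after = l1_slot_after_fix(probes[i]);
        printf("index %3llu: '>' check -> slot %2d (%s); '>=' check -> slot %2d (%s)\n",
               (unsigned long long)probes[i],
               before, verdict(before), after, verdict(after));
    }
    return 0;
}
```

Only the exact value `index == L2_SIZE * L1_SIZE` distinguishes the two checks: everything above it is already rejected by `>`, everything below it shifts down to a valid slot, but that one value shifts to `L1_SIZE`, which is past the last element of `l1_map`.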

diff --git a/qemu/exec.c b/qemu/exec.c
index 2b621b4..75260c5 100644
--- a/qemu/exec.c
+++ b/qemu/exec.c
@@ -296,7 +296,7 @@ static inline PageDesc **page_l1_map(target_ulong index)
 #if TARGET_LONG_BITS > 32
     /* Host memory outside guest VM.  For 32-bit targets we have already
        excluded high addresses.  */
-    if (index > ((target_ulong)L2_SIZE * L1_SIZE))
+    if (index >= ((target_ulong)L2_SIZE * L1_SIZE))
         return NULL;
 #endif
     return &l1_map[index >> L2_BITS];
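Review bot: the `>=` bound is the correct one here, since `l1_map` has `L1_SIZE` entries and `index >> L2_BITS` must stay at or below `L1_SIZE - 1`; with the old `>` the single value `index == L2_SIZE * L1_SIZE` passed the test and produced subscript `L1_SIZE`, one past the end of the array. Please record that invariant next to the check so the boundary is not loosened again, e.g. extend the comment with `/* index >> L2_BITS must stay below L1_SIZE */`. Also note that this check is compiled only when TARGET_LONG_BITS > 32, so on 32-bit targets the comment's claim that high addresses were "already excluded" is the only protection for `l1_map`; it is worth confirming that the caller on those targets rejects `index >= L2_SIZE * L1_SIZE` with the same inclusive bound.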
-- 
1.7.7.6