From a3f0e598fe4f078507e346e3cdb9beddc147a1f8 Mon Sep 17 00:00:00 2001 Message-Id: <a3f0e598fe4f078507e346e3cdb9beddc147a1f8.1335957620.git.minovotn@redhat.com> From: Gleb Natapov <gleb@redhat.com> Date: Tue, 24 Apr 2012 09:24:41 +0200 Subject: [PATCH] fix l1_map buffer overflow RH-Author: Gleb Natapov <gleb@redhat.com> Message-id: <20120424092441.GR15413@redhat.com> Patchwork-id: 39419 O-Subject: [PATCH rhel5.9 rhel5.8.z] fix l1_map buffer overflow Bugzilla: 814096 RH-Acked-by: Laszlo Ersek <lersek@redhat.com> RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com> RH-Acked-by: Avi Kivity <avi@redhat.com> l1_map[] array is L1_SIZE long. If index equals L2_SIZE * L1_SIZE then index >> L2_BITS will point beyond l1_map[]. Credit goes to Ulrich Obergfell for finding the bug. BZ: 814096 Upstream: Not needed. The code is rewritten. Signed-off-by: Gleb Natapov <gleb@redhat.com> -- Gleb. Signed-off-by: Michal Novotny <minovotn@redhat.com> --- qemu/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/qemu/exec.c b/qemu/exec.c index 2b621b4..75260c5 100644 --- a/qemu/exec.c +++ b/qemu/exec.c @@ -296,7 +296,7 @@ static inline PageDesc **page_l1_map(target_ulong index) #if TARGET_LONG_BITS > 32 /* Host memory outside guest VM. For 32-bit targets we have already excluded high addresses. */ - if (index > ((target_ulong)L2_SIZE * L1_SIZE)) + if (index >= ((target_ulong)L2_SIZE * L1_SIZE)) return NULL; #endif return &l1_map[index >> L2_BITS]; -- 1.7.7.6
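Review bot: the change from `>` to `>=` is the correct bound, and the commit message states why: with `index == L2_SIZE * L1_SIZE` the old `>` test still passes and `index >> L2_BITS` evaluates to `L1_SIZE`, which is one slot past the end of `l1_map[]`, so `&l1_map[index >> L2_BITS]` pointed just beyond the array. One remaining point in the same hunk: the guard is compiled only under `#if TARGET_LONG_BITS > 32`, so on 32-bit targets the function continues to rely on the caller having already excluded high addresses, as the comment says. Since the bug was an off-by-one at exactly the boundary, consider adding an `assert((index >> L2_BITS) < L1_SIZE)` after the `#endif`, so that an out-of-range index is caught on every target rather than silently turned into an out-of-bounds pointer.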