Fix CVE-2018-7550: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7550 Patch copied from upstream source repository: https://git.qemu.org/?p=qemu.git;a=patch;h=2a8fcd119eb7c6bb3837fc3669eb1b2dfb31daf8 From 2a8fcd119eb7c6bb3837fc3669eb1b2dfb31daf8 Mon Sep 17 00:00:00 2001 From: Jack Schwartz Date: Thu, 21 Dec 2017 09:25:15 -0800 Subject: [PATCH] multiboot: bss_end_addr can be zero The multiboot spec (https://www.gnu.org/software/grub/manual/multiboot/), section 3.1.3, allows for bss_end_addr to be zero. A zero bss_end_addr signifies there is no .bss section. Suggested-by: Daniel Kiper Signed-off-by: Jack Schwartz Reviewed-by: Daniel Kiper Reviewed-by: Prasad J Pandit Signed-off-by: Kevin Wolf --- hw/i386/multiboot.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c index 46d9c68bf5..bb8d8e4629 100644 --- a/hw/i386/multiboot.c +++ b/hw/i386/multiboot.c @@ -233,12 +233,6 @@ int load_multiboot(FWCfgState *fw_cfg, mh_entry_addr = ldl_p(header+i+28); if (mh_load_end_addr) { - if (mh_bss_end_addr < mh_load_addr) { - fprintf(stderr, "invalid mh_bss_end_addr address\n"); - exit(1); - } - mb_kernel_size = mh_bss_end_addr - mh_load_addr; - if (mh_load_end_addr < mh_load_addr) { fprintf(stderr, "invalid mh_load_end_addr address\n"); exit(1); @@ -249,8 +243,16 @@ int load_multiboot(FWCfgState *fw_cfg, fprintf(stderr, "invalid kernel_file_size\n"); exit(1); } - mb_kernel_size = kernel_file_size - mb_kernel_text_offset; - mb_load_size = mb_kernel_size; + mb_load_size = kernel_file_size - mb_kernel_text_offset; + } + if (mh_bss_end_addr) { + if (mh_bss_end_addr < (mh_load_addr + mb_load_size)) { + fprintf(stderr, "invalid mh_bss_end_addr address\n"); + exit(1); + } + mb_kernel_size = mh_bss_end_addr - mh_load_addr; + } else { + mb_kernel_size = mb_load_size; } /* Valid if mh_flags sets MULTIBOOT_HEADER_HAS_VBE. -- 2.17.0