mirror of
https://github.com/qemu/qemu.git
synced 2026-07-08 17:46:10 +00:00
Merge tag 's390x-20260629' of https://gitlab.com/cohuck/qemu into staging
Fix a potential way for an s390x/kvm guest to crash QEMU while filling a STSI buffer. # -----BEGIN PGP SIGNATURE----- # # iIgEABYKADAWIQRpo7U29cv8ZSCAJsHeiLtWQd5mwQUCakJyoxIcY29odWNrQHJl # ZGhhdC5jb20ACgkQ3oi7VkHeZsGXNQEA1pKKaD39nYxYTa3/wRQFIaa+eQ8q8IsH # GrbveEStsgwBAKWj6+tAgb4SQDdugu9UADMgdvZyAewmbYzL29/qn1MB # =Gqpa # -----END PGP SIGNATURE----- # gpg: Signature made Mon 29 Jun 2026 15:26:59 CEST # gpg: using EDDSA key 69A3B536F5CBFC65208026C1DE88BB5641DE66C1 # gpg: issuer "cohuck@redhat.com" # gpg: Good signature from "Cornelia Huck <conny@cornelia-huck.de>" [unknown] # gpg: aka "Cornelia Huck <cohuck@kernel.org>" [unknown] # gpg: aka "Cornelia Huck <cornelia.huck@de.ibm.com>" [full] # gpg: aka "Cornelia Huck <huckc@linux.vnet.ibm.com>" [full] # gpg: aka "Cornelia Huck <cohuck@redhat.com>" [unknown] # gpg: WARNING: The key's User ID is not certified with a trusted signature! # gpg: There is no indication that the signature belongs to the owner. # Primary key fingerprint: C3D0 D66D C362 4FF6 A8C0 18CE DECF 6B93 C6F0 2FAF # Subkey fingerprint: 69A3 B536 F5CB FC65 2080 26C1 DE88 BB56 41DE 66C1 * tag 's390x-20260629' of https://gitlab.com/cohuck/qemu: s390x/kvm: clamp stsi 3.2.2 size Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
This commit is contained in:
@@ -1765,6 +1765,15 @@ static void insert_stsi_3_2_2(S390CPU *cpu, __u64 addr, uint8_t ar)
|
||||
} else if (s390_cpu_virt_mem_read(cpu, addr, ar, &sysib, sizeof(sysib))) {
|
||||
return;
|
||||
}
|
||||
|
||||
/*
|
||||
* The memory was filled by the kernel but mapped into the guest.
|
||||
* If something is fishy, do not touch the buffer.
|
||||
*/
|
||||
if (sysib.count == 0 || sysib.count > ARRAY_SIZE(sysib.ext_names)) {
|
||||
return;
|
||||
}
|
||||
|
||||
/* Shift the stack of Extended Names to prepare for our own data */
|
||||
memmove(&sysib.ext_names[1], &sysib.ext_names[0],
|
||||
sizeof(sysib.ext_names[0]) * (sysib.count - 1));
|
||||
|
||||
Reference in New Issue
Block a user