diff options
| author | Philippe Mathieu-Daudé | 2022-11-28 21:27:41 +0100 |
|---|---|---|
| committer | Stefan Hajnoczi | 2022-11-30 00:15:26 +0100 |
| commit | 86fdb0582c653a9824183679403a85f588260d62 (patch) | |
| tree | e9fd4e0489a7748b6b512833fc041cdef605966e | |
| parent | hw/display/qxl: Avoid buffer overrun in qxl_phys2virt (CVE-2022-4144) (diff) | |
| download | qemu-86fdb0582c653a9824183679403a85f588260d62.tar.gz qemu-86fdb0582c653a9824183679403a85f588260d62.tar.xz qemu-86fdb0582c653a9824183679403a85f588260d62.zip | |
hw/display/qxl: Assert memory slot fits in preallocated MemoryRegion
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20221128202741.4945-6-philmd@linaro.org>
| -rw-r--r-- | hw/display/qxl.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/hw/display/qxl.c b/hw/display/qxl.c index 0b21626aad..6772849dec 100644 --- a/hw/display/qxl.c +++ b/hw/display/qxl.c @@ -1384,6 +1384,7 @@ static int qxl_add_memslot(PCIQXLDevice *d, uint32_t slot_id, uint64_t delta, qxl_set_guest_bug(d, "%s: pci_region = %d", __func__, pci_region); return 1; } + assert(guest_end - pci_start <= memory_region_size(mr)); virt_start = (intptr_t)memory_region_get_ram_ptr(mr); memslot.slot_id = slot_id; |