1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
|
device: 0.886
performance: 0.835
graphic: 0.759
semantic: 0.704
mistranslation: 0.676
network: 0.654
architecture: 0.620
register: 0.606
kernel: 0.602
i386: 0.575
peripherals: 0.566
PID: 0.562
hypervisor: 0.545
permissions: 0.544
risc-v: 0.517
debug: 0.506
x86: 0.503
vnc: 0.493
files: 0.468
ppc: 0.466
assembly: 0.463
socket: 0.462
VMM: 0.451
virtual: 0.446
user-level: 0.419
arm: 0.405
boot: 0.384
TCG: 0.347
KVM: 0.246
Missing checks for non-existent device in ide_exec_cmd
Several calls in the ide_exec_cmd handler are missing checks for (!s->bs) or similar, resulting in NULL pointer dereferences, divide-by-zero, or possibly other badness if the guest performs operations on a non-existent IDE master.
For example, the WIN_READ_NATIVE_MAX command does a 'ide_set_sector(s, s->nb_sectors - 1);', which does 'cyl = sector_num / (s->heads * s->sectors);', which will fail with a divide-by-zero if heads = sectors = 0.
And WIN_MULTREAD also does not check for s->bs, but does a 'ide_sector_read(s);', which will do 'bdrv_read(s->bs, sector_num, s->io_buffer, n);' on a NULL s->bs, leading to a segfault.
I do not *believe* that a malicious guest can do anything more than cause a crash with these bugs.
The QEMU project is currently considering to move its bug tracking to another system. For this we need to know which bugs are still valid and which could be closed already. Thus we are setting older bugs to "Incomplete" now.
If you still think this bug report here is valid, then please switch the state back to "New" within the next 60 days, otherwise this report will be marked as "Expired". Or mark it as "Fix Released" if the problem has been solved with a newer version of QEMU already. Thank you and sorry for the inconvenience.
[Expired for QEMU because there has been no activity for 60 days.]
|