Missing checks for valid, writable, firmware in fw_cfg_write
The `fw_cfg_write` function in the firmware emulation is missing checks to ensure that the firmware being written is (a) a valid index, and (b) writable. This can lead to a segmentation fault and potentially (in the case of writing to FW_CFG_INVALID), memory corruption, although the attacker has fairly limited control over whether and what corruption is possible.
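The two checks the report says were missing are easy to state as code. The block below is an added illustration written for this page, not QEMU's `fw_cfg_write` and not its real data structures: the item table, the `allow_write` flag, the status enum and the `scenario()` helper are all constructed for the example. It shows a write path that refuses an unselected or out-of-range key (the `FW_CFG_INVALID` sentinel value of `0xffff` is assumed), refuses a read-only item, and also bounds-checks the write offset before touching memory, so a guest that selects a bad key or writes past an item gets a clean error instead of a fault or out-of-bounds store.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a fw_cfg-style item table (not QEMU's real structures). */
#define FW_CFG_INVALID   0xffff  /* assumed sentinel for "no key selected" */
#define FW_CFG_MAX_ENTRY 4       /* constructed table size */

typedef struct {
    uint8_t *data;       /* item payload, NULL when the slot is unpopulated */
    size_t   len;        /* payload length in bytes */
    bool     allow_write; /* hypothetical flag: may the guest overwrite this item? */
} FWCfgEntry;

typedef struct {
    FWCfgEntry entries[FW_CFG_MAX_ENTRY];
    uint16_t   cur_entry;  /* currently selected key, FW_CFG_INVALID if none */
    size_t     cur_offset; /* byte offset of the next read/write within the item */
} FWCfgState;

typedef enum {
    FW_CFG_WRITE_OK,
    FW_CFG_WRITE_BAD_INDEX,  /* key is FW_CFG_INVALID or past the table */
    FW_CFG_WRITE_READONLY,   /* item exists but is not writable (or is empty) */
    FW_CFG_WRITE_PAST_END    /* offset has run off the end of the item */
} FWCfgWriteStatus;

/* Hardened write: every check runs before any memory is indexed or stored to. */
FWCfgWriteStatus fw_cfg_write_checked(FWCfgState *s, uint8_t value)
{
    /* (a) the selected key must be a valid table index, never the sentinel */
    if (s->cur_entry == FW_CFG_INVALID || s->cur_entry >= FW_CFG_MAX_ENTRY)
        return FW_CFG_WRITE_BAD_INDEX;

    FWCfgEntry *e = &s->entries[s->cur_entry];

    /* (b) the item must be one the guest is allowed to write, and must exist */
    if (!e->allow_write || e->data == NULL)
        return FW_CFG_WRITE_READONLY;

    /* (c) the write must stay inside the item's buffer */
    if (s->cur_offset >= e->len)
        return FW_CFG_WRITE_PAST_END;

    e->data[s->cur_offset++] = value;
    return FW_CFG_WRITE_OK;
}

/* Builds a fixed two-item table (slot 0 read-only, slot 1 writable, 2 bytes),
 * selects `key` at `offset`, and attempts one byte write. */
FWCfgWriteStatus scenario(uint16_t key, size_t offset)
{
    static uint8_t ro_blob[4] = {1, 2, 3, 4}; /* constructed read-only item */
    static uint8_t rw_blob[2] = {0, 0};       /* constructed writable item */
    FWCfgState s;
    memset(&s, 0, sizeof s);
    s.entries[0].data = ro_blob; s.entries[0].len = sizeof ro_blob; s.entries[0].allow_write = false;
    s.entries[1].data = rw_blob; s.entries[1].len = sizeof rw_blob; s.entries[1].allow_write = true;
    s.cur_entry  = key;
    s.cur_offset = offset;
    return fw_cfg_write_checked(&s, 0xAA);
}

int main(void)
{
    static const char *names[] = {"OK", "BAD_INDEX", "READONLY", "PAST_END"};
    printf("invalid key      -> %s\n", names[scenario(FW_CFG_INVALID, 0)]);
    printf("key 7 (no slot)  -> %s\n", names[scenario(7, 0)]);
    printf("key 0 read-only  -> %s\n", names[scenario(0, 0)]);
    printf("key 1 offset 0   -> %s\n", names[scenario(1, 0)]);
    printf("key 1 offset 2   -> %s\n", names[scenario(1, 2)]);
    return 0;
}
```

The order of the checks matters: the index test comes first because the table lookup that follows is itself the out-of-bounds access, and the writability test precedes the offset test because a read-only item should be rejected regardless of where the guest has positioned the offset.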
fw_cfg_write() support has been removed since QEMU 2.4, so I think we can treat this as fixed now: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=023e3148567ac898c725813