Missing checks for non-existent device in ide_exec_cmd

Bug #786208 reported by Nelson Elhage on 2011-05-21
Affects: QEMU
Importance: Undecided
Assigned to: John Snow

Bug Description

Several calls in the ide_exec_cmd handler are missing checks for (!s->bs) or similar, resulting in NULL pointer dereferences, divide-by-zero, or possibly other badness if the guest performs operations on a non-existent IDE master.

For example, the WIN_READ_NATIVE_MAX command does a 'ide_set_sector(s, s->nb_sectors - 1);', which does 'cyl = sector_num / (s->heads * s->sectors);', which will fail with a divide-by-zero if heads = sectors = 0.

And WIN_MULTREAD also does not check for s->bs, but does a 'ide_sector_read(s);', which will do 'bdrv_read(s->bs, sector_num, s->io_buffer, n);' on a NULL s->bs, leading to a segfault.

I do not *believe* that a malicious guest can do anything more than cause a crash with these bugs.
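The missing guard the report describes, as an added C illustration that is not QEMU's code: a simplified stand-in for the IDE device state, the cylinder computation from ide_set_sector, and a command handler that aborts when no device is attached beside the unguarded form (the struct fields and function names here are hypothetical).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the IDE device state; not QEMU's IDEState. */
typedef struct {
    void *bs;            /* backing block device; NULL when no drive is attached */
    int64_t nb_sectors;  /* 0 for an absent drive */
    int heads;           /* 0 for an absent drive */
    int sectors;         /* 0 for an absent drive */
    int64_t cyl;         /* cylinder computed by the last command */
} IDEState;

/* The division the report points at: cyl = sector_num / (heads * sectors).
 * With heads = sectors = 0 this is an integer divide-by-zero (SIGFPE). */
static int64_t cyl_for_sector(int64_t sector_num, int heads, int sectors) {
    return sector_num / (heads * sectors);
}

/* Unguarded handler: READ NATIVE MAX ADDRESS against an empty slot crashes. */
static bool read_native_max_unguarded(IDEState *s) {
    s->cyl = cyl_for_sector(s->nb_sectors - 1, s->heads, s->sectors);
    return true;
}

/* Guarded handler: the (!s->bs) style check the report says is missing.
 * Returning false models aborting the ATA command instead of touching
 * geometry or the (NULL) block device. */
static bool read_native_max_guarded(IDEState *s) {
    if (s->bs == NULL || s->heads == 0 || s->sectors == 0) {
        return false;
    }
    s->cyl = cyl_for_sector(s->nb_sectors - 1, s->heads, s->sectors);
    return true;
}

static IDEState make_state(void *bs, int64_t nb, int heads, int sectors) {
    IDEState s = { bs, nb, heads, sectors, 0 };
    return s;
}

int main(void) {
    int backing;                                   /* stands in for a real drive */
    IDEState disk = make_state(&backing, 2048, 16, 63); /* constructed geometry */
    IDEState empty = make_state(NULL, 0, 0, 0);         /* no IDE master present */
    printf("disk: ok=%d cyl=%lld\n", read_native_max_guarded(&disk), (long long)disk.cyl);
    printf("empty: ok=%d\n", read_native_max_guarded(&empty)); /* aborted, no crash */
    return 0;
}
```

The unguarded variant is only ever safe to call on the populated state; calling it on the empty one reproduces the divide-by-zero from the report.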

John Snow (jnsnow) on 2016-08-31
Changed in qemu:
assignee: nobody → John Snow (jnsnow)