QEMU

Missing checks for valid, writable, firmware in fw_cfg_write

Bug #786211 reported by Nelson Elhage on 2011-05-21

258

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	QEMU	Fix Released	Undecided	Unassigned

Bug Description

The `fw_cfg_write` function in the firmware emulation is missing checks to ensure that the firmware being written is (a) a valid index, and (b) writable. This can lead to a segmentation fault and potentially (in the case of writing to FW_CFG_INVALID), memory corruption, although the attacker has fairly limited control over whether and what corruption is possible.

Revision history for this message

Nelson Elhage (nelhage) wrote on 2011-05-21:

#1

0001-fw_cfg-Disallow-writes-to-non-writable-firmware-entr.patch Edit (1.1 KiB, text/plain)

visibility:

private → public

Revision history for this message

Thomas Huth (th-huth) wrote on 2016-10-18:

#2

fw_cfg_write() support has been removed since QEMU 2.4, so I think we can treat this as fixed now: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=023e3148567ac898c725813

Changed in qemu:
status:	New → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

0001-fw_cfg-Disallow-writes-to-non-writable-firmware-entr.patch Edit

Add patch

Remote bug watches

Bug watches keep track of this bug in other bug trackers.