Skip to content

Commit

Permalink
dm: fix possible buffer overflow in 'acrn_load_elf()'
Browse files Browse the repository at this point in the history 
  Will attempt to access element 2048..2049 of
  array "ptr32" if below conditions are both true:
  1) ptr32[i] == MULTIBOOT_HEAD_MAGIC
  2) (i == (ELF_BUF_LEN/4) - 1)

Tracked-On: #1252
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
Acked-by: Fengwei Yin <fengwei.yin@intel.com>
  • Loading branch information
@yonghuah @NanlinXie
yonghuah authored and NanlinXie committed Oct 27, 2018
1 parent dc7df1c commit 8860af3
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion devicemodel/core/sw_load_elf.c
View file
Expand Up @@ -194,7 +194,7 @@ acrn_load_elf(struct vmctx *ctx, char *elf_file_name, unsigned long *entry,
* info prepared.
*/
ptr32 = (unsigned int *) elf_buf;
for (i = 0; i < ELF_BUF_LEN/4; i++) {
for (i = 0; i <= ((ELF_BUF_LEN/4) - 3); i++) {
if (ptr32[i] == MULTIBOOT_HEAD_MAGIC) {
int j = 0;
unsigned int sum = 0;
Expand Down

0 comments on commit 8860af3

Please sign in to comment.