This bug was initially created as a copy of Bug #1867739

I am copying this bug because: The crash is hit with RHEL-8.3.0 (QEMU 4.2 upstream). It's worth fixing it in RHEL-8.3.1.

Description of problem:

`-prom-env` takes raw strings from the command-line and passes them through unvalidated into the NVRAM. It's possible to cause QEMU to abort by passing it malformed input.

```
ppc64-softmmu/qemu-system-ppc64 $(for ((x=0;x<128;x++)); do \
    echo -n " -prom-env "$(for ((y=0;y<1024;y++)); do echo -n x ; done) ; \
done)
free(): invalid next size (normal)
Aborted (core dumped)
```

Version-Release number of selected component (if applicable):
Observed upstream as of 5.1-rc4.

Expected results:
QEMU performs some light validation of the user's input such that QEMU does not crash. (What the guest does is another story.)
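The defect described above (option values copied into a fixed-size NVRAM image with no check on their total length) and the behaviour of the fixed build quoted later in this bug (the option set is rejected with "NVRAM is too small") can be illustrated with a constructed model. The C below is an added example and is not QEMU's code: the flat "value\0" layout, the 64 KiB NVRAM size and the function names are assumptions made for the illustration; QEMU's real NVRAM has partition headers and accounting that this model omits.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (assumption for this example): the NVRAM is a flat byte
 * array and every -prom-env value is appended as a NUL-terminated string. */
#define NVRAM_SIZE (64 * 1024)

/* Before: the pattern the report describes. The combined length of all
 * -prom-env values is never compared with the NVRAM capacity, so enough long
 * values write past the end of the buffer and corrupt the heap (glibc reports
 * it as "free(): invalid next size"). Shown for contrast; never called on
 * oversized input in this file. */
void prom_env_pack_unchecked(uint8_t *nvram, const char **envs, size_t n)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(envs[i]) + 1;   /* include terminating NUL */
        memcpy(nvram + off, envs[i], len);  /* no bound on off + len */
        off += len;
    }
}

/* After: account for every byte before copying anything and refuse the whole
 * set if it does not fit. Returns 0 on success and -1 when the data would not
 * fit; nothing is written in the failure case, so the image stays consistent. */
int prom_env_pack_checked(uint8_t *nvram, size_t capacity,
                          const char **envs, size_t n)
{
    size_t needed = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(envs[i]) + 1;
        /* Compare against the remaining space rather than summing first, so
         * the accounting itself cannot overflow size_t. */
        if (len > capacity - needed) {
            fprintf(stderr,
                    "NVRAM is too small. Try to pass less data to -prom-env\n");
            return -1;
        }
        needed += len;
    }
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(envs[i]) + 1;
        memcpy(nvram + off, envs[i], len);
        off += len;
    }
    return 0;
}

/* Builds the reproducer's input in memory (`count` values of `len` 'x'
 * characters each) and runs the checked packer over it.
 * Returns 0 when accepted, -1 when rejected, -2 on allocation failure. */
int try_prom_env(size_t count, size_t len)
{
    static uint8_t nvram[NVRAM_SIZE];
    char *buf = malloc(count * (len + 1));
    const char **envs = malloc(count * sizeof *envs);
    if (!buf || !envs) {
        free(buf);
        free(envs);
        return -2;
    }
    for (size_t i = 0; i < count; i++) {
        envs[i] = buf + i * (len + 1);
        memset(buf + i * (len + 1), 'x', len);
        buf[i * (len + 1) + len] = '\0';
    }
    int rc = prom_env_pack_checked(nvram, sizeof nvram, envs, count);
    free(envs);
    free(buf);
    return rc;
}

int main(void)
{
    /* Same shape as the reproducer in the report: 128 values of 1024 bytes
     * (131200 bytes with terminators), which exceeds the 64 KiB image. */
    printf("128 x 1024: %s\n",
           try_prom_env(128, 1024) == 0 ? "accepted" : "rejected");
    printf("  8 x   64: %s\n",
           try_prom_env(8, 64) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The point of the two-pass shape is that the check happens before any copy: a single oversized value near the end of the option list cannot leave a half-written image behind, and the remaining-space comparison avoids a second bug where the running total itself wraps around.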
Reproduced the issue with the old build qemu-kvm-4.2.0-34.module+el8.3.0+7976+077be4ec.ppc64le

Verified the bug with the following build qemu-kvm-4.2.0-35.module+el8.4.0+8453+f5da6c50.ppc64le

```
[root@ibm-p9wr-02 qemu-kvm]# /usr/libexec/qemu-kvm $(for ((x=0;x<128;x++)); do \
> echo -n " -prom-env "$(for ((y=0;y<1024;y++)); do echo -n x ; done) ; \
> done)
qemu-kvm: NVRAM is too small. Try to pass less data to -prom-env
```

The original issue has been fixed, there's no coredump anymore, thanks.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:1762