Bug 1874780 - -prom-env does not validate input
Summary: -prom-env does not validate input
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: qemu-kvm
Version: 8.3
Hardware: ppc64
OS: All
Target Milestone: rc
: 8.4
Assignee: Greg Kurz
QA Contact: Min Deng
Depends On:
TreeView+ depends on / blocked
Reported: 2020-09-02 08:24 UTC by Greg Kurz
Modified: 2022-04-27 05:56 UTC (History)
4 users (show)

Fixed In Version: qemu-kvm-4.2.0-35.module+el8.4.0+8453+f5da6c50
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2021-05-18 15:21:44 UTC
Type: Bug
Target Upstream Version:

Attachments (Terms of Use)

Description Greg Kurz 2020-09-02 08:24:04 UTC
This bug was initially created as a copy of Bug #1867739

I am copying this bug because: 

The crash is hit with RHEL-8.3.0 (QEMU 4.2 upstream). It's worth fixing in it in RHEL-8.3.1.

Description of problem:

`-prom-env` takes raw strings from the command-line and passes them through unvalidated into the NVRAM. It's possible to cause QEMU to abort by passing it malformed input.

ppc64-softmmu/qemu-system-ppc64 $(for ((x=0;x<128;x++)); do \
 echo -n " -prom-env "$(for ((y=0;y<1024;y++)); do echo -n x ; done) ; \
free(): invalid next size (normal)
Aborted (core dumped)

Version-Release number of selected component (if applicable):

Observed upstream as of 5.1-rc4.

Expected results: QEMU performs some light validation of either the user's input such that QEMU does not crash. (What the guest does is another story.)

Comment 7 Min Deng 2020-10-26 05:57:27 UTC
Reproduced the issue with old builds
verified the bug with the following build

[root@ibm-p9wr-02 qemu-kvm]# /usr/libexec/qemu-kvm $(for ((x=0;x<128;x++)); do \
>  echo -n " -prom-env "$(for ((y=0;y<1024;y++)); do echo -n x ; done) ; \
> done)
qemu-kvm: NVRAM is too small. Try to pass less data to -prom-env

The original issue has been fixed, there's no coredump anymore, thanks.

Comment 11 errata-xmlrpc 2021-05-18 15:21:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.