File CVE-2018-7550-qemuu-multiboot-OOB-access-while-loading-kernel-image.patch of Package xen.7317
While loading a kernel via a multiboot-v1 image, (flags & 0x00010000)
indicates that the multiboot header contains valid addresses to load
the kernel image. In that case, the end of the data segment address
'mh_load_end_addr' should be less than the bss segment address
'mh_bss_end_addr'. Add a check to validate that.
Reported-by: CERT CC <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/i386/multiboot.c | 4 ++++
1 file changed, 4 insertions(+)
Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/i386/multiboot.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/i386/multiboot.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/i386/multiboot.c
@@ -200,7 +200,13 @@ int load_multiboot(FWCfgState *fw_cfg,
uint32_t mh_header_addr = ldl_p(header+i+12);
uint32_t mh_load_end_addr = ldl_p(header+i+20);
uint32_t mh_bss_end_addr = ldl_p(header+i+24);
+
mh_load_addr = ldl_p(header+i+16);
+ if (mh_load_end_addr > mh_bss_end_addr) {
+ fprintf(stderr, "invalid mh_load_end_addr address\n");
+ exit(1);
+ }
+
uint32_t mb_kernel_text_offset = i - (mh_header_addr - mh_load_addr);
uint32_t mb_load_size = 0;
mh_entry_addr = ldl_p(header+i+28);
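Review bot: the condition `if (mh_load_end_addr > mh_bss_end_addr)` does not match the commit message, which says mh_load_end_addr "should be less than" mh_bss_end_addr: the check as written accepts the two being equal. Either reword the message to "must not exceed" or, if equality is really meant to be rejected, use `>=`. Also note that the new check guards only the load-end/bss-end pair; the computation on the following context line, `uint32_t mb_kernel_text_offset = i - (mh_header_addr - mh_load_addr);`, still uses header-supplied mh_header_addr and mh_load_addr with no validation that mh_header_addr >= mh_load_addr, so that subtraction can still wrap around on a hostile header. It would be worth stating in the message (or a comment above the check) which of the header-supplied addresses this patch is intended to cover, so a reader does not assume the remaining ones are validated too.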