From: "Michael S. Tsirkin" <mst@redhat.com>
To: David Gibson <david@gibson.dropbear.id.au>
Cc: qemu-ppc@nongnu.org, agraf@suse.de, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH 3/9] pci: Make bounds checks on config space accesses actually work
Date: Thu, 12 Jan 2012 15:32:32 +0200 [thread overview]
Message-ID: <20120112133231.GB16328@redhat.com> (raw)
In-Reply-To: <1326347188-12119-4-git-send-email-david@gibson.dropbear.id.au>
On Thu, Jan 12, 2012 at 04:46:22PM +1100, David Gibson wrote:
> The pci_host_config_{read,write}_common() functions perform PCI config
> accesses. They take a limit parameter which they appear to be supposed
> to bounds check against, however the bounds checking logic, such as it is,
> is completely broken.
>
> Currently, it takes the minimum of the supplied length and the remaining
> space in the region and passes that as the length to the underlying
> config_{read,write} function pointer. This means that accesses which
> partially overrun the region will be silently truncated - which makes
> little sense.
Why does it make little sense? Makes sense to me.
> Accesses which entirely overrun the region will *not*
> be blocked (an exploitable bug)
>, because in that case (limit - addr) will
> be negative and so the unsigned MIN will always return len instead. Even
> if signed arithmetic was used, the config_{read,write} callback wouldn't
> know what to do with a negative len parameter.
The assumption was callers never pass in such values.
Could you please give an example how this exploitable bug
can get triggered?
>
> This patch handles things more sanely by simply ignoring writes which
> overrun, and returning -1 for reads, which is the usual hardware convention
> for reads to unpopulated IO regions.
>
> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
> ---
> hw/pci_host.c | 10 ++++++++--
> 1 files changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/hw/pci_host.c b/hw/pci_host.c
> index 44c6c20..16b3ac3 100644
> --- a/hw/pci_host.c
> +++ b/hw/pci_host.c
> @@ -51,14 +51,20 @@ void pci_host_config_write_common(PCIDevice *pci_dev, uint32_t addr,
> uint32_t limit, uint32_t val, uint32_t len)
> {
> assert(len <= 4);
> - pci_dev->config_write(pci_dev, addr, val, MIN(len, limit - addr));
> + if ((addr + len) <= limit) {
> + pci_dev->config_write(pci_dev, addr, val, len);
> + }
> }
>
> uint32_t pci_host_config_read_common(PCIDevice *pci_dev, uint32_t addr,
> uint32_t limit, uint32_t len)
> {
> assert(len <= 4);
> - return pci_dev->config_read(pci_dev, addr, MIN(len, limit - addr));
> + if ((addr + len) <= limit) {
> + return pci_dev->config_read(pci_dev, addr, len);
> + } else {
> + return ~0x0;
> + }
> }
>
> void pci_data_write(PCIBus *s, uint32_t addr, uint32_t val, int len)
> --
> 1.7.7.3
>
next prev parent reply other threads:[~2012-01-12 13:33 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-01-12 5:46 [Qemu-devel] [0/9] Bugfixes and pseries enhancements David Gibson
2012-01-12 5:46 ` [Qemu-devel] [PATCH 1/9] load_image_targphys() should enforce the max size David Gibson
2012-01-12 5:46 ` [Qemu-devel] [PATCH 2/9] Fix dirty logging with 32-bit qemu & 64-bit guests David Gibson
2012-01-12 5:46 ` [Qemu-devel] [PATCH 3/9] pci: Make bounds checks on config space accesses actually work David Gibson
2012-01-12 13:19 ` Alexander Graf
2012-01-12 13:33 ` Michael S. Tsirkin
2012-01-12 13:32 ` Michael S. Tsirkin [this message]
2012-01-13 0:26 ` [Qemu-devel] [Qemu-ppc] " David Gibson
2012-01-13 1:23 ` Michael S. Tsirkin
2012-01-13 1:44 ` David Gibson
2012-01-16 11:24 ` Alexander Graf
2012-01-12 5:46 ` [Qemu-devel] [PATCH 4/9] Update gitignore file David Gibson
2012-01-12 5:46 ` [Qemu-devel] [PATCH 5/9] Correct types in bmdma_addr_{read,write} David Gibson
2012-01-12 5:46 ` [Qemu-devel] [PATCH 6/9] pseries: Support PCI extended config space in RTAS calls David Gibson
2012-01-12 5:46 ` [Qemu-devel] [PATCH 7/9] pseries: Use correct dispatcher for PCI config space accesses David Gibson
2012-01-12 5:46 ` [Qemu-devel] [PATCH 8/9] pseries: Don't try to munmap() a malloc()ed TCE table David Gibson
2012-01-12 5:46 ` [Qemu-devel] [PATCH 9/9] pseries: SLOF PCI flag day David Gibson
2012-01-13 14:15 ` [Qemu-devel] [0/9] Bugfixes and pseries enhancements Alexander Graf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120112133231.GB16328@redhat.com \
--to=mst@redhat.com \
--cc=agraf@suse.de \
--cc=david@gibson.dropbear.id.au \
--cc=qemu-devel@nongnu.org \
--cc=qemu-ppc@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.