From: "Michael S. Tsirkin" <mst@redhat.com>
To: P J P <ppandit@redhat.com>
Cc: "Daniel P . Berrangé" <berrange@redhat.com>,
"Prasad J Pandit" <pjp@fedoraproject.org>,
"Yi Ren" <c4tren@gmail.com>,
"QEMU Developers" <qemu-devel@nongnu.org>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Ren Ding" <rding@gatech.edu>,
pbonzini@redhat.com, "Philippe Mathieu-Daudé" <philmd@redhat.com>,
"Hanqing Zhao" <hanqing@gatech.edu>
Subject: Re: [PATCH v3] ati-vga: check address before reading configuration bytes (CVE-2020-13791)
Date: Thu, 4 Jun 2020 07:49:54 -0400 [thread overview]
Message-ID: <20200604074539-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <20200604105524.46158-1-ppandit@redhat.com>
On Thu, Jun 04, 2020 at 04:25:24PM +0530, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> While reading PCI configuration bytes, a guest may send an
> address towards the end of the configuration space. It may lead
> to an OOB access issue. Add check to ensure 'address + size' is
> within PCI configuration space.
>
> Reported-by: Ren Ding <rding@gatech.edu>
> Reported-by: Hanqing Zhao <hanqing@gatech.edu>
> Reported-by: Yi Ren <c4tren@gmail.com>
> Suggested-by: BALATON Zoltan <balaton@eik.bme.hu>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
BTW, this only happens on unaligned accesses.
And the IO memory region in question does not set valid.unaligned
or .impl.unaligned.
And the documentation says:
- .valid.unaligned specifies that the *device being modelled* supports
unaligned accesses; if false, unaligned accesses will invoke the
appropriate bus or CPU specific behaviour.
and
- .impl.unaligned specifies that the *implementation* supports unaligned
accesses; if false, unaligned accesses will be emulated by two aligned
accesses.
Is this then another case of a memory core bug which should have either
failed the access or split it?
> ---
> hw/display/ati.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> Update v3: avoid modifying 'addr' variable
> -> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00834.html
>
> diff --git a/hw/display/ati.c b/hw/display/ati.c
> index 67604e68de..b4d0fd88b7 100644
> --- a/hw/display/ati.c
> +++ b/hw/display/ati.c
> @@ -387,7 +387,9 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
> val = s->regs.crtc_pitch;
> break;
> case 0xf00 ... 0xfff:
> - val = pci_default_read_config(&s->dev, addr - 0xf00, size);
> + if ((addr - 0xf00) + size <= pci_config_size(&s->dev)) {
> + val = pci_default_read_config(&s->dev, addr - 0xf00, size);
> + }
> break;
> case CUR_OFFSET:
> val = s->regs.cur_offset;
> --
> 2.26.2
next prev parent reply other threads:[~2020-06-04 11:51 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-04 10:55 [PATCH v3] ati-vga: check address before reading configuration bytes (CVE-2020-13791) P J P
2020-06-04 11:49 ` Michael S. Tsirkin [this message]
2020-06-04 11:56 ` Philippe Mathieu-Daudé
2020-06-04 12:00 ` Michael S. Tsirkin
2020-07-02 7:54 ` Michael Tokarev
2020-07-02 9:36 ` Paolo Bonzini
2020-06-04 12:01 ` Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200604074539-mutt-send-email-mst@kernel.org \
--to=mst@redhat.com \
--cc=berrange@redhat.com \
--cc=c4tren@gmail.com \
--cc=hanqing@gatech.edu \
--cc=kraxel@redhat.com \
--cc=pbonzini@redhat.com \
--cc=philmd@redhat.com \
--cc=pjp@fedoraproject.org \
--cc=ppandit@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=rding@gatech.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.