From: "Michael S. Tsirkin" <mst@redhat.com>
To: "Philippe Mathieu-Daudé" <philmd@redhat.com>
Cc: "Daniel P. Berrangé" <berrange@redhat.com>,
"Prasad J Pandit" <pjp@fedoraproject.org>,
"Yi Ren" <c4tren@gmail.com>,
"QEMU Developers" <qemu-devel@nongnu.org>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Ren Ding" <rding@gatech.edu>,
pbonzini@redhat.com, "P J P" <ppandit@redhat.com>,
"Hanqing Zhao" <hanqing@gatech.edu>
Subject: Re: [PATCH v3] ati-vga: check address before reading configuration bytes (CVE-2020-13791)
Date: Thu, 4 Jun 2020 08:00:50 -0400 [thread overview]
Message-ID: <20200604075931-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <88d6e41e-c486-4a35-af43-84018491071f@redhat.com>
On Thu, Jun 04, 2020 at 01:56:45PM +0200, Philippe Mathieu-Daudé wrote:
> On 6/4/20 1:49 PM, Michael S. Tsirkin wrote:
> > On Thu, Jun 04, 2020 at 04:25:24PM +0530, P J P wrote:
> >> From: Prasad J Pandit <pjp@fedoraproject.org>
> >>
> >> While reading PCI configuration bytes, a guest may send an
> >> address towards the end of the configuration space. It may lead
> >> to an OOB access issue. Add check to ensure 'address + size' is
> >> within PCI configuration space.
> >>
> >> Reported-by: Ren Ding <rding@gatech.edu>
> >> Reported-by: Hanqing Zhao <hanqing@gatech.edu>
> >> Reported-by: Yi Ren <c4tren@gmail.com>
> >> Suggested-by: BALATON Zoltan <balaton@eik.bme.hu>
> >> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> >
> > BTW, this only happens on unaligned accesses.
> > And the IO memory region in question does not set valid.unaligned
> > or .impl.unaligned.
> >
> > And the documentation says:
> >
> > - .valid.unaligned specifies that the *device being modelled* supports
> > unaligned accesses; if false, unaligned accesses will invoke the
> > appropriate bus or CPU specific behaviour.
> >
> > and
> >
> > - .impl.unaligned specifies that the *implementation* supports unaligned
> > accesses; if false, unaligned accesses will be emulated by two aligned
> > accesses.
> >
> > Is this then another case of a memory core bug which should have either
> > failed the access or split it?
>
> Related:
> https://www.mail-archive.com/qemu-devel@nongnu.org/msg695362.html
> earlier comment:
> https://www.mail-archive.com/qemu-devel@nongnu.org/msg694805.html
Yea looks like more devices following documentation and memory core
doing something else instead.
> >
> >> ---
> >> hw/display/ati.c | 4 +++-
> >> 1 file changed, 3 insertions(+), 1 deletion(-)
> >>
> >> Update v3: avoid modifying 'addr' variable
> >> -> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00834.html
> >>
> >> diff --git a/hw/display/ati.c b/hw/display/ati.c
> >> index 67604e68de..b4d0fd88b7 100644
> >> --- a/hw/display/ati.c
> >> +++ b/hw/display/ati.c
> >> @@ -387,7 +387,9 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
> >> val = s->regs.crtc_pitch;
> >> break;
> >> case 0xf00 ... 0xfff:
> >> - val = pci_default_read_config(&s->dev, addr - 0xf00, size);
> >> + if ((addr - 0xf00) + size <= pci_config_size(&s->dev)) {
> >> + val = pci_default_read_config(&s->dev, addr - 0xf00, size);
> >> + }
> >> break;
> >> case CUR_OFFSET:
> >> val = s->regs.cur_offset;
> >> --
> >> 2.26.2
> >
next prev parent reply other threads:[~2020-06-04 12:02 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-04 10:55 [PATCH v3] ati-vga: check address before reading configuration bytes (CVE-2020-13791) P J P
2020-06-04 11:49 ` Michael S. Tsirkin
2020-06-04 11:56 ` Philippe Mathieu-Daudé
2020-06-04 12:00 ` Michael S. Tsirkin [this message]
2020-07-02 7:54 ` Michael Tokarev
2020-07-02 9:36 ` Paolo Bonzini
2020-06-04 12:01 ` Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200604075931-mutt-send-email-mst@kernel.org \
--to=mst@redhat.com \
--cc=berrange@redhat.com \
--cc=c4tren@gmail.com \
--cc=hanqing@gatech.edu \
--cc=kraxel@redhat.com \
--cc=pbonzini@redhat.com \
--cc=philmd@redhat.com \
--cc=pjp@fedoraproject.org \
--cc=ppandit@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=rding@gatech.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.