qemu-devel.nongnu.org archive mirror
From: Stefano Stabellini <sstabellini@kernel.org>
To: stefanha@gmail.com
Cc: stefanha@redhat.com, peter.maydell@linaro.org,
	sstabellini@kernel.org, anthony.perard@citrix.com,
	xen-devel@lists.xenproject.org, qemu-devel@nongnu.org,
	Jan Beulich <JBeulich@suse.com>, Jan Beulich <jbeulich@suse.com>
Subject: [Qemu-devel] [PULL 1/5] xen: fix ioreq handling
Date: Tue, 22 Nov 2016 10:46:05 -0800
Message-ID: <1479840369-19503-1-git-send-email-sstabellini@kernel.org>
In-Reply-To: <alpine.DEB.2.10.1611221037010.21858@sstabellini-ThinkPad-X260>

From: Jan Beulich <JBeulich@suse.com>

Avoid double fetches and bounds check size to avoid overflowing
internal variables.

This is CVE-2016-9381 / XSA-197.

Reported-by: yanghongke <yanghongke@huawei.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
---
 xen-hvm.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/xen-hvm.c b/xen-hvm.c
index 150c7e7..99b8ee8 100644
--- a/xen-hvm.c
+++ b/xen-hvm.c
@@ -810,6 +810,10 @@ static void cpu_ioreq_pio(ioreq_t *req)
     trace_cpu_ioreq_pio(req, req->dir, req->df, req->data_is_ptr, req->addr,
                          req->data, req->count, req->size);
 
+    if (req->size > sizeof(uint32_t)) {
+        hw_error("PIO: bad size (%u)", req->size);
+    }
+
     if (req->dir == IOREQ_READ) {
         if (!req->data_is_ptr) {
             req->data = do_inp(req->addr, req->size);
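Review bot: the PIO bound is `sizeof(uint32_t)` while the MMIO check in `cpu_ioreq_move()` uses `sizeof(req->data)`, and nothing in this hunk says why the two differ; the `do_inp(req->addr, req->size)` call a few lines down is the obvious reason (port I/O is handled as a 32-bit value), so a one-line comment above the check saying so would keep a later reader from "harmonising" it to 8. The placement is right: the check comes before the `req->dir` and `data_is_ptr` branches, so both the inline-data and pointer paths are covered. Note that `hw_error()` aborts the device model, so a malformed `size` now produces a deterministic crash of this QEMU instance instead of an out-of-bounds access; that is the intended trade, but it deserves a sentence in the commit message.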
@@ -846,6 +850,10 @@ static void cpu_ioreq_move(ioreq_t *req)
     trace_cpu_ioreq_move(req, req->dir, req->df, req->data_is_ptr, req->addr,
                          req->data, req->count, req->size);
 
+    if (req->size > sizeof(req->data)) {
+        hw_error("MMIO: bad size (%u)", req->size);
+    }
+
     if (!req->data_is_ptr) {
         if (req->dir == IOREQ_READ) {
             for (i = 0; i < req->count; i++) {
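Review bot: `req->size` is bounded here but `req->count`, which drives the `for (i = 0; i < req->count; i++)` loop directly below, is not. If each element is moved through a fixed-width temporary and the loop body only reaches guest memory through the normal physical-memory accessors, then the size bound is the one that matters and `count` is merely a repetition count; the commit message's "overflowing internal variables" suggests exactly that, so a short comment naming the variable that `size <= sizeof(req->data)` protects would make the reasoning explicit rather than implied.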
@@ -1010,11 +1018,13 @@ static int handle_buffered_iopage(XenIOState *state)
         req.df = 1;
         req.type = buf_req->type;
         req.data_is_ptr = 0;
+        xen_rmb();
         qw = (req.size == 8);
         if (qw) {
             buf_req = &buf_page->buf_ioreq[(rdptr + 1) %
                                            IOREQ_BUFFER_SLOT_NUM];
             req.data |= ((uint64_t)buf_req->data) << 32;
+            xen_rmb();
         }
 
         handle_ioreq(state, &req);
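Review bot: the two added `xen_rmb()` calls carry no comment explaining what they order, and within the visible hunk there is no later store they obviously protect. Their value appears to be the compiler-barrier effect: forcing the fields already copied from `buf_req` into the local `req` to be materialised before `qw = (req.size == 8)` is evaluated and before the second-slot read, rather than letting the compiler re-load them from the shared page (the double fetch the commit message refers to). A comment such as `/* Read the whole entry before acting on it. */` above each call would record that; without it a future cleanup could drop a barrier that looks redundant and silently reintroduce the issue.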
@@ -1045,7 +1055,11 @@ static void cpu_handle_ioreq(void *opaque)
 
     handle_buffered_iopage(state);
     if (req) {
-        handle_ioreq(state, req);
+        ioreq_t copy = *req;
+
+        xen_rmb();
+        handle_ioreq(state, &copy);
+        req->data = copy.data;
 
         if (req->state != STATE_IOREQ_INPROCESS) {
             fprintf(stderr, "Badness in I/O request ... not in service?!: "
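Review bot: after `handle_ioreq(state, &copy)` the sanity check at the end of the hunk still reads `req->state` from the shared page rather than `copy.state`. That is presumably deliberate, since the check exists to notice the other side changing the state field while the request is in flight, but because the rest of the hunk is about never re-reading `*req`, a comment marking this shared read as intentional would stop someone from "fixing" it to `copy.state`. Likewise, `req->data = copy.data` is the only field written back, so any other member `handle_ioreq()` may modify in `copy` is discarded; if that is the contract, a comment saying that `data` is the sole output field would document it.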
-- 
1.9.1


Thread overview: 7+ messages
2016-11-22 18:45 [Qemu-devel] [PULL 0/5] xen-20161122-tag Stefano Stabellini
2016-11-22 18:46 ` Stefano Stabellini [this message]
2016-11-22 18:46   ` [Qemu-devel] [PULL 2/5] xen: add an own bus for xen backend devices Stefano Stabellini
2016-11-22 18:46   ` [Qemu-devel] [PULL 3/5] qdev: add function qdev_set_id() Stefano Stabellini
2016-11-22 18:46   ` [Qemu-devel] [PULL 4/5] xen: create qdev for each backend device Stefano Stabellini
2016-11-22 18:46   ` [Qemu-devel] [PULL 5/5] xen: attach pvusb usb bus to backend qdev Stefano Stabellini
2016-11-22 19:31 ` [Qemu-devel] [PULL 0/5] xen-20161122-tag Stefan Hajnoczi
