[Qemu-devel] [PULL 25/50] multiboot: validate multiboot header address values

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: Paolo Bonzini <pbonzini@redhat.com>
To: qemu-devel@nongnu.org
Cc: Prasad J Pandit <pjp@fedoraproject.org>
Subject: [Qemu-devel] [PULL 25/50] multiboot: validate multiboot header address values
Date: Tue, 19 Sep 2017 14:29:14 +0200	[thread overview]
Message-ID: <1505824179-21541-26-git-send-email-pbonzini@redhat.com> (raw)
In-Reply-To: <1505824179-21541-1-git-send-email-pbonzini@redhat.com>

From: Prasad J Pandit <pjp@fedoraproject.org>

While loading kernel via multiboot-v1 image, (flags & 0x00010000)
indicates that multiboot header contains valid addresses to load
the kernel image. These addresses are used to compute kernel
size and kernel text offset in the OS image. Validate these
address values to avoid an OOB access issue.

This is CVE-2017-14167.

Reported-by: Thomas Garnier <thgarnie@google.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <20170907063256.7418-1-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 hw/i386/multiboot.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c
index 6001f4c..c7b70c9 100644
--- a/hw/i386/multiboot.c
+++ b/hw/i386/multiboot.c
@@ -221,15 +221,34 @@ int load_multiboot(FWCfgState *fw_cfg,
         uint32_t mh_header_addr = ldl_p(header+i+12);
         uint32_t mh_load_end_addr = ldl_p(header+i+20);
         uint32_t mh_bss_end_addr = ldl_p(header+i+24);
+
         mh_load_addr = ldl_p(header+i+16);
+        if (mh_header_addr < mh_load_addr) {
+            fprintf(stderr, "invalid mh_load_addr address\n");
+            exit(1);
+        }
+
         uint32_t mb_kernel_text_offset = i - (mh_header_addr - mh_load_addr);
         uint32_t mb_load_size = 0;
         mh_entry_addr = ldl_p(header+i+28);
 
         if (mh_load_end_addr) {
+            if (mh_bss_end_addr < mh_load_addr) {
+                fprintf(stderr, "invalid mh_bss_end_addr address\n");
+                exit(1);
+            }
             mb_kernel_size = mh_bss_end_addr - mh_load_addr;
+
+            if (mh_load_end_addr < mh_load_addr) {
+                fprintf(stderr, "invalid mh_load_end_addr address\n");
+                exit(1);
+            }
             mb_load_size = mh_load_end_addr - mh_load_addr;
         } else {
+            if (kernel_file_size < mb_kernel_text_offset) {
+                fprintf(stderr, "invalid kernel_file_size\n");
+                exit(1);
+            }
             mb_kernel_size = kernel_file_size - mb_kernel_text_offset;
             mb_load_size = mb_kernel_size;
         }
-- 
1.8.3.1

next prev parent reply	other threads:[~2017-09-19 12:30 UTC|newest]

Thread overview: 59+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-09-19 12:28 [Qemu-devel] [PULL 00/50] Misc patches for 2017-09-19 Paolo Bonzini
2017-09-19 12:28 ` [Qemu-devel] [PULL 01/50] target/i386: fix pmovsx/pmovzx in-place operations Paolo Bonzini
2017-09-19 12:28 ` [Qemu-devel] [PULL 02/50] target/i386: set rip_offset for further SSE instructions Paolo Bonzini
2017-09-19 12:28 ` [Qemu-devel] [PULL 03/50] target/i386: fix packusdw in-place operation Paolo Bonzini
2017-09-19 12:28 ` [Qemu-devel] [PULL 04/50] target/i386: fix pcmpxstrx substring search Paolo Bonzini
2017-09-19 12:28 ` [Qemu-devel] [PULL 05/50] target/i386: fix phminposuw in-place operation Paolo Bonzini
2017-09-19 12:28 ` [Qemu-devel] [PULL 06/50] virtio-scsi: Add virtqueue_size parameter allowing virtqueue size to be set Paolo Bonzini
2017-09-19 12:28 ` [Qemu-devel] [PULL 07/50] scsi-bus: correct responses for INQUIRY and REQUEST SENSE Paolo Bonzini
2017-09-19 12:28 ` [Qemu-devel] [PULL 08/50] scsi: Refactor scsi sense interpreting code Paolo Bonzini
2017-09-19 12:28 ` [Qemu-devel] [PULL 09/50] scsi: Improve scsi_sense_to_errno Paolo Bonzini
2017-09-19 12:28 ` [Qemu-devel] [PULL 10/50] scsi: Introduce scsi_sense_buf_to_errno Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 11/50] scsi-block: Support rerror/werror Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 12/50] scsi: rename scsi_build_sense to scsi_convert_sense Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 13/50] scsi: move non-emulation specific code to scsi/ Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 14/50] scsi: introduce scsi_build_sense Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 15/50] scsi: introduce sg_io_sense_from_errno Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 16/50] scsi: move block/scsi.h to include/scsi/constants.h Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 17/50] MAINTAINERS: update mail address for NVDIMM Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 18/50] i386/kvm: use a switch statement for MSR detection Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 19/50] i386/kvm: set tsc_khz before configuring Hyper-V CPUID Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 20/50] i386/kvm: introduce tsc_is_stable_and_known() Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 21/50] i386/kvm: advertise Hyper-V frequency MSRs Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 22/50] MAINTAINERS: update email, add missing test entry for megasas Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 23/50] memory: Rename queue to mrqueue (memory region queue) Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 24/50] scsi/esp: Rename the ESP macro to ESP_STATE Paolo Bonzini
2017-09-19 12:29 ` Paolo Bonzini [this message]
2017-09-19 12:29 ` [Qemu-devel] [PULL 26/50] kvm: require JOIN_MEMORY_REGIONS_WORKS Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 27/50] kvm: factor out alignment of memory section Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 28/50] kvm: use start + size for memory ranges Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 29/50] kvm: we never have overlapping slots in kvm_set_phys_mem() Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 30/50] kvm: kvm_log_start/stop are only called with known sections Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 31/50] kvm: kvm_log_sync() is only called with known memory sections Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 32/50] test-qga: add missing qemu-ga tool dependency Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 33/50] hw/i386: Improve some of the warning messages Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 34/50] Convert remaining error_report() to warn_report() Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 35/50] Convert single line fprintf(.../n) " Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 36/50] Convert multi-line fprintf() " Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 37/50] General warn report fixups Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 38/50] target/mips: Convert VM clock update prints to warn_report Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 39/50] Makefile: Remove libqemustub.a Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 40/50] Convert remaining single line fprintf() to warn_report() Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 41/50] i386/cpu/hyperv: support over 64 vcpus for windows guests Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 42/50] hyperv: add header with protocol definitions Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 43/50] update-linux-headers: prepare for hyperv.h removal Paolo Bonzini
2017-09-19 12:36   ` Roman Kagan
2017-09-19 12:45     ` Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 44/50] scripts: let checkpatch.pl process an entire GIT branch Paolo Bonzini
2017-10-03 22:07   ` Alex Williamson
2017-10-04  8:33     ` Daniel P. Berrange
2017-10-04 13:17       ` Alex Williamson
2017-10-04 14:11         ` Paolo Bonzini
2017-10-04 14:20           ` Daniel P. Berrange
2017-10-04 16:16           ` Alex Williamson
2017-09-19 12:29 ` [Qemu-devel] [PULL 45/50] target/i386: fix "info mem" for LA57 mode Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 46/50] accel/hax: move hax-stub.c to accel/stubs/ Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 47/50] checkpatch: add hwaddr to @typeList Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 48/50] osdep.h: Prohibit disabling assert() in supported builds Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 49/50] default-configs: Replace $(and ...) with $(call land, ...) Paolo Bonzini
2017-09-19 12:29 ` [Qemu-devel] [PULL 50/50] docker: fix creation of archives Paolo Bonzini

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:6001f4c dfblob:c7b70c9 )
 OR (
bs:"[Qemu-devel] [PULL 25/50] multiboot: validate multiboot header address values" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1505824179-21541-26-git-send-email-pbonzini@redhat.com \
    --to=pbonzini@redhat.com \
    --cc=pjp@fedoraproject.org \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).