Date: Mon, 30 Sep 2013 13:51:36 +0300
From: "Michael S. Tsirkin"
Message-ID: <20130930105136.GE20445@redhat.com>
References: <524953E1.6000105@siemens.com>
In-Reply-To: <524953E1.6000105@siemens.com>
Subject: Re: [Qemu-devel] [PATCH uq/master] kvmvapic: Prevent reading beyond the end of guest RAM
To: Jan Kiszka
Cc: Paolo Bonzini, qemu-devel, Gleb Natapov, kvm

On Mon, Sep 30, 2013 at 12:35:13PM +0200, Jan Kiszka wrote:
> rom_state_paddr is guest provided (caller address of outw(VAPIC_PORT) +
> written 16-bit value) and can be influenced to point beyond the end of
> the host memory backing the guest's RAM. Make sure we do not use this
> pointer to actually read beyond the limits.
>
> Reading arbitrary guest bytes is harmless; the guest kernel has to
> manage access to this I/O port anyway.
>
> Signed-off-by: Jan Kiszka

Acked-by: Michael S. Tsirkin

> ---
> hw/i386/kvmvapic.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
> index 1c2dbf5..2d87600 100644
> --- a/hw/i386/kvmvapic.c
> +++ b/hw/i386/kvmvapic.c
> @@ -596,6 +596,9 @@ static int vapic_map_rom_writable(VAPICROMState *s) > section = memory_region_find(as, 0, 1); > > /* read ROM size from RAM region */ > + if (rom_paddr + 2 >= memory_region_size(section.mr)) { > + return -1; > + } > ram = memory_region_get_ram_ptr(section.mr); > rom_size = ram[rom_paddr + 2] * ROM_BLOCK_SIZE; > if (rom_size == 0) { > -- > 1.8.1.1.298.ge7eed54
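Review bot: the new bound check covers only the single byte this hunk reads at ram[rom_paddr + 2]; rom_size is then derived from that guest-controlled byte and the hunk stops after the rom_size == 0 test, so whatever later reads or maps [rom_paddr, rom_paddr + rom_size) needs its own check against memory_region_size(section.mr), because a guest can place rom_paddr just under the end of RAM with a nonzero size byte and pass this test. The size being compared against comes from memory_region_find(as, 0, 1), i.e. the region at guest physical address 0, so the check is only meaningful when rom_paddr is an offset into that same region; a one-line comment on the new `return -1;` saying that a guest-supplied rom_state_paddr is being rejected would also help, since the function's other -1 return (rom_size == 0) means something different.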
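As an added illustration of the bounds-check pattern the patch applies to a guest-controlled offset into host-backed RAM (this is example code written for this page, not QEMU's hw/i386/kvmvapic.c), the C below models the size-byte read against a constructed guest-RAM buffer. ROM_BLOCK_SIZE, ram_region_t, range_in_region() and read_rom_size() are hypothetical stand-ins for the real QEMU objects. The example goes beyond the patch in two ways: it also checks the ROM body range that the guest-supplied size byte implies, and it writes the check as a subtraction so a rom_paddr near the top of the address space cannot wrap the sum.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical block size for this example; QEMU's real constant lives in
 * hw/i386/kvmvapic.c. */
#define ROM_BLOCK_SIZE 0x1000ULL

/* Stand-in for the guest-RAM MemoryRegion: the host pointer that
 * memory_region_get_ram_ptr() would return plus the value of
 * memory_region_size(). Constructed for this example, not a live guest. */
typedef struct {
    uint8_t *ram;
    uint64_t size;
} ram_region_t;

/* Overflow-safe test that [paddr, paddr + len) lies within `size` bytes.
 * Written as a subtraction: `paddr + len <= size` would pass for a
 * guest-chosen paddr near UINT64_MAX because the sum wraps. */
static bool range_in_region(uint64_t size, uint64_t paddr, uint64_t len)
{
    return len <= size && paddr <= size - len;
}

/* Model of the size read in vapic_map_rom_writable(): rom_paddr is guest
 * controlled, the size byte sits at rom_paddr + 2, and the ROM body is
 * rom_size bytes starting at rom_paddr. Returns 0 and sets *rom_size on
 * success, -1 if the size byte or the claimed body lies outside the
 * buffer or the size byte is zero. */
static int read_rom_size(const ram_region_t *r, uint64_t rom_paddr,
                         uint64_t *rom_size)
{
    /* The patch's check: guard the single byte about to be read. */
    if (!range_in_region(r->size, rom_paddr, 3)) {
        return -1;
    }
    uint64_t sz = (uint64_t)r->ram[rom_paddr + 2] * ROM_BLOCK_SIZE;
    if (sz == 0) {
        return -1;
    }
    /* Beyond the patch: a guest can park rom_paddr just under the end of
     * RAM with a large size byte, so the body it claims needs a check too
     * before anything maps or reads it. */
    if (!range_in_region(r->size, rom_paddr, sz)) {
        return -1;
    }
    *rom_size = sz;
    return 0;
}

/* Constructed 64 KiB guest-RAM image; build_test_ram() plants the size
 * byte at the chosen ROM offset. */
#define RAM_SIZE (16 * ROM_BLOCK_SIZE)
#define ROM_OFF  (4 * ROM_BLOCK_SIZE)
static uint8_t g_ram[RAM_SIZE];

static ram_region_t build_test_ram(uint8_t size_blocks)
{
    memset(g_ram, 0, sizeof g_ram);
    g_ram[ROM_OFF + 2] = size_blocks;
    ram_region_t r = { g_ram, RAM_SIZE };
    return r;
}

int main(void)
{
    uint64_t sz = 0;
    ram_region_t r = build_test_ram(2);

    printf("in range:       %d (rom_size=0x%llx)\n",
           read_rom_size(&r, ROM_OFF, &sz), (unsigned long long)sz);
    printf("past end:       %d\n", read_rom_size(&r, RAM_SIZE, &sz));
    printf("byte at end:    %d\n", read_rom_size(&r, RAM_SIZE - 2, &sz));
    printf("near UINT64_MAX: %d\n", read_rom_size(&r, UINT64_MAX - 1, &sz));
    r = build_test_ram(255);
    printf("body too large: %d\n", read_rom_size(&r, ROM_OFF, &sz));
    return 0;
}
```

The subtraction form matters more for the body check than for the size byte: with 64-bit indices a wrapped `rom_paddr + 2` lands back inside the buffer, but a wrapped `rom_paddr + rom_size` would let a body that extends past the end of RAM pass an additive comparison.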