[Qemu-devel] [PATCH uq/master] kvmvapic: Prevent reading beyond the end of guest RAM

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

* [Qemu-devel] [PATCH uq/master] kvmvapic: Prevent reading beyond the end of guest RAM
@ 2013-09-30 10:35 Jan Kiszka
  2013-09-30 10:51 ` Michael S. Tsirkin
  2013-10-04 10:18 ` Gleb Natapov
  0 siblings, 2 replies; 3+ messages in thread
From: Jan Kiszka @ 2013-09-30 10:35 UTC (permalink / raw)
  To: Gleb Natapov, Paolo Bonzini; +Cc: qemu-devel, kvm, Michael S. Tsirkin

rom_state_paddr is guest provided (caller address of outw(VAPIC_PORT) +
writen 16-bit value) and can be influenced to point beyond the end of
the host memory backing the guest's RAM. Make sure we do not use this
pointer to actually read beyond the limits.

Reading arbitrary guest bytes is harmless, the guest kernel has to
manage access to this I/O port anyway.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 hw/i386/kvmvapic.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
index 1c2dbf5..2d87600 100644
--- a/hw/i386/kvmvapic.c
+++ b/hw/i386/kvmvapic.c
@@ -596,6 +596,9 @@ static int vapic_map_rom_writable(VAPICROMState *s)
     section = memory_region_find(as, 0, 1);
 
     /* read ROM size from RAM region */
+    if (rom_paddr + 2 >= memory_region_size(section.mr)) {
+        return -1;
+    }
     ram = memory_region_get_ram_ptr(section.mr);
     rom_size = ram[rom_paddr + 2] * ROM_BLOCK_SIZE;
     if (rom_size == 0) {
-- 
1.8.1.1.298.ge7eed54

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [Qemu-devel] [PATCH uq/master] kvmvapic: Prevent reading beyond the end of guest RAM
  2013-09-30 10:35 [Qemu-devel] [PATCH uq/master] kvmvapic: Prevent reading beyond the end of guest RAM Jan Kiszka
@ 2013-09-30 10:51 ` Michael S. Tsirkin
  2013-10-04 10:18 ` Gleb Natapov
  1 sibling, 0 replies; 3+ messages in thread
From: Michael S. Tsirkin @ 2013-09-30 10:51 UTC (permalink / raw)
  To: Jan Kiszka; +Cc: Paolo Bonzini, qemu-devel, Gleb Natapov, kvm

On Mon, Sep 30, 2013 at 12:35:13PM +0200, Jan Kiszka wrote:
> rom_state_paddr is guest provided (caller address of outw(VAPIC_PORT) +
> writen 16-bit value) and can be influenced to point beyond the end of
> the host memory backing the guest's RAM. Make sure we do not use this
> pointer to actually read beyond the limits.
> 
> Reading arbitrary guest bytes is harmless, the guest kernel has to
> manage access to this I/O port anyway.
> 
> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>

Acked-by: Michael S. Tsirkin <mst@redhat.com>

> ---
>  hw/i386/kvmvapic.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
> index 1c2dbf5..2d87600 100644
> --- a/hw/i386/kvmvapic.c
> +++ b/hw/i386/kvmvapic.c
> @@ -596,6 +596,9 @@ static int vapic_map_rom_writable(VAPICROMState *s)
>      section = memory_region_find(as, 0, 1);
>  
>      /* read ROM size from RAM region */
> +    if (rom_paddr + 2 >= memory_region_size(section.mr)) {
> +        return -1;
> +    }
>      ram = memory_region_get_ram_ptr(section.mr);
>      rom_size = ram[rom_paddr + 2] * ROM_BLOCK_SIZE;
>      if (rom_size == 0) {
> -- 
> 1.8.1.1.298.ge7eed54

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [Qemu-devel] [PATCH uq/master] kvmvapic: Prevent reading beyond the end of guest RAM
  2013-09-30 10:35 [Qemu-devel] [PATCH uq/master] kvmvapic: Prevent reading beyond the end of guest RAM Jan Kiszka
  2013-09-30 10:51 ` Michael S. Tsirkin
@ 2013-10-04 10:18 ` Gleb Natapov
  1 sibling, 0 replies; 3+ messages in thread
From: Gleb Natapov @ 2013-10-04 10:18 UTC (permalink / raw)
  To: Jan Kiszka; +Cc: Paolo Bonzini, qemu-devel, kvm, Michael S. Tsirkin

On Mon, Sep 30, 2013 at 12:35:13PM +0200, Jan Kiszka wrote:
> rom_state_paddr is guest provided (caller address of outw(VAPIC_PORT) +
> writen 16-bit value) and can be influenced to point beyond the end of
> the host memory backing the guest's RAM. Make sure we do not use this
> pointer to actually read beyond the limits.
> 
> Reading arbitrary guest bytes is harmless, the guest kernel has to
> manage access to this I/O port anyway.
> 
> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Applied, thanks.

> ---
>  hw/i386/kvmvapic.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
> index 1c2dbf5..2d87600 100644
> --- a/hw/i386/kvmvapic.c
> +++ b/hw/i386/kvmvapic.c
> @@ -596,6 +596,9 @@ static int vapic_map_rom_writable(VAPICROMState *s)
>      section = memory_region_find(as, 0, 1);
>  
>      /* read ROM size from RAM region */
> +    if (rom_paddr + 2 >= memory_region_size(section.mr)) {
> +        return -1;
> +    }
>      ram = memory_region_get_ram_ptr(section.mr);
>      rom_size = ram[rom_paddr + 2] * ROM_BLOCK_SIZE;
>      if (rom_size == 0) {
> -- 
> 1.8.1.1.298.ge7eed54

--
			Gleb.

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2013-10-04 10:18 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-09-30 10:35 [Qemu-devel] [PATCH uq/master] kvmvapic: Prevent reading beyond the end of guest RAM Jan Kiszka
2013-09-30 10:51 ` Michael S. Tsirkin
2013-10-04 10:18 ` Gleb Natapov

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).