From: Anthony PERARD <anthony.perard@citrix.com>
To: qemu-devel@nongnu.org
Cc: xen-devel@lists.xenproject.org,
	Peter Maydell <peter.maydell@linaro.org>,
	Anthony PERARD <anthony.perard@citrix.com>
Subject: [Qemu-devel] [PULL 01/25] hw/xen/xen_pt_graphics: Don't trust the BIOS ROM contents so much
Date: Thu, 10 Jan 2019 13:48:53 +0000
Message-ID: <20190110134917.16425-2-anthony.perard@citrix.com>
In-Reply-To: <20190110134917.16425-1-anthony.perard@citrix.com>

From: Peter Maydell <peter.maydell@linaro.org>

Coverity (CID 796599) points out that xen_pt_setup_vga() trusts
the rom->size field in the BIOS ROM from a PCI passthrough VGA
device, and uses it as an index into the memory which contains
the BIOS image. A corrupt BIOS ROM could therefore cause us to
index off the end of the buffer.

Check that the size is within bounds before we use it.

We are also trusting the pcioffset field, and assuming that
the whole rom_header is present; Coverity doesn't notice these,
but check them too.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
---
 hw/xen/xen_pt_graphics.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/hw/xen/xen_pt_graphics.c b/hw/xen/xen_pt_graphics.c
index 135c8df1e7..60d6b4a556 100644
--- a/hw/xen/xen_pt_graphics.c
+++ b/hw/xen/xen_pt_graphics.c
@@ -185,8 +185,19 @@ void xen_pt_setup_vga(XenPCIPassthroughState *s, XenHostPCIDevice *dev,
         return;
     }
 
+    if (bios_size < sizeof(struct rom_header)) {
+        error_setg(errp, "VGA: VBIOS image corrupt (too small)");
+        return;
+    }
+
     /* Currently we fixed this address as a primary. */
     rom = (struct rom_header *)bios;
+
+    if (rom->pcioffset + sizeof(struct pci_data) > bios_size) {
+        error_setg(errp, "VGA: VBIOS image corrupt (bad pcioffset field)");
+        return;
+    }
+
     pd = (void *)(bios + (unsigned char)rom->pcioffset);
 
     /* We may need to fixup Device Identification. */
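Review bot: the new pcioffset bounds check validates `rom->pcioffset` as read, but the line that follows still computes `pd` from `(unsigned char)rom->pcioffset`, so the value checked and the value used differ whenever pcioffset exceeds 255. The truncated offset can never be larger than the checked one, so the access stays within `bios_size`, but either the cast should be dropped or the check should be applied to the truncated value so the two agree; a short comment on why the cast exists would help either way.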
@@ -194,6 +205,11 @@ void xen_pt_setup_vga(XenPCIPassthroughState *s, XenHostPCIDevice *dev,
         pd->device = s->real_device.device_id;
 
         len = rom->size * 512;
+        if (len > bios_size) {
+            error_setg(errp, "VGA: VBIOS image corrupt (bad size field)");
+            return;
+        }
+
         /* Then adjust the bios checksum */
         for (c = (char *)bios; c < ((char *)bios + len); c++) {
             checksum += *c;
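Review bot: `len = rom->size * 512` with a zero size field yields `len == 0`, which passes the new `len > bios_size` check and leaves the checksum loop covering no bytes; consider rejecting that case in the same condition, e.g. `if (len == 0 || len > bios_size)`. The check also sits after `pd->device` has already been rewritten in the buffer; that is harmless because the function returns on error, but moving the check above the device-ID fixup would keep the buffer untouched when the image is rejected.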
-- 
Anthony PERARD
