From: Stefan Hajnoczi <stefanha@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Stefan Hajnoczi" <stefanha@redhat.com>,
"Alex Williamson" <alex.williamson@redhat.com>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Peter Maydell" <peter.maydell@linaro.org>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Daniel P. Berrangé" <berrange@redhat.com>,
"Eric Blake" <eblake@redhat.com>
Subject: [Qemu-devel] [PULL 1/6] display: ensure qxl log_buf is a nul terminated string
Date: Wed, 30 Jan 2019 11:18:12 +0800 [thread overview]
Message-ID: <20190130031817.27780-2-stefanha@redhat.com> (raw)
In-Reply-To: <20190130031817.27780-1-stefanha@redhat.com>
From: Daniel P. Berrangé <berrange@redhat.com>
The QXL_IO_LOG command allows the guest to send log messages to the host
via a buffer in the QXLRam struct. QEMU prints these to the console if
the qxl 'guestdebug' option is set to non-zero. It will also feed them
to the trace subsystem if any backends are built-in.
In both cases the log_buf data will get treated as being as a nul
terminated string, by the printf '%s' format specifier and / or other
code reading the buffer.
QEMU does nothing to guarantee that the log_buf really is nul terminated,
so there is potential for out of bounds array access.
This would affect any QEMU which has the log, syslog or ftrace trace
backends built into QEMU. It can only be triggered if the 'qxl_io_log'
trace event is enabled, however, so they are not vulnerable without
specific administrative action to enable this.
It would also affect QEMU if the 'guestdebug' parameter is set to a
non-zero value, which again is not the default and requires explicit
admin opt-in.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-id: 20190123120016.4538-2-berrange@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
hw/display/qxl.c | 14 ++++++++++----
hw/display/trace-events | 2 +-
2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/hw/display/qxl.c b/hw/display/qxl.c
index 8e9a65e75b..da8fd5a40a 100644
--- a/hw/display/qxl.c
+++ b/hw/display/qxl.c
@@ -1763,10 +1763,16 @@ async_common:
qxl_set_mode(d, val, 0);
break;
case QXL_IO_LOG:
- trace_qxl_io_log(d->id, d->ram->log_buf);
- if (d->guestdebug) {
- fprintf(stderr, "qxl/guest-%d: %" PRId64 ": %s", d->id,
- qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL), d->ram->log_buf);
+ if (TRACE_QXL_IO_LOG_ENABLED || d->guestdebug) {
+ /* We cannot trust the guest to NUL terminate d->ram->log_buf */
+ char *log_buf = g_strndup((const char *)d->ram->log_buf,
+ sizeof(d->ram->log_buf));
+ trace_qxl_io_log(d->id, log_buf);
+ if (d->guestdebug) {
+ fprintf(stderr, "qxl/guest-%d: %" PRId64 ": %s", d->id,
+ qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL), log_buf);
+ }
+ g_free(log_buf);
}
break;
case QXL_IO_RESET:
diff --git a/hw/display/trace-events b/hw/display/trace-events
index 5a48c6cb6a..387c6b8931 100644
--- a/hw/display/trace-events
+++ b/hw/display/trace-events
@@ -72,7 +72,7 @@ qxl_interface_update_area_complete_rest(int qid, uint32_t num_updated_rects) "%d
qxl_interface_update_area_complete_overflow(int qid, int max) "%d max=%d"
qxl_interface_update_area_complete_schedule_bh(int qid, uint32_t num_dirty) "%d #dirty=%d"
qxl_io_destroy_primary_ignored(int qid, const char *mode) "%d %s"
-qxl_io_log(int qid, const uint8_t *log_buf) "%d %s"
+qxl_io_log(int qid, const char *log_buf) "%d %s"
qxl_io_read_unexpected(int qid) "%d"
qxl_io_unexpected_vga_mode(int qid, uint64_t addr, uint64_t val, const char *desc) "%d 0x%"PRIx64"=%"PRIu64" (%s)"
qxl_io_write(int qid, const char *mode, uint64_t addr, const char *aname, uint64_t val, unsigned size, int async) "%d %s addr=%"PRIu64 " (%s) val=%"PRIu64" size=%u async=%d"
--
2.20.1
next prev parent reply other threads:[~2019-01-30 3:18 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-30 3:18 [Qemu-devel] [PULL 0/6] Tracing patches Stefan Hajnoczi
2019-01-30 3:18 ` Stefan Hajnoczi [this message]
2019-01-30 3:18 ` [Qemu-devel] [PULL 2/6] trace: enforce that every trace-events file has a final newline Stefan Hajnoczi
2019-01-30 3:18 ` [Qemu-devel] [PULL 3/6] trace: forbid use of %m in trace event format strings Stefan Hajnoczi
2019-01-30 3:18 ` [Qemu-devel] [PULL 4/6] trace: add ability to do simple printf logging via systemtap Stefan Hajnoczi
2019-01-30 3:18 ` [Qemu-devel] [PULL 5/6] trace: improve runstate tracing Stefan Hajnoczi
2019-01-30 3:18 ` [Qemu-devel] [PULL 6/6] trace: rerun tracetool after ./configure changes Stefan Hajnoczi
2019-01-31 12:52 ` [Qemu-devel] [PULL 0/6] Tracing patches Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190130031817.27780-2-stefanha@redhat.com \
--to=stefanha@redhat.com \
--cc=alex.williamson@redhat.com \
--cc=berrange@redhat.com \
--cc=eblake@redhat.com \
--cc=kraxel@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).