From: "Daniel P. Berrangé" <berrange@redhat.com>
To: P J P <ppandit@redhat.com>
Cc: Prasad J Pandit <pjp@fedoraproject.org>,
"Michael S . Tsirkin" <mst@redhat.com>, Yi Ren <c4tren@gmail.com>,
QEMU Developers <qemu-devel@nongnu.org>,
Ren Ding <rding@gatech.edu>, Hanqing Zhao <hanqing@gatech.edu>
Subject: Re: [PATCH] pci: check address before reading configuration bytes
Date: Wed, 3 Jun 2020 13:51:58 +0100 [thread overview]
Message-ID: <20200603125158.GG2892653@redhat.com> (raw)
In-Reply-To: <20200603124041.1137464-1-ppandit@redhat.com>
On Wed, Jun 03, 2020 at 06:10:41PM +0530, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> While reading PCI configuration bytes, a guest may send an
> address towards the end of the configuration space. It may lead
> to an OOB access issue. Add check to ensure 'address + len' is
> within PCI configuration space.
A malicious guest triggering an OOB access in the host QEMU
sounds like a significant security flaw. Do we have a CVE
assigned for this ?
>
> Reported-by: Ren Ding <rding@gatech.edu>
> Reported-by: Hanqing Zhao <hanqing@gatech.edu>
> Reported-by: Yi Ren <c4tren@gmail.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> hw/pci/pci.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/hw/pci/pci.c b/hw/pci/pci.c
> index 70c66965f5..4429fa9401 100644
> --- a/hw/pci/pci.c
> +++ b/hw/pci/pci.c
> @@ -1385,7 +1385,9 @@ uint32_t pci_default_read_config(PCIDevice *d,
> ranges_overlap(address, len, d->exp.exp_cap + PCI_EXP_LNKSTA, 2)) {
> pcie_sync_bridge_lnk(d);
> }
> - memcpy(&val, d->config + address, len);
> + if (address + len <= pci_config_size(d)) {
> + memcpy(&val, d->config + address, len);
> + }
> return le32_to_cpu(val);
> }
>
> --
> 2.26.2
>
>
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2020-06-03 12:52 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-03 12:40 [PATCH] pci: check address before reading configuration bytes P J P
2020-06-03 12:51 ` Daniel P. Berrangé [this message]
2020-06-03 12:52 ` Philippe Mathieu-Daudé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200603125158.GG2892653@redhat.com \
--to=berrange@redhat.com \
--cc=c4tren@gmail.com \
--cc=hanqing@gatech.edu \
--cc=mst@redhat.com \
--cc=pjp@fedoraproject.org \
--cc=ppandit@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=rding@gatech.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).