From: "Michael S. Tsirkin" <mst@redhat.com>
To: P J P <ppandit@redhat.com>
Cc: "Daniel P . Berrangé" <berrange@redhat.com>,
"Prasad J Pandit" <pjp@fedoraproject.org>,
"Yi Ren" <c4tren@gmail.com>,
"QEMU Developers" <qemu-devel@nongnu.org>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Ren Ding" <rding@gatech.edu>,
pbonzini@redhat.com, "Philippe Mathieu-Daudé" <philmd@redhat.com>,
"Hanqing Zhao" <hanqing@gatech.edu>
Subject: Re: [PATCH v3] ati-vga: check address before reading configuration bytes (CVE-2020-13791)
Date: Thu, 4 Jun 2020 07:49:54 -0400 [thread overview]
Message-ID: <20200604074539-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <20200604105524.46158-1-ppandit@redhat.com>
On Thu, Jun 04, 2020 at 04:25:24PM +0530, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> While reading PCI configuration bytes, a guest may send an
> address towards the end of the configuration space. It may lead
> to an OOB access issue. Add check to ensure 'address + size' is
> within PCI configuration space.
>
> Reported-by: Ren Ding <rding@gatech.edu>
> Reported-by: Hanqing Zhao <hanqing@gatech.edu>
> Reported-by: Yi Ren <c4tren@gmail.com>
> Suggested-by: BALATON Zoltan <balaton@eik.bme.hu>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
BTW, this only happens on unaligned accesses.
And the IO memory region in question does not set valid.unaligned
or .impl.unaligned.
And the documentation says:
- .valid.unaligned specifies that the *device being modelled* supports
unaligned accesses; if false, unaligned accesses will invoke the
appropriate bus or CPU specific behaviour.
and
- .impl.unaligned specifies that the *implementation* supports unaligned
accesses; if false, unaligned accesses will be emulated by two aligned
accesses.
Is this then another case of a memory core bug which should have either
failed the access or split it?
> ---
> hw/display/ati.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> Update v3: avoid modifying 'addr' variable
> -> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00834.html
>
> diff --git a/hw/display/ati.c b/hw/display/ati.c
> index 67604e68de..b4d0fd88b7 100644
> --- a/hw/display/ati.c
> +++ b/hw/display/ati.c
> @@ -387,7 +387,9 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
> val = s->regs.crtc_pitch;
> break;
> case 0xf00 ... 0xfff:
> - val = pci_default_read_config(&s->dev, addr - 0xf00, size);
> + if ((addr - 0xf00) + size <= pci_config_size(&s->dev)) {
> + val = pci_default_read_config(&s->dev, addr - 0xf00, size);
> + }
> break;
> case CUR_OFFSET:
> val = s->regs.cur_offset;
> --
> 2.26.2
next prev parent reply other threads:[~2020-06-04 11:51 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-04 10:55 [PATCH v3] ati-vga: check address before reading configuration bytes (CVE-2020-13791) P J P
2020-06-04 11:49 ` Michael S. Tsirkin [this message]
2020-06-04 11:56 ` Philippe Mathieu-Daudé
2020-06-04 12:00 ` Michael S. Tsirkin
2020-07-02 7:54 ` Michael Tokarev
2020-07-02 9:36 ` Paolo Bonzini
2020-06-04 12:01 ` Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200604074539-mutt-send-email-mst@kernel.org \
--to=mst@redhat.com \
--cc=berrange@redhat.com \
--cc=c4tren@gmail.com \
--cc=hanqing@gatech.edu \
--cc=kraxel@redhat.com \
--cc=pbonzini@redhat.com \
--cc=philmd@redhat.com \
--cc=pjp@fedoraproject.org \
--cc=ppandit@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=rding@gatech.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).