Re: [PATCH v3] ati-vga: check address before reading configuration bytes (CVE-2020-13791)

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: "Michael S. Tsirkin" <mst@redhat.com>
To: "Philippe Mathieu-Daudé" <philmd@redhat.com>
Cc: "Daniel P. Berrangé" <berrange@redhat.com>,
	"Prasad J Pandit" <pjp@fedoraproject.org>,
	"Yi Ren" <c4tren@gmail.com>,
	"QEMU Developers" <qemu-devel@nongnu.org>,
	"Gerd Hoffmann" <kraxel@redhat.com>,
	"Ren Ding" <rding@gatech.edu>,
	pbonzini@redhat.com, "P J P" <ppandit@redhat.com>,
	"Hanqing Zhao" <hanqing@gatech.edu>
Subject: Re: [PATCH v3] ati-vga: check address before reading configuration bytes (CVE-2020-13791)
Date: Thu, 4 Jun 2020 08:00:50 -0400	[thread overview]
Message-ID: <20200604075931-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <88d6e41e-c486-4a35-af43-84018491071f@redhat.com>

On Thu, Jun 04, 2020 at 01:56:45PM +0200, Philippe Mathieu-DaudÃ© wrote:
> On 6/4/20 1:49 PM, Michael S. Tsirkin wrote:
> > On Thu, Jun 04, 2020 at 04:25:24PM +0530, P J P wrote:
> >> From: Prasad J Pandit <pjp@fedoraproject.org>
> >>
> >> While reading PCI configuration bytes, a guest may send an
> >> address towards the end of the configuration space. It may lead
> >> to an OOB access issue. Add check to ensure 'address + size' is
> >> within PCI configuration space.
> >>
> >> Reported-by: Ren Ding <rding@gatech.edu>
> >> Reported-by: Hanqing Zhao <hanqing@gatech.edu>
> >> Reported-by: Yi Ren <c4tren@gmail.com>
> >> Suggested-by: BALATON Zoltan <balaton@eik.bme.hu>
> >> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> > 
> > BTW, this only happens on unaligned accesses.
> > And the IO memory region in question does not set valid.unaligned
> > or .impl.unaligned.
> > 
> > And the documentation says:
> > 
> > - .valid.unaligned specifies that the *device being modelled* supports
> >   unaligned accesses; if false, unaligned accesses will invoke the
> >   appropriate bus or CPU specific behaviour.
> > 
> > and
> > 
> > - .impl.unaligned specifies that the *implementation* supports unaligned
> >   accesses; if false, unaligned accesses will be emulated by two aligned
> >   accesses.
> > 
> > Is this then another case of a memory core bug which should have either
> > failed the access or split it?
> 
> Related:
> https://www.mail-archive.com/qemu-devel@nongnu.org/msg695362.html
> earlier comment:
> https://www.mail-archive.com/qemu-devel@nongnu.org/msg694805.html

Yea looks like more devices following documentation and memory core
doing something else instead.

> > 
> >> ---
> >>  hw/display/ati.c | 4 +++-
> >>  1 file changed, 3 insertions(+), 1 deletion(-)
> >>
> >> Update v3: avoid modifying 'addr' variable
> >>   -> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00834.html
> >>
> >> diff --git a/hw/display/ati.c b/hw/display/ati.c
> >> index 67604e68de..b4d0fd88b7 100644
> >> --- a/hw/display/ati.c
> >> +++ b/hw/display/ati.c
> >> @@ -387,7 +387,9 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
> >>          val = s->regs.crtc_pitch;
> >>          break;
> >>      case 0xf00 ... 0xfff:
> >> -        val = pci_default_read_config(&s->dev, addr - 0xf00, size);
> >> +        if ((addr - 0xf00) + size <= pci_config_size(&s->dev)) {
> >> +            val = pci_default_read_config(&s->dev, addr - 0xf00, size);
> >> +        }
> >>          break;
> >>      case CUR_OFFSET:
> >>          val = s->regs.cur_offset;
> >> -- 
> >> 2.26.2
> >

next prev parent reply	other threads:[~2020-06-04 12:02 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-06-04 10:55 [PATCH v3] ati-vga: check address before reading configuration bytes (CVE-2020-13791) P J P
2020-06-04 11:49 ` Michael S. Tsirkin
2020-06-04 11:56   ` Philippe Mathieu-Daudé
2020-06-04 12:00     ` Michael S. Tsirkin [this message]
2020-07-02  7:54       ` Michael Tokarev
2020-07-02  9:36         ` Paolo Bonzini
2020-06-04 12:01   ` Paolo Bonzini

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200604075931-mutt-send-email-mst@kernel.org \
    --to=mst@redhat.com \
    --cc=berrange@redhat.com \
    --cc=c4tren@gmail.com \
    --cc=hanqing@gatech.edu \
    --cc=kraxel@redhat.com \
    --cc=pbonzini@redhat.com \
    --cc=philmd@redhat.com \
    --cc=pjp@fedoraproject.org \
    --cc=ppandit@redhat.com \
    --cc=qemu-devel@nongnu.org \
    --cc=rding@gatech.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).