* [PATCH v2] ati-vga: check mm_index before recursive call
@ 2020-06-03 18:55 P J P
2020-06-03 19:21 ` Philippe Mathieu-Daudé
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: P J P @ 2020-06-03 18:55 UTC (permalink / raw)
To: Gerd Hoffmann
Cc: Prasad J Pandit, Yi Ren, QEMU Developers, Ren Ding, Hanqing Zhao
From: Prasad J Pandit <pjp@fedoraproject.org>
While accessing VGA registers via ati_mm_read/write routines,
a guest may set 's->regs.mm_index' such that it leads to infinite
recursion. Check mm_index value to avoid it.
Reported-by: Ren Ding <rding@gatech.edu>
Reported-by: Hanqing Zhao <hanqing@gatech.edu>
Reported-by: Yi Ren <c4tren@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
hw/display/ati.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Update v2: add check before recursive call
-> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00781.html
diff --git a/hw/display/ati.c b/hw/display/ati.c
index 065f197678..bda4a2d816 100644
--- a/hw/display/ati.c
+++ b/hw/display/ati.c
@@ -285,7 +285,7 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
if (idx <= s->vga.vram_size - size) {
val = ldn_le_p(s->vga.vram_ptr + idx, size);
}
- } else {
+ } else if (s->regs.mm_index > MM_DATA + 3) {
val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);
}
break;
@@ -520,7 +520,7 @@ static void ati_mm_write(void *opaque, hwaddr addr,
if (idx <= s->vga.vram_size - size) {
stn_le_p(s->vga.vram_ptr + idx, size, data);
}
- } else {
+ } else if (s->regs.mm_index > MM_DATA + 3) {
ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
}
break;
--
2.26.2
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH v2] ati-vga: check mm_index before recursive call
2020-06-03 18:55 [PATCH v2] ati-vga: check mm_index before recursive call P J P
@ 2020-06-03 19:21 ` Philippe Mathieu-Daudé
2020-06-03 21:49 ` BALATON Zoltan
2020-06-04 8:45 ` Daniel P. Berrangé
2 siblings, 0 replies; 5+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-06-03 19:21 UTC (permalink / raw)
To: P J P, Gerd Hoffmann
Cc: Ren Ding, Yi Ren, Prasad J Pandit, Hanqing Zhao, QEMU Developers
On 6/3/20 8:55 PM, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> While accessing VGA registers via ati_mm_read/write routines,
> a guest may set 's->regs.mm_index' such that it leads to infinite
> recursion. Check mm_index value to avoid it.
>
> Reported-by: Ren Ding <rding@gatech.edu>
> Reported-by: Hanqing Zhao <hanqing@gatech.edu>
> Reported-by: Yi Ren <c4tren@gmail.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> hw/display/ati.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> Update v2: add check before recursive call
> -> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00781.html
>
> diff --git a/hw/display/ati.c b/hw/display/ati.c
> index 065f197678..bda4a2d816 100644
> --- a/hw/display/ati.c
> +++ b/hw/display/ati.c
> @@ -285,7 +285,7 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
> if (idx <= s->vga.vram_size - size) {
> val = ldn_le_p(s->vga.vram_ptr + idx, size);
> }
> - } else {
> + } else if (s->regs.mm_index > MM_DATA + 3) {
> val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);
We usually log unexpected guest accesses with:
} else {
qemu_log_mask(LOG_GUEST_ERROR, ...
> }
> break;
> @@ -520,7 +520,7 @@ static void ati_mm_write(void *opaque, hwaddr addr,
> if (idx <= s->vga.vram_size - size) {
> stn_le_p(s->vga.vram_ptr + idx, size, data);
> }
> - } else {
> + } else if (s->regs.mm_index > MM_DATA + 3) {
> ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
Ditto:
} else {
qemu_log_mask(LOG_GUEST_ERROR, ...
> }
> break;
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2] ati-vga: check mm_index before recursive call
2020-06-03 18:55 [PATCH v2] ati-vga: check mm_index before recursive call P J P
2020-06-03 19:21 ` Philippe Mathieu-Daudé
@ 2020-06-03 21:49 ` BALATON Zoltan
2020-06-04 8:45 ` Daniel P. Berrangé
2 siblings, 0 replies; 5+ messages in thread
From: BALATON Zoltan @ 2020-06-03 21:49 UTC (permalink / raw)
To: P J P
Cc: Prasad J Pandit, Yi Ren, QEMU Developers, Gerd Hoffmann, Ren Ding,
Hanqing Zhao
On Thu, 4 Jun 2020, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> While accessing VGA registers via ati_mm_read/write routines,
> a guest may set 's->regs.mm_index' such that it leads to infinite
> recursion. Check mm_index value to avoid it.
>
> Reported-by: Ren Ding <rding@gatech.edu>
> Reported-by: Hanqing Zhao <hanqing@gatech.edu>
> Reported-by: Yi Ren <c4tren@gmail.com>
Suggested-by: BALATON Zoltan <balaton@eik.bme.hu>
therefore I think this should work but someone else should give
Reviewed-by to cross check this.
Regards,
BALATON Zoltan
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> hw/display/ati.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> Update v2: add check before recursive call
> -> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00781.html
>
> diff --git a/hw/display/ati.c b/hw/display/ati.c
> index 065f197678..bda4a2d816 100644
> --- a/hw/display/ati.c
> +++ b/hw/display/ati.c
> @@ -285,7 +285,7 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
> if (idx <= s->vga.vram_size - size) {
> val = ldn_le_p(s->vga.vram_ptr + idx, size);
> }
> - } else {
> + } else if (s->regs.mm_index > MM_DATA + 3) {
> val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);
> }
> break;
> @@ -520,7 +520,7 @@ static void ati_mm_write(void *opaque, hwaddr addr,
> if (idx <= s->vga.vram_size - size) {
> stn_le_p(s->vga.vram_ptr + idx, size, data);
> }
> - } else {
> + } else if (s->regs.mm_index > MM_DATA + 3) {
> ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
> }
> break;
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2] ati-vga: check mm_index before recursive call
2020-06-03 18:55 [PATCH v2] ati-vga: check mm_index before recursive call P J P
2020-06-03 19:21 ` Philippe Mathieu-Daudé
2020-06-03 21:49 ` BALATON Zoltan
@ 2020-06-04 8:45 ` Daniel P. Berrangé
2020-06-04 9:14 ` P J P
2 siblings, 1 reply; 5+ messages in thread
From: Daniel P. Berrangé @ 2020-06-04 8:45 UTC (permalink / raw)
To: P J P
Cc: Prasad J Pandit, Yi Ren, QEMU Developers, Gerd Hoffmann, Ren Ding,
Hanqing Zhao
On Thu, Jun 04, 2020 at 12:25:22AM +0530, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> While accessing VGA registers via ati_mm_read/write routines,
> a guest may set 's->regs.mm_index' such that it leads to infinite
> recursion. Check mm_index value to avoid it.
So this is a denial of service security issue. Is there any CVE
assigned for this ?
> Reported-by: Ren Ding <rding@gatech.edu>
> Reported-by: Hanqing Zhao <hanqing@gatech.edu>
> Reported-by: Yi Ren <c4tren@gmail.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> hw/display/ati.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> Update v2: add check before recursive call
> -> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00781.html
>
> diff --git a/hw/display/ati.c b/hw/display/ati.c
> index 065f197678..bda4a2d816 100644
> --- a/hw/display/ati.c
> +++ b/hw/display/ati.c
> @@ -285,7 +285,7 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
> if (idx <= s->vga.vram_size - size) {
> val = ldn_le_p(s->vga.vram_ptr + idx, size);
> }
> - } else {
> + } else if (s->regs.mm_index > MM_DATA + 3) {
> val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);
> }
> break;
> @@ -520,7 +520,7 @@ static void ati_mm_write(void *opaque, hwaddr addr,
> if (idx <= s->vga.vram_size - size) {
> stn_le_p(s->vga.vram_ptr + idx, size, data);
> }
> - } else {
> + } else if (s->regs.mm_index > MM_DATA + 3) {
> ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
> }
> break;
> --
> 2.26.2
>
>
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2] ati-vga: check mm_index before recursive call
2020-06-04 8:45 ` Daniel P. Berrangé
@ 2020-06-04 9:14 ` P J P
0 siblings, 0 replies; 5+ messages in thread
From: P J P @ 2020-06-04 9:14 UTC (permalink / raw)
To: Daniel P. Berrangé
Cc: Yi Ren, QEMU Developers, Gerd Hoffmann, Ren Ding,
Philippe Mathieu Daude, Hanqing Zhao
[-- Attachment #1: Type: text/plain, Size: 1166 bytes --]
+-- On Wed, 3 Jun 2020, Philippe Mathieu-Daudé wrote --+
| > - } else {
| > + } else if (s->regs.mm_index > MM_DATA + 3) {
| > val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);
|
| We usually log unexpected guest accesses with:
|
| } else {
| qemu_log_mask(LOG_GUEST_ERROR, ...
|
| > - } else {
| > + } else if (s->regs.mm_index > MM_DATA + 3) {
| > ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
|
| Ditto:
|
| } else {
| qemu_log_mask(LOG_GUEST_ERROR, ...
+-- On Thu, 4 Jun 2020, Daniel P. Berrangé wrote --+
| On Thu, Jun 04, 2020 at 12:25:22AM +0530, P J P wrote:
| > While accessing VGA registers via ati_mm_read/write routines,
| > a guest may set 's->regs.mm_index' such that it leads to infinite
| > recursion. Check mm_index value to avoid it.
|
| So this is a denial of service security issue. Is there any CVE
| assigned for this ?
Yes, just sent a revised patch v3 with above changes and CVE-ID.
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-06-04 9:14 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-06-03 18:55 [PATCH v2] ati-vga: check mm_index before recursive call P J P
2020-06-03 19:21 ` Philippe Mathieu-Daudé
2020-06-03 21:49 ` BALATON Zoltan
2020-06-04 8:45 ` Daniel P. Berrangé
2020-06-04 9:14 ` P J P
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).