Re: [PATCH v2 2/2] pci: ensure configuration access is within bounds

["Michael S. Tsirkin" <mst@redhat.com>]

On Thu, Jun 04, 2020 at 02:14:46PM +0200, BALATON Zoltan wrote:
> On Thu, 4 Jun 2020, Michael S. Tsirkin wrote:
> > On Thu, Jun 04, 2020 at 01:49:53PM +0200, BALATON Zoltan wrote:
> > > On Thu, 4 Jun 2020, Michael S. Tsirkin wrote:
> > > > On Thu, Jun 04, 2020 at 01:37:13PM +0200, BALATON Zoltan wrote:
> > > > > On Thu, 4 Jun 2020, Michael S. Tsirkin wrote:
> > > > > > On Thu, Jun 04, 2020 at 08:07:52AM +0200, Philippe Mathieu-Daudé wrote:
> > > > > > > On 6/4/20 12:13 AM, BALATON Zoltan wrote:
> > > > > > > > On Thu, 4 Jun 2020, P J P wrote:
> > > > > > > > > From: Prasad J Pandit <pjp@fedoraproject.org>
> > > > > > > > > 
> > > > > > > > > While reading PCI configuration bytes, a guest may send an
> > > > > > > > > address towards the end of the configuration space. It may lead
> > > > > > > > > to an OOB access issue. Assert that 'address + len' is within
> > > > > > > > > PCI configuration space.
> > > > > > > > > 
> > > > > > > > > Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
> > > > > > > > > Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> > > > > > > > > ---
> > > > > > > > > hw/pci/pci.c | 2 ++
> > > > > > > > > 1 file changed, 2 insertions(+)
> > > > > > > > > 
> > > > > > > > > Update v2: assert PCI configuration access is within bounds
> > > > > > > > >  -> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00711.html
> > > > > > > > > 
> > > > > > > > > diff --git a/hw/pci/pci.c b/hw/pci/pci.c
> > > > > > > > > index 70c66965f5..173bec4fd5 100644
> > > > > > > > > --- a/hw/pci/pci.c
> > > > > > > > > +++ b/hw/pci/pci.c
> > > > > > > > > @@ -1381,6 +1381,8 @@ uint32_t pci_default_read_config(PCIDevice *d,
> > > > > > > > > {
> > > > > > > > >     uint32_t val = 0;
> > > > > > > > > 
> > > > > > > > > +    assert(address + len <= pci_config_size(d));
> > > > > > > > 
> > > > > > > > Does this allow guest now to crash QEMU? I think it was suggested that
> > > > > > > > assert should only be used for cases that can only arise from a
> > > > > > > > programming error and not from values set by the guest. If this is
> > > > > > > > considered to be an error now to call this function with wrong
> > > > > > > > parameters did you check other callers? I've found a few such as:
> > > > > > > > 
> > > > > > > > hw/scsi/esp-pci.c
> > > > > > > > hw/watchdog/wdt_i6300esb.c
> > > > > > > > hw/ide/cmd646.c
> > > > > > > > hw/vfio/pci.c
> > > > > > > > 
> > > > > > > > and maybe others. Would it be better to not crash just log invalid
> > > > > > > > access and either fix up parameters or return some garbage like 0?
> > > > > > > 
> > > > > > > Yes, maybe I was not clear while reviewing v1, we need to audit the
> > > > > > > callers and fix them first, then we can safely add the assert here.
> > > > > > 
> > > > > > We can add assert here regardless of auditing callers. Doing that
> > > > > > will also make fuzzying easier. But the assert is unrelated to CVE imho.
> > > > > 
> > > > > I wonder why isn't the check added to pci_default_read_config() right away?
> > > > > If we have an assert there the overhead is the same and adding the check
> > > > > there would make it unnecessary to patch all callers so it's just one patch
> > > > > instead of a whole series.
> > > > > 
> > > > > Regards,
> > > > > BALATON Zoltan
> > > > 
> > > > We need to return something, and we can't be sure that callers will
> > > > handle returning random stuff correctly. Callers know what
> > > > to do on errors, we don't.
> > > 
> > > This is an invalid case where behaviour will be undefined anyway so
> > > returning anything such as 0 or -1 is probably OK (what do most hardware
> > > return in this case?).
> > 
> > This is an internal detail of the API. It's not about what hardware
> > returns.  Look at the ati as an example.
> 
> Considering that this function implements reading PCI config space its API
> should aligh with what happens on hardware normally. You could make it
> unrelated but that does not make much sense other than causing trouble for
> callers.

What happens on hardware is that there's no way to send to
device a transaction that is out of range: on pci
offset is 8 bit so <= 0xff, and on express 12 bit so <= 4K.

So this handles something that never happens on real hardware
and it happens because of a bug elsewhere in QEMU.
assert seems appropriate.


> > > If callers need better error handling they can do a
> > > check before calling the function but for other (most) callers which will
> > > just return the same random value you would return from
> > > pci_default_read_config() having an assert instead makes it necessary to
> > > modify all of them one by one and doubles the check overhead by
> > > unnecessarily double checking. So I think having a default check and error
> > > handling in pci_default_read_config() would be better so callers who don't
> > > care would work and those few who might care could check before calling or
> > > actually implement their own callback (which I expect they already do as
> > > this is just the default implementation of this callback).
> > 
> > 
> > Basically if you look at the specific example, you will see that it
> > triggers because of a misaligned access which device code never
> > expected. Which memory core should not allow at all.
> > It will likely trigger other bugs, some of them could be
> > security related. assert is a reasonable way to help us catch them in
> > fuzzying.
> 
> The specific example (ati-vga) does expect and should support unaligned
> access.

Then it should set "unaligned = true". It does not seem to do so.

> Not for all regs but for most registers, there's a table in docs
> which says for PCI POS registers (whatever those are) unalligned access is
> supported. This works now, if it should not work witout .impl.unaligned or
> some other value set somewhere that should be patched instead.

Argue with the docs/devel/memory.rst about this please, that's not
what it says.


> 
> Regards,
> BALATON Zoltan