From: Simon Rowe <simon.rowe@nutanix.com>
To: qemu-devel@nongnu.org
Cc: John Snow <jsnow@redhat.com>,
qemu-block@nongnu.org, f.ebner@proxmox.com,
Simon Rowe <simon.rowe@nutanix.com>,
Felipe Franciosi <felipe@nutanix.com>
Subject: [PATCH 1/1] hw/ide/core: terminate in-flight DMA on IDE bus reset
Date: Thu, 21 Sep 2023 16:07:12 +0000
Message-ID: <20230921160712.99521-2-simon.rowe@nutanix.com>
In-Reply-To: <20230921160712.99521-1-simon.rowe@nutanix.com>
When an IDE controller is reset, its internal state is being cleared
before any outstanding I/O is cancelled. If a response to DMA is
received in this window, the aio callback will incorrectly continue
with the next part of the transfer (now using sector 0 from
the cleared controller state).
For a write operation, this results in user data being written to the
MBR, replacing the first stage bootloader and/or partition table. A
malicious user could exploit this bug to first read the MBR and then
rewrite it with user-controlled bootloader code.
This addresses the bug by checking if DRQ_STAT is still set in the DMA
callback (as it is otherwise cleared at the start of the bus
reset). If it is not, treat the transfer as ended.
This only appears to affect SATA controllers; plain IDE does not use
aio.
Fixes: CVE-2023-5088
Signed-off-by: Simon Rowe <simon.rowe@nutanix.com>
Cc: Felipe Franciosi <felipe@nutanix.com>
---
hw/ide/core.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/hw/ide/core.c b/hw/ide/core.c
index b5e0dcd29b..826b7eaeeb 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -906,8 +906,12 @@ static void ide_dma_cb(void *opaque, int ret)
s->nsector -= n;
}
- /* end of transfer ? */
- if (s->nsector == 0) {
+ /*
+ * End of transfer ?
+ * If a bus reset occurs immediately before the callback is invoked the
+ * bus state will have been cleared. Terminate the transfer.
+ */
+ if (s->nsector == 0 || !(s->status & DRQ_STAT)) {
s->status = READY_STAT | SEEK_STAT;
ide_bus_set_irq(s->bus);
goto eot;
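Review bot: the reset case is folded into the normal end-of-transfer branch, so when `!(s->status & DRQ_STAT)` fires the callback still writes `s->status = READY_STAT | SEEK_STAT` and raises an interrupt via `ide_bus_set_irq(s->bus)` on a bus that has just been reset; the comment should say whether a post-reset IRQ and status rewrite are intended, or the two conditions should be split so the reset path only cancels the transfer. The new test also sits after the `s->nsector -= n` bookkeeping in the visible context, so the register state established by the reset has already been modified before the reset is noticed; checking DRQ_STAT at the top of the callback, before any state is touched, would avoid that. Finally, the guard relies on DRQ_STAT being cleared only by the bus reset while a DMA transfer is in flight; the comment should name that reset path explicitly, since any other path that drops DRQ_STAT mid-transfer would now silently terminate the transfer too.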
--
2.22.3
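The race the commit message describes, as an added model that is not QEMU's code: the register layout, the toy 16-byte sectors and every model_* helper are assumptions made for illustration. A 3-sector DMA write is interrupted by a bus reset between the issue of a segment and its completion callback; the callback is then run once with the pre-patch end-of-transfer test and once with the DRQ_STAT check from the hunk, and the sector 0 contents are compared afterwards.

```c
/*
 * Constructed model of the reset-vs-DMA-completion race.  Added
 * illustration only, not QEMU code: register layout, toy sectors and
 * the model_* helpers are assumptions.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define READY_STAT 0x40
#define SEEK_STAT  0x10
#define DRQ_STAT   0x08

#define SECTOR_SIZE 16   /* toy sectors; a real disk uses 512 bytes */
#define NUM_SECTORS 8

/* Constructed "MBR" placed in sector 0 so a clobber is visible. */
static const uint8_t MBR[SECTOR_SIZE] = "MBR-BOOTCODE-55";

typedef struct {
    uint8_t status;
    int64_t lba;        /* where the next DMA segment goes */
} IDERegs;              /* registers the model's bus reset clears */

typedef struct {
    int remaining;      /* sectors not yet completed */
    int in_flight;      /* sectors of the segment awaiting its callback */
    const uint8_t *src; /* user data being written */
} DMARequest;           /* not touched by the reset (model assumption) */

typedef struct {
    IDERegs regs;
    DMARequest req;
    uint8_t disk[NUM_SECTORS][SECTOR_SIZE];
    int irqs;
} IDEModel;

static void model_init(IDEModel *m)
{
    memset(m, 0, sizeof(*m));
    memcpy(m->disk[0], MBR, SECTOR_SIZE);
    m->regs.status = READY_STAT | SEEK_STAT;
}

/* Guest programs an n-sector DMA write at lba: DRQ set, request armed. */
static void model_start_write(IDEModel *m, int64_t lba, int n, const uint8_t *src)
{
    m->regs.status = READY_STAT | SEEK_STAT | DRQ_STAT;
    m->regs.lba = lba;
    m->req.remaining = n;
    m->req.in_flight = 0;
    m->req.src = src;
}

/* Issue one 1-sector segment: the data lands on the disk now, the
 * completion callback arrives later.  Out-of-range LBAs are dropped. */
static void model_issue_segment(IDEModel *m)
{
    if (m->regs.lba >= 0 && m->regs.lba < NUM_SECTORS) {
        memcpy(m->disk[m->regs.lba], m->req.src, SECTOR_SIZE);
    }
    m->req.src += SECTOR_SIZE;
    m->regs.lba += 1;
    m->req.in_flight = 1;
}

/* Bus reset as the commit message describes it: registers cleared first.
 * The later cancel of outstanding I/O is deliberately not modelled, so a
 * completion callback can still arrive in the window. */
static void model_bus_reset(IDEModel *m)
{
    m->regs.status = READY_STAT | SEEK_STAT;   /* DRQ_STAT is gone */
    m->regs.lba = 0;
}

/* Completion callback.  guard=false is the pre-patch end-of-transfer test,
 * guard=true adds the DRQ_STAT check from the hunk.  Returns true at EOT. */
static bool model_dma_cb(IDEModel *m, bool guard)
{
    m->req.remaining -= m->req.in_flight;
    m->req.in_flight = 0;
    if (m->req.remaining == 0 || (guard && !(m->regs.status & DRQ_STAT))) {
        m->regs.status = READY_STAT | SEEK_STAT;
        m->irqs++;
        return true;
    }
    model_issue_segment(m);   /* continues at regs.lba, which is 0 after a reset */
    return false;
}

/* Payload: sector k of the write is filled with 'A' + k. */
static void make_payload(uint8_t *buf)
{
    for (int k = 0; k < 3; k++) {
        memset(buf + k * SECTOR_SIZE, 'A' + k, SECTOR_SIZE);
    }
}

/* Race: 3-sector write at LBA 5, reset between issue and completion.
 * Returns true if the MBR in sector 0 survived. */
bool run_race(bool guard, int *irqs_out)
{
    uint8_t payload[3 * SECTOR_SIZE];
    IDEModel m;
    make_payload(payload);
    model_init(&m);
    model_start_write(&m, 5, 3, payload);
    model_issue_segment(&m);   /* sector 5 written, callback pending */
    model_bus_reset(&m);
    model_dma_cb(&m, guard);   /* late completion arrives */
    if (irqs_out) {
        *irqs_out = m.irqs;
    }
    return memcmp(m.disk[0], MBR, SECTOR_SIZE) == 0;
}

/* No reset: run callbacks to EOT and count sectors carrying their
 * expected payload byte (3 when the transfer completed correctly). */
int run_normal(bool guard)
{
    uint8_t payload[3 * SECTOR_SIZE];
    IDEModel m;
    int ok = 0;
    make_payload(payload);
    model_init(&m);
    model_start_write(&m, 5, 3, payload);
    model_issue_segment(&m);
    while (!model_dma_cb(&m, guard)) {
    }
    for (int k = 0; k < 3; k++) {
        if (m.disk[5 + k][0] == 'A' + k) {
            ok++;
        }
    }
    return ok;
}

int main(void)
{
    int irqs = 0;
    bool unpatched = run_race(false, NULL);
    bool patched = run_race(true, &irqs);
    printf("unpatched: MBR intact after reset? %d\n", unpatched);
    printf("patched:   MBR intact after reset? %d (irqs=%d)\n", patched, irqs);
    return 0;
}
```

Without the guard the callback issues the next segment at the cleared LBA and the payload overwrites sector 0; with the guard the transfer is terminated and the model's MBR is untouched. The model keeps the remaining-sector count outside the registers the reset clears so that the pre-patch callback has something left to continue with; that is a modelling choice, not a statement about QEMU's register layout.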
Thread overview (12 messages):
2023-09-21 16:07 [PATCH 0/1] CVE-2023-5088 Simon Rowe
2023-09-21 16:07 ` Simon Rowe [this message]
2023-09-25 19:53 ` [PATCH 1/1] hw/ide/core: terminate in-flight DMA on IDE bus reset John Snow
2023-09-26 7:11 ` Fiona Ebner
2023-09-26 14:45 ` John Snow
2023-09-28 11:23 ` Fiona Ebner
2023-10-02 9:08 ` Simon Rowe
2023-10-02 22:59 ` John Snow
2023-10-03 12:46 ` Simon Rowe
2023-10-03 14:06 ` Niklas Cassel
2023-10-03 17:05 ` John Snow
2023-10-04 7:51 ` Simon Rowe