From: Jason Wang <jasowang@redhat.com>
To: Petr Matousek <pmatouse@redhat.com>
Cc: aliguori@us.ibm.com, qemu-devel@nongnu.org, mst@redhat.com
Subject: Re: [Qemu-devel] [PATCH 1/3] virtio-pci: properly validate address before accessing config
Date: Sat, 27 Apr 2013 13:13:16 +0800 [thread overview]
Message-ID: <517B5E6C.1090606@redhat.com> (raw)
In-Reply-To: <20130426142754.GO8388@dhcp-25-225.brq.redhat.com>
On 04/26/2013 10:27 PM, Petr Matousek wrote:
> On Fri, Apr 26, 2013 at 04:34:02PM +0800, Jason Wang wrote:
>> There are several several issues in the current checking:
>>
>> - The check was based on the minus of unsigned values which can overflow
>> - It was done after .{set|get}_config() which can lead crash when config_len is
>> zero since vdev->config is NULL
>>
>> Fix this by:
>>
>> - Validate the address in virtio_pci_config_{read|write}() before
>> .{set|get}_config
>> - Use addition instead minus to do the validation
>>
>> Cc: Michael S. Tsirkin <mst@redhat.com>
>> Cc: Petr Matousek <pmatouse@redhat.com>
>> Signed-off-by: Jason Wang <jasowang@redhat.com>
>> ---
>> hw/virtio/virtio-pci.c | 9 +++++++++
>> hw/virtio/virtio.c | 18 ------------------
>> 2 files changed, 9 insertions(+), 18 deletions(-)
>>
>> diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
>> index a1f15a8..7f6c7d1 100644
>> --- a/hw/virtio/virtio-pci.c
>> +++ b/hw/virtio/virtio-pci.c
>> @@ -400,6 +400,10 @@ static uint64_t virtio_pci_config_read(void *opaque, hwaddr addr,
>> }
>> addr -= config;
>>
>> + if (addr + size > proxy->vdev->config_len) {
>> + return (uint32_t)-1;
>> + }
>> +
> What is the range of values addr can be? I guess it's not arbitrary and
> not fully in guests hands. Can it be higher than corresponding pci
> config space size?
Not fully in guests hands. It depends on size the config size.
Unfortunately, qemu will roundup the size to power of 2 in
virtio_pci_device_plugged():
size = VIRTIO_PCI_REGION_SIZE(&proxy->pci_dev)
+ virtio_bus_get_vdev_config_len(bus);
if (size & (size - 1)) {
size = 1 << qemu_fls(size);
}
So, for virtio-rng, though its region size is 20, it will be rounded up
to 32, which left guest the possibility to access beyond the config
space. So some check is needs in virito_pci_config_read().
>
> IOW, can guest touch anything interesting or will all accesses end in
> the first page in the qemu address space, considering vdev->config being
> NULL?
>
There's another theoretical issue as pointed by Anthony, see
virtio_config_writew():
void virtio_config_writew(VirtIODevice *vdev, uint32_t addr, uint32_t data)
{
uint16_t val = data;
if (addr > (vdev->config_len - sizeof(val)))
return;
stw_p(vdev->config + addr, val);
if (vdev->set_config)
vdev->set_config(vdev, vdev->config);
}
If there's a device whose config_len is 1, the check will fail and we
can access some other location.
But since virtio-rng has zero config length and addr here should be less
than 12, and all other device's config length is all greater than 4.
Only first page could be access here.
next prev parent reply other threads:[~2013-04-27 5:13 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-04-26 8:34 [Qemu-devel] [PATCH 1/3] virtio-pci: properly validate address before accessing config Jason Wang
2013-04-26 8:34 ` [Qemu-devel] [PATCH 2/3] virtio-ccw: check config length before accessing it Jason Wang
2013-04-28 8:32 ` Michael S. Tsirkin
2013-04-28 8:40 ` Jason Wang
2013-05-07 5:42 ` Jason Wang
2013-04-26 8:34 ` [Qemu-devel] [PATCH 3/3] s390-virtio-bus: sync config only when config_len is not zero Jason Wang
2013-04-26 17:07 ` Alexander Graf
2013-04-27 5:14 ` Jason Wang
2013-04-28 8:31 ` Michael S. Tsirkin
2013-04-28 8:39 ` Jason Wang
2013-04-26 14:27 ` [Qemu-devel] [PATCH 1/3] virtio-pci: properly validate address before accessing config Petr Matousek
2013-04-27 5:13 ` Jason Wang [this message]
2013-04-28 11:29 ` Petr Matousek
2013-04-29 7:34 ` [Qemu-devel] [oss-security] " Kurt Seifried
2013-04-29 7:51 ` Michael S. Tsirkin
2013-04-27 19:05 ` [Qemu-devel] " Michael S. Tsirkin
2013-04-27 19:26 ` Michael S. Tsirkin
2013-04-28 7:54 ` Jason Wang
2013-04-28 8:35 ` Michael S. Tsirkin
2013-05-02 14:35 ` Andreas Färber
2013-05-06 3:17 ` Jason Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=517B5E6C.1090606@redhat.com \
--to=jasowang@redhat.com \
--cc=aliguori@us.ibm.com \
--cc=mst@redhat.com \
--cc=pmatouse@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).