From: Jason Wang
Date: Mon, 06 May 2013 11:17:49 +0800
Subject: Re: [Qemu-devel] [PATCH 1/3] virtio-pci: properly validate address before accessing config
To: Andreas Färber
Cc: aliguori@us.ibm.com, pmatouse@redhat.com, qemu-devel@nongnu.org, "Michael S. Tsirkin"
Message-ID: <518720DD.2050202@redhat.com>
In-Reply-To: <518279C9.7030501@suse.de>
References: <1366965244-20542-1-git-send-email-jasowang@redhat.com> <20130427192642.GA30188@redhat.com> <517CD5AC.2080708@redhat.com> <20130428083514.GE7106@redhat.com> <518279C9.7030501@suse.de>

On 05/02/2013 10:35 PM, Andreas Färber wrote:
> On 28.04.2013 10:35, Michael S. Tsirkin wrote:
>> On Sun, Apr 28, 2013 at 03:54:20PM +0800, Jason Wang wrote:
>>> On 04/28/2013 03:26 AM, Michael S. Tsirkin wrote:
>>>> On Fri, Apr 26, 2013 at 04:34:02PM +0800, Jason Wang wrote:
>>>>> There are several issues in the current checking:
>>>>>
>>>>> - The check was based on the minus of unsigned values which can overflow
>>>>> - It was done after .{set|get}_config() which can lead to a crash when config_len is
>>>>>   zero since vdev->config is NULL
>>>>>
>>>>> Fix this by:
>>>>>
>>>>> - Validate the address in virtio_pci_config_{read|write}() before
>>>>>   .{set|get}_config
>>>>> - Use addition instead of minus to do the validation
>>>>>
>>>>> Cc: Michael S. Tsirkin
>>>>> Cc: Petr Matousek
>>>>> Signed-off-by: Jason Wang
>>>> Why do this in virtio-pci and not in virtio.c?
>>>> If instead we correct the checks in virtio.c we
>>>> get less code, and all transports will benefit
>>>> automatically.
>>> I wish I could but looks like virtio_config_read{b|w|l} were only used by
>>> virtio-pci. Other transports such as ccw and s390-virtio-bus have their
>>> own implementation.
>> Okay but still, the bug is in checks in virtio.c, why not fix it there
>> instead of making it assume caller does the checks?
> Ping? This issue has been assigned a CVE but the solution does not seem
> to be agreed on yet - are you working on a different proposal, Jason?
>
> Thanks,
> Andreas
>

Hi, I was just back from vacation, will draft V2 soon according to Michael's comments.

Thanks