From: Stefan Weil <sw@weilnetz.de>
To: John Snow <jsnow@redhat.com>,
qemu-stable@nongnu.org, peter.maydell@linaro.org
Cc: Petr Matousek <pmatouse@redhat.com>,
qemu-devel@nongnu.org, mdroth@linux.vnet.ibm.com
Subject: Re: [Qemu-devel] [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer
Date: Wed, 13 May 2015 20:51:03 +0200 [thread overview]
Message-ID: <55539D17.7010000@weilnetz.de> (raw)
In-Reply-To: <1431527602-29889-1-git-send-email-jsnow@redhat.com>
Hi,
I just noticed this patch because my provider told me that my KVM based
server
needs a reboot because of a CVE (see this German news:
http://www.heise.de/newsticker/meldung/Venom-Schwachstelle-Aus-Hypervisor-ausbrechen-und-VMs-ausspionieren-2649614.html)
Am 13.05.2015 um 16:33 schrieb John Snow:
> From: Petr Matousek <pmatouse@redhat.com>
>
> During processing of certain commands such as FD_CMD_READ_ID and
> FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
> get out of bounds leading to memory corruption with values coming
> from the guest.
>
> Fix this by making sure that the index is always bounded by the
> allocated memory.
>
> This is CVE-2015-3456.
>
> Signed-off-by: Petr Matousek <pmatouse@redhat.com>
> Reviewed-by: John Snow <jsnow@redhat.com>
> Signed-off-by: John Snow <jsnow@redhat.com>
> ---
> hw/block/fdc.c | 17 +++++++++++------
> 1 file changed, 11 insertions(+), 6 deletions(-)
>
> diff --git a/hw/block/fdc.c b/hw/block/fdc.c
> index f72a392..d8a8edd 100644
> --- a/hw/block/fdc.c
> +++ b/hw/block/fdc.c
> @@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
> {
> FDrive *cur_drv;
> uint32_t retval = 0;
> - int pos;
> + uint32_t pos;
>
> cur_drv = get_cur_drv(fdctrl);
> fdctrl->dsr &= ~FD_DSR_PWRDOWN;
> @@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
> return 0;
> }
> pos = fdctrl->data_pos;
> + pos %= FD_SECTOR_LEN;
I'd combine both statements and perhaps use fdctrl->fifo_size (even if
the resulting code will be slightly larger):
pos = fdctrl->data_pos % fdctrl->fifo_size;
> if (fdctrl->msr & FD_MSR_NONDMA) {
> - pos %= FD_SECTOR_LEN;
> if (pos == 0) {
> if (fdctrl->data_pos != 0)
> if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
> @@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
> static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
> {
> FDrive *cur_drv = get_cur_drv(fdctrl);
> + uint32_t pos;
>
> - if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
> + pos = fdctrl->data_pos - 1;
> + pos %= FD_SECTOR_LEN;
Shorter (and more clear):
uint32_t pos = (fdctrl->data_pos - 1) % fdctrl->fifo_size;
> + if (fdctrl->fifo[pos] & 0x80) {
> /* Command parameters done */
> - if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
> + if (fdctrl->fifo[pos] & 0x40) {
> fdctrl->fifo[0] = fdctrl->fifo[1];
> fdctrl->fifo[2] = 0;
> fdctrl->fifo[3] = 0;
> @@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
> static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
> {
> FDrive *cur_drv;
> - int pos;
> + uint32_t pos;
>
> /* Reset mode */
> if (!(fdctrl->dor & FD_DOR_nRESET)) {
> @@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
> }
>
> FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
> - fdctrl->fifo[fdctrl->data_pos++] = value;
> + pos = fdctrl->data_pos++;
> + pos %= FD_SECTOR_LEN;
> + fdctrl->fifo[pos] = value;
> if (fdctrl->data_pos == fdctrl->data_len) {
> /* We now have all parameters
> * and will be able to treat the command
Not strictly related to this patch: The code which sets fifo_size could
also be improved.
fdctrl->fifo = qemu_memalign(512, FD_SECTOR_LEN);
fdctrl->fifo_size = 512;
The 2nd line should be
fdctrl->fifo_size = FD_SECTOR_LEN;
As far as I see the original code can read or write illegal memory
locations in the address space of the QEMU process. It cannot (as it was
claimed) modify the code of the VM host because those memory is usually
write protected - at least if QEMU is running without KVM. If the code
which is generated for KVM is writable from anywhere in QEMU, we should
perhaps consider changing that.
Regards
Stefan
next prev parent reply other threads:[~2015-05-13 18:51 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-13 14:33 [Qemu-devel] [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer John Snow
2015-05-13 14:33 ` John Snow
2015-05-13 14:35 ` John Snow
2015-05-13 18:51 ` Stefan Weil [this message]
2015-05-13 18:59 ` [Qemu-devel] [Qemu-stable] " Stefan Priebe
2015-05-13 19:04 ` John Snow
2015-05-13 19:06 ` Stefan Priebe
2015-05-13 19:05 ` Stefan Weil
2015-05-13 19:09 ` Stefan Priebe
2015-05-13 19:30 ` Peter Lieven
2015-05-13 19:52 ` Markus Armbruster
2015-05-13 20:02 ` Peter Lieven
2015-05-13 20:03 ` John Snow
2015-05-13 20:04 ` Peter Lieven
2015-05-13 20:54 ` [Qemu-devel] " John Snow
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=55539D17.7010000@weilnetz.de \
--to=sw@weilnetz.de \
--cc=jsnow@redhat.com \
--cc=mdroth@linux.vnet.ibm.com \
--cc=peter.maydell@linaro.org \
--cc=pmatouse@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).