From: John Snow <jsnow@redhat.com>
To: Stefan Priebe <s.priebe@profihost.ag>,
Stefan Weil <sw@weilnetz.de>,
qemu-stable@nongnu.org, peter.maydell@linaro.org
Cc: Petr Matousek <pmatouse@redhat.com>, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [Qemu-stable] [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer
Date: Wed, 13 May 2015 15:04:29 -0400 [thread overview]
Message-ID: <5553A03D.2030208@redhat.com> (raw)
In-Reply-To: <55539EFA.6050605@profihost.ag>
On 05/13/2015 02:59 PM, Stefan Priebe wrote:
>
> Am 13.05.2015 um 20:51 schrieb Stefan Weil:
>> Hi,
>>
>> I just noticed this patch because my provider told me that my KVM based
>> server
>> needs a reboot because of a CVE (see this German news:
>> http://www.heise.de/newsticker/meldung/Venom-Schwachstelle-Aus-Hypervisor-ausbrechen-und-VMs-ausspionieren-2649614.html)
>>
>
> Isn't a live migration to a fixed version enough instead of a reboot?
>
> Stefan
>
>
If your management API or host or whatever lets you migrate back to the
same host, or has another host they can migrate you to, yes.
>>
>> Am 13.05.2015 um 16:33 schrieb John Snow:
>>> From: Petr Matousek <pmatouse@redhat.com>
>>>
>>> During processing of certain commands such as FD_CMD_READ_ID and
>>> FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
>>> get out of bounds leading to memory corruption with values coming
>>> from the guest.
>>>
>>> Fix this by making sure that the index is always bounded by the
>>> allocated memory.
>>>
>>> This is CVE-2015-3456.
>>>
>>> Signed-off-by: Petr Matousek <pmatouse@redhat.com>
>>> Reviewed-by: John Snow <jsnow@redhat.com>
>>> Signed-off-by: John Snow <jsnow@redhat.com>
>>> ---
>>> hw/block/fdc.c | 17 +++++++++++------
>>> 1 file changed, 11 insertions(+), 6 deletions(-)
>>>
>>> diff --git a/hw/block/fdc.c b/hw/block/fdc.c
>>> index f72a392..d8a8edd 100644
>>> --- a/hw/block/fdc.c
>>> +++ b/hw/block/fdc.c
>>> @@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
>>> {
>>> FDrive *cur_drv;
>>> uint32_t retval = 0;
>>> - int pos;
>>> + uint32_t pos;
>>> cur_drv = get_cur_drv(fdctrl);
>>> fdctrl->dsr &= ~FD_DSR_PWRDOWN;
>>> @@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
>>> return 0;
>>> }
>>> pos = fdctrl->data_pos;
>>> + pos %= FD_SECTOR_LEN;
>>
>> I'd combine both statements and perhaps use fdctrl->fifo_size (even if
>> the resulting code will be slightly larger):
>>
>> pos = fdctrl->data_pos % fdctrl->fifo_size;
>>
>>
>>> if (fdctrl->msr & FD_MSR_NONDMA) {
>>> - pos %= FD_SECTOR_LEN;
>>> if (pos == 0) {
>>> if (fdctrl->data_pos != 0)
>>> if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
>>> @@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl
>>> *fdctrl, int direction)
>>> static void fdctrl_handle_drive_specification_command(FDCtrl
>>> *fdctrl, int direction)
>>> {
>>> FDrive *cur_drv = get_cur_drv(fdctrl);
>>> + uint32_t pos;
>>> - if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
>>> + pos = fdctrl->data_pos - 1;
>>> + pos %= FD_SECTOR_LEN;
>>
>> Shorter (and more clear):
>>
>> uint32_t pos = (fdctrl->data_pos - 1) % fdctrl->fifo_size;
>>
>>> + if (fdctrl->fifo[pos] & 0x80) {
>>> /* Command parameters done */
>>> - if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
>>> + if (fdctrl->fifo[pos] & 0x40) {
>>> fdctrl->fifo[0] = fdctrl->fifo[1];
>>> fdctrl->fifo[2] = 0;
>>> fdctrl->fifo[3] = 0;
>>> @@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
>>> static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
>>> {
>>> FDrive *cur_drv;
>>> - int pos;
>>> + uint32_t pos;
>>> /* Reset mode */
>>> if (!(fdctrl->dor & FD_DOR_nRESET)) {
>>> @@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl,
>>> uint32_t value)
>>> }
>>> FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
>>> - fdctrl->fifo[fdctrl->data_pos++] = value;
>>> + pos = fdctrl->data_pos++;
>>> + pos %= FD_SECTOR_LEN;
>>> + fdctrl->fifo[pos] = value;
>>> if (fdctrl->data_pos == fdctrl->data_len) {
>>> /* We now have all parameters
>>> * and will be able to treat the command
>>
>> Not strictly related to this patch: The code which sets fifo_size could
>> also be improved.
>>
>> fdctrl->fifo = qemu_memalign(512, FD_SECTOR_LEN);
>> fdctrl->fifo_size = 512;
>>
>> The 2nd line should be
>>
>> fdctrl->fifo_size = FD_SECTOR_LEN;
>>
>>
>> As far as I see the original code can read or write illegal memory
>> locations in the address space of the QEMU process. It cannot (as it was
>> claimed) modify the code of the VM host because those memory is usually
>> write protected - at least if QEMU is running without KVM. If the code
>> which is generated for KVM is writable from anywhere in QEMU, we should
>> perhaps consider changing that.
>>
>> Regards
>> Stefan
>>
>>
>
--
—js
next prev parent reply other threads:[~2015-05-13 19:04 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-13 14:33 [Qemu-devel] [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer John Snow
2015-05-13 14:33 ` John Snow
2015-05-13 14:35 ` John Snow
2015-05-13 18:51 ` Stefan Weil
2015-05-13 18:59 ` [Qemu-devel] [Qemu-stable] " Stefan Priebe
2015-05-13 19:04 ` John Snow [this message]
2015-05-13 19:06 ` Stefan Priebe
2015-05-13 19:05 ` Stefan Weil
2015-05-13 19:09 ` Stefan Priebe
2015-05-13 19:30 ` Peter Lieven
2015-05-13 19:52 ` Markus Armbruster
2015-05-13 20:02 ` Peter Lieven
2015-05-13 20:03 ` John Snow
2015-05-13 20:04 ` Peter Lieven
2015-05-13 20:54 ` [Qemu-devel] " John Snow
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5553A03D.2030208@redhat.com \
--to=jsnow@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=pmatouse@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
--cc=s.priebe@profihost.ag \
--cc=sw@weilnetz.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).