From: Paolo Bonzini <pbonzini@redhat.com>
To: Pranith Kumar <bobby.prani+qemu@gmail.com>
Cc: Richard Henderson <rth@twiddle.net>,
Peter Maydell <peter.maydell@linaro.org>,
Qemu Developers <qemu-devel@nongnu.org>,
Jann Horn <jannh@google.com>
Subject: Re: [Qemu-devel] [BUG] user-to-root privesc inside VM via bad translation caching
Date: Thu, 23 Mar 2017 18:37:02 +0100 [thread overview]
Message-ID: <575fee6e-489d-54a8-dfbc-1f42172d5713@redhat.com> (raw)
In-Reply-To: <CAJhHMCDke60mQgOza1xgTs9sSTcE0HESG7G=f3bQ5sP+0Baz0A@mail.gmail.com>
On 23/03/2017 17:50, Pranith Kumar wrote:
> On Thu, Mar 23, 2017 at 6:27 AM, Paolo Bonzini <pbonzini@redhat.com> wrote:
>>
>>
>> On 22/03/2017 21:01, Richard Henderson wrote:
>>>>
>>>> Ah, OK. Thanks for the explanation. May be we should check the size of
>>>> the instruction while decoding the prefixes and error out once we
>>>> exceed the limit. We would not generate any IR code.
>>>
>>> Yes.
>>>
>>> It would not enforce a true limit of 15 bytes, since you can't know that
>>> until you've done the rest of the decode. But you'd be able to say that
>>> no more than 14 prefix + 1 opc + 6 modrm+sib+ofs + 4 immediate = 25
>>> bytes is used.
>>>
>>> Which does fix the bug.
>>
>> Yeah, that would work for 2.9 if somebody wants to put together a patch.
>> Ensuring that all instruction fetching happens before translation side
>> effects is a little harder, but perhaps it's also the opportunity to get
>> rid of s->rip_offset which is a little ugly.
>
> How about the following?
>
> diff --git a/target/i386/translate.c b/target/i386/translate.c
> index 72c1b03a2a..67c58b8900 100644
> --- a/target/i386/translate.c
> +++ b/target/i386/translate.c
> @@ -4418,6 +4418,11 @@ static target_ulong disas_insn(CPUX86State
> *env, DisasContext *s,
> s->vex_l = 0;
> s->vex_v = 0;
> next_byte:
> + /* The prefixes can atmost be 14 bytes since x86 has an upper
> + limit of 15 bytes for the instruction */
> + if (s->pc - pc_start > 14) {
> + goto illegal_op;
> + }
> b = cpu_ldub_code(env, s->pc);
> s->pc++;
> /* Collect prefixes. */
Please make the comment more verbose, based on Richard's remark. We
should apply it to 2.9.
Also, QEMU usually formats comments with stars on every line.
Paolo
next prev parent reply other threads:[~2017-03-23 17:37 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-20 14:36 [Qemu-devel] [BUG] user-to-root privesc inside VM via bad translation caching Jann Horn
2017-03-20 14:46 ` Peter Maydell
2017-03-22 14:55 ` Pranith Kumar
2017-03-22 15:04 ` Peter Maydell
2017-03-22 15:14 ` Pranith Kumar
2017-03-22 15:21 ` Peter Maydell
2017-03-22 16:29 ` Pranith Kumar
2017-03-22 20:01 ` Richard Henderson
2017-03-23 10:27 ` Paolo Bonzini
2017-03-23 16:50 ` Pranith Kumar
2017-03-23 17:37 ` Paolo Bonzini [this message]
2017-03-23 17:43 ` Pranith Kumar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=575fee6e-489d-54a8-dfbc-1f42172d5713@redhat.com \
--to=pbonzini@redhat.com \
--cc=bobby.prani+qemu@gmail.com \
--cc=jannh@google.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=rth@twiddle.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).