* [PATCH] pci: check address before reading configuration bytes
@ 2020-06-03 12:40 P J P
2020-06-03 12:51 ` Daniel P. Berrangé
2020-06-03 12:52 ` Philippe Mathieu-Daudé
0 siblings, 2 replies; 3+ messages in thread
From: P J P @ 2020-06-03 12:40 UTC (permalink / raw)
To: Michael S . Tsirkin
Cc: Prasad J Pandit, Yi Ren, QEMU Developers, Ren Ding, Hanqing Zhao
From: Prasad J Pandit <pjp@fedoraproject.org>
While reading PCI configuration bytes, a guest may send an
address towards the end of the configuration space. It may lead
to an OOB access issue. Add check to ensure 'address + len' is
within PCI configuration space.
Reported-by: Ren Ding <rding@gatech.edu>
Reported-by: Hanqing Zhao <hanqing@gatech.edu>
Reported-by: Yi Ren <c4tren@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
hw/pci/pci.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/hw/pci/pci.c b/hw/pci/pci.c
index 70c66965f5..4429fa9401 100644
--- a/hw/pci/pci.c
+++ b/hw/pci/pci.c
@@ -1385,7 +1385,9 @@ uint32_t pci_default_read_config(PCIDevice *d,
ranges_overlap(address, len, d->exp.exp_cap + PCI_EXP_LNKSTA, 2)) {
pcie_sync_bridge_lnk(d);
}
- memcpy(&val, d->config + address, len);
+ if (address + len <= pci_config_size(d)) {
+ memcpy(&val, d->config + address, len);
+ }
return le32_to_cpu(val);
}
--
2.26.2
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] pci: check address before reading configuration bytes
2020-06-03 12:40 [PATCH] pci: check address before reading configuration bytes P J P
@ 2020-06-03 12:51 ` Daniel P. Berrangé
2020-06-03 12:52 ` Philippe Mathieu-Daudé
1 sibling, 0 replies; 3+ messages in thread
From: Daniel P. Berrangé @ 2020-06-03 12:51 UTC (permalink / raw)
To: P J P
Cc: Prasad J Pandit, Michael S . Tsirkin, Yi Ren, QEMU Developers,
Ren Ding, Hanqing Zhao
On Wed, Jun 03, 2020 at 06:10:41PM +0530, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> While reading PCI configuration bytes, a guest may send an
> address towards the end of the configuration space. It may lead
> to an OOB access issue. Add check to ensure 'address + len' is
> within PCI configuration space.
A malicious guest triggering an OOB access in the host QEMU
sounds like a significant security flaw. Do we have a CVE
assigned for this ?
>
> Reported-by: Ren Ding <rding@gatech.edu>
> Reported-by: Hanqing Zhao <hanqing@gatech.edu>
> Reported-by: Yi Ren <c4tren@gmail.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> hw/pci/pci.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/hw/pci/pci.c b/hw/pci/pci.c
> index 70c66965f5..4429fa9401 100644
> --- a/hw/pci/pci.c
> +++ b/hw/pci/pci.c
> @@ -1385,7 +1385,9 @@ uint32_t pci_default_read_config(PCIDevice *d,
> ranges_overlap(address, len, d->exp.exp_cap + PCI_EXP_LNKSTA, 2)) {
> pcie_sync_bridge_lnk(d);
> }
> - memcpy(&val, d->config + address, len);
> + if (address + len <= pci_config_size(d)) {
> + memcpy(&val, d->config + address, len);
> + }
> return le32_to_cpu(val);
> }
>
> --
> 2.26.2
>
>
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] pci: check address before reading configuration bytes
2020-06-03 12:40 [PATCH] pci: check address before reading configuration bytes P J P
2020-06-03 12:51 ` Daniel P. Berrangé
@ 2020-06-03 12:52 ` Philippe Mathieu-Daudé
1 sibling, 0 replies; 3+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-06-03 12:52 UTC (permalink / raw)
To: P J P, Michael S . Tsirkin
Cc: Ren Ding, Yi Ren, Prasad J Pandit, Hanqing Zhao, QEMU Developers
On 6/3/20 2:40 PM, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> While reading PCI configuration bytes, a guest may send an
> address towards the end of the configuration space. It may lead
> to an OOB access issue. Add check to ensure 'address + len' is
> within PCI configuration space.
>
> Reported-by: Ren Ding <rding@gatech.edu>
> Reported-by: Hanqing Zhao <hanqing@gatech.edu>
> Reported-by: Yi Ren <c4tren@gmail.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> hw/pci/pci.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/hw/pci/pci.c b/hw/pci/pci.c
> index 70c66965f5..4429fa9401 100644
> --- a/hw/pci/pci.c
> +++ b/hw/pci/pci.c
> @@ -1385,7 +1385,9 @@ uint32_t pci_default_read_config(PCIDevice *d,
> ranges_overlap(address, len, d->exp.exp_cap + PCI_EXP_LNKSTA, 2)) {
> pcie_sync_bridge_lnk(d);
> }
> - memcpy(&val, d->config + address, len);
> + if (address + len <= pci_config_size(d)) {
We don't want to hide/ignore earlier bugs, so IMO the caller should
check for access in range, and this function abort() as it should never
been called with such arguments.
> + memcpy(&val, d->config + address, len);
> + }
> return le32_to_cpu(val);
> }
>
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-06-03 12:53 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-06-03 12:40 [PATCH] pci: check address before reading configuration bytes P J P
2020-06-03 12:51 ` Daniel P. Berrangé
2020-06-03 12:52 ` Philippe Mathieu-Daudé
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).