From: Peter Maydell <peter.maydell@linaro.org>
To: "Michael S. Tsirkin" <mst@redhat.com>
Cc: "QEMU Developers" <qemu-devel@nongnu.org>, 李强 <liqiang6-s@360.cn>,
"pmatouse@redhat.com" <pmatouse@redhat.com>,
"sstabellini@kernel.org" <sstabellini@kernel.org>,
"secalert@redhat.com" <secalert@redhat.com>,
"mdroth@linux.vnet.ibm.com" <mdroth@linux.vnet.ibm.com>,
g-sec-cloud <g-sec-cloud@list.qihoo.net>,
"Alistair Francis" <alistair.francis@xilinx.com>,
"Peter Crosthwaite" <crosthwaite.peter@gmail.com>
Subject: Re: [Qemu-devel] [PATCH] cadence_uart: bounds check write offset
Date: Mon, 18 Apr 2016 11:10:06 +0100 [thread overview]
Message-ID: <CAFEAcA8mrU9HW6C_T0Ba3Ls6xH2TstS6WbQW0utx11kFocGq2Q@mail.gmail.com> (raw)
In-Reply-To: <20160418100735.GA517@redhat.com>
CCing the maintainers for this device...
On 18 April 2016 at 11:07, Michael S. Tsirkin <mst@redhat.com> wrote:
> cadence_uart_init() initializes an I/O memory region of size 0x1000
> bytes. However in uart_write(), the 'offset' parameter (offset within
> region) is divided by 4 and then used to index the array 'r' of size
> CADENCE_UART_R_MAX which is much smaller: (0x48/4). If 'offset>>=2'
> exceeds CADENCE_UART_R_MAX, this will cause an out-of-bounds memory
> write where the offset and the value are controlled by guest.
>
> This will corrupt QEMU memory, in most situations this causes the vm to
> crash.
>
> Fix by checking the offset against the array size.
>
> Reported-by: 李强 <liqiang6-s@360.cn>
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
>
> ---
>
> diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c
> index 486591b..7977878 100644
> --- a/hw/char/cadence_uart.c
> +++ b/hw/char/cadence_uart.c
> @@ -375,6 +375,9 @@ static void uart_write(void *opaque, hwaddr offset,
>
> DB_PRINT(" offset:%x data:%08x\n", (unsigned)offset, (unsigned)value);
> offset >>= 2;
> + if (offset >= CADENCE_UART_R_MAX) {
> + return;
> + }
> switch (offset) {
> case R_IER: /* ier (wts imr) */
> s->r[R_IMR] |= value;
thanks
-- PMM
next prev parent reply other threads:[~2016-04-18 10:10 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <RT-Ticket-398672@engineering.redhat.com>
[not found] ` <143C0AFC63FC204CB0C55BB88F3A8ABBE31B34@EX01.corp.qihoo.net>
2016-04-18 10:07 ` [Qemu-devel] [PATCH] cadence_uart: bounds check write offset Michael S. Tsirkin
2016-04-18 10:10 ` Peter Maydell [this message]
2016-04-18 20:50 ` Alistair Francis
2016-04-19 10:15 ` Peter Maydell
[not found] ` <20160418081029.GA30482@redhat.com>
[not found] ` <CAFEAcA9zNW-hdTW4wK9vjCcmAjDKAcfQA+DNKra-jS2d=TLxLQ@mail.gmail.com>
[not found] ` <20160418120139-mutt-send-email-mst@redhat.com>
[not found] ` <143C0AFC63FC204CB0C55BB88F3A8ABBE35B0E@EX01.corp.qihoo.net>
[not found] ` <20160418122728-mutt-send-email-mst@redhat.com>
[not found] ` <143C0AFC63FC204CB0C55BB88F3A8ABBE36DC7@EX01.corp.qihoo.net>
2016-04-29 13:08 ` [Qemu-devel] [engineering.redhat.com #398672] [QEMU-SECURITY] Out-of-bands write in uart_write() Red Hat Product Security
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAFEAcA8mrU9HW6C_T0Ba3Ls6xH2TstS6WbQW0utx11kFocGq2Q@mail.gmail.com \
--to=peter.maydell@linaro.org \
--cc=alistair.francis@xilinx.com \
--cc=crosthwaite.peter@gmail.com \
--cc=g-sec-cloud@list.qihoo.net \
--cc=liqiang6-s@360.cn \
--cc=mdroth@linux.vnet.ibm.com \
--cc=mst@redhat.com \
--cc=pmatouse@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=secalert@redhat.com \
--cc=sstabellini@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).