* [Qemu-devel] [PATCH] cadence_uart: bounds check write offset
[not found] ` <143C0AFC63FC204CB0C55BB88F3A8ABBE31B34@EX01.corp.qihoo.net>
@ 2016-04-18 10:07 ` Michael S. Tsirkin
2016-04-18 10:10 ` Peter Maydell
[not found] ` <20160418081029.GA30482@redhat.com>
1 sibling, 1 reply; 5+ messages in thread
From: Michael S. Tsirkin @ 2016-04-18 10:07 UTC (permalink / raw)
To: Peter Maydell, qemu-devel
Cc: 李强, pmatouse@redhat.com, sstabellini@kernel.org,
secalert@redhat.com, mdroth@linux.vnet.ibm.com, g-sec-cloud
cadence_uart_init() initializes an I/O memory region of size 0x1000
bytes. However in uart_write(), the 'offset' parameter (offset within
region) is divided by 4 and then used to index the array 'r' of size
CADENCE_UART_R_MAX which is much smaller: (0x48/4). If 'offset>>=2'
exceeds CADENCE_UART_R_MAX, this will cause an out-of-bounds memory
write where the offset and the value are controlled by guest.
This will corrupt QEMU memory, in most situations this causes the vm to
crash.
Fix by checking the offset against the array size.
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c
index 486591b..7977878 100644
--- a/hw/char/cadence_uart.c
+++ b/hw/char/cadence_uart.c
@@ -375,6 +375,9 @@ static void uart_write(void *opaque, hwaddr offset,
DB_PRINT(" offset:%x data:%08x\n", (unsigned)offset, (unsigned)value);
offset >>= 2;
+ if (offset >= CADENCE_UART_R_MAX) {
+ return;
+ }
switch (offset) {
case R_IER: /* ier (wts imr) */
s->r[R_IMR] |= value;
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [Qemu-devel] [PATCH] cadence_uart: bounds check write offset
2016-04-18 10:07 ` [Qemu-devel] [PATCH] cadence_uart: bounds check write offset Michael S. Tsirkin
@ 2016-04-18 10:10 ` Peter Maydell
2016-04-18 20:50 ` Alistair Francis
0 siblings, 1 reply; 5+ messages in thread
From: Peter Maydell @ 2016-04-18 10:10 UTC (permalink / raw)
To: Michael S. Tsirkin
Cc: QEMU Developers, 李强, pmatouse@redhat.com,
sstabellini@kernel.org, secalert@redhat.com,
mdroth@linux.vnet.ibm.com, g-sec-cloud, Alistair Francis,
Peter Crosthwaite
CCing the maintainers for this device...
On 18 April 2016 at 11:07, Michael S. Tsirkin <mst@redhat.com> wrote:
> cadence_uart_init() initializes an I/O memory region of size 0x1000
> bytes. However in uart_write(), the 'offset' parameter (offset within
> region) is divided by 4 and then used to index the array 'r' of size
> CADENCE_UART_R_MAX which is much smaller: (0x48/4). If 'offset>>=2'
> exceeds CADENCE_UART_R_MAX, this will cause an out-of-bounds memory
> write where the offset and the value are controlled by guest.
>
> This will corrupt QEMU memory, in most situations this causes the vm to
> crash.
>
> Fix by checking the offset against the array size.
>
> Reported-by: 李强 <liqiang6-s@360.cn>
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
>
> ---
>
> diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c
> index 486591b..7977878 100644
> --- a/hw/char/cadence_uart.c
> +++ b/hw/char/cadence_uart.c
> @@ -375,6 +375,9 @@ static void uart_write(void *opaque, hwaddr offset,
>
> DB_PRINT(" offset:%x data:%08x\n", (unsigned)offset, (unsigned)value);
> offset >>= 2;
> + if (offset >= CADENCE_UART_R_MAX) {
> + return;
> + }
> switch (offset) {
> case R_IER: /* ier (wts imr) */
> s->r[R_IMR] |= value;
thanks
-- PMM
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Qemu-devel] [PATCH] cadence_uart: bounds check write offset
2016-04-18 10:10 ` Peter Maydell
@ 2016-04-18 20:50 ` Alistair Francis
2016-04-19 10:15 ` Peter Maydell
0 siblings, 1 reply; 5+ messages in thread
From: Alistair Francis @ 2016-04-18 20:50 UTC (permalink / raw)
To: Peter Maydell
Cc: Michael S. Tsirkin, sstabellini@kernel.org, pmatouse@redhat.com,
secalert@redhat.com, g-sec-cloud, Peter Crosthwaite,
mdroth@linux.vnet.ibm.com, QEMU Developers, 李强,
Alistair Francis
On Mon, Apr 18, 2016 at 3:10 AM, Peter Maydell <peter.maydell@linaro.org> wrote:
> CCing the maintainers for this device...
>
> On 18 April 2016 at 11:07, Michael S. Tsirkin <mst@redhat.com> wrote:
>> cadence_uart_init() initializes an I/O memory region of size 0x1000
>> bytes. However in uart_write(), the 'offset' parameter (offset within
>> region) is divided by 4 and then used to index the array 'r' of size
>> CADENCE_UART_R_MAX which is much smaller: (0x48/4). If 'offset>>=2'
>> exceeds CADENCE_UART_R_MAX, this will cause an out-of-bounds memory
>> write where the offset and the value are controlled by guest.
>>
>> This will corrupt QEMU memory, in most situations this causes the vm to
>> crash.
>>
>> Fix by checking the offset against the array size.
>>
>> Reported-by: 李强 <liqiang6-s@360.cn>
>> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Good catch.
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Thanks,
Alistair
>>
>> ---
>>
>> diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c
>> index 486591b..7977878 100644
>> --- a/hw/char/cadence_uart.c
>> +++ b/hw/char/cadence_uart.c
>> @@ -375,6 +375,9 @@ static void uart_write(void *opaque, hwaddr offset,
>>
>> DB_PRINT(" offset:%x data:%08x\n", (unsigned)offset, (unsigned)value);
>> offset >>= 2;
>> + if (offset >= CADENCE_UART_R_MAX) {
>> + return;
>> + }
>> switch (offset) {
>> case R_IER: /* ier (wts imr) */
>> s->r[R_IMR] |= value;
>
> thanks
> -- PMM
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Qemu-devel] [PATCH] cadence_uart: bounds check write offset
2016-04-18 20:50 ` Alistair Francis
@ 2016-04-19 10:15 ` Peter Maydell
0 siblings, 0 replies; 5+ messages in thread
From: Peter Maydell @ 2016-04-19 10:15 UTC (permalink / raw)
To: Alistair Francis
Cc: Michael S. Tsirkin, sstabellini@kernel.org, pmatouse@redhat.com,
secalert@redhat.com, g-sec-cloud, Peter Crosthwaite,
mdroth@linux.vnet.ibm.com, QEMU Developers, 李强,
qemu-stable
On 18 April 2016 at 21:50, Alistair Francis <alistair.francis@xilinx.com> wrote:
> On Mon, Apr 18, 2016 at 3:10 AM, Peter Maydell <peter.maydell@linaro.org> wrote:
>> CCing the maintainers for this device...
>>
>> On 18 April 2016 at 11:07, Michael S. Tsirkin <mst@redhat.com> wrote:
>>> cadence_uart_init() initializes an I/O memory region of size 0x1000
>>> bytes. However in uart_write(), the 'offset' parameter (offset within
>>> region) is divided by 4 and then used to index the array 'r' of size
>>> CADENCE_UART_R_MAX which is much smaller: (0x48/4). If 'offset>>=2'
>>> exceeds CADENCE_UART_R_MAX, this will cause an out-of-bounds memory
>>> write where the offset and the value are controlled by guest.
>>>
>>> This will corrupt QEMU memory, in most situations this causes the vm to
>>> crash.
>>>
>>> Fix by checking the offset against the array size.
>>>
>>> Reported-by: 李强 <liqiang6-s@360.cn>
>>> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
>
> Good catch.
>
> Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Applied to master, thanks (so this will be in rc3). I added
a Cc: qemu-stable@nongnu.org tag too.
-- PMM
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Qemu-devel] [engineering.redhat.com #398672] [QEMU-SECURITY] Out-of-bands write in uart_write()
[not found] ` <143C0AFC63FC204CB0C55BB88F3A8ABBE36DC7@EX01.corp.qihoo.net>
@ 2016-04-29 13:08 ` Red Hat Product Security
0 siblings, 0 replies; 5+ messages in thread
From: Red Hat Product Security @ 2016-04-29 13:08 UTC (permalink / raw)
To: alistair.francis, liqiang6-s, mst, peter.maydell
Cc: crosthwaite.peter, g-sec-cloud, mdroth, pmatouse, qemu-devel,
qemu-stable, sstabellini
On Sun Apr 24 22:05:43 2016, liqiang6-s@360.cn wrote:
> Hi, Is there any progress in requesting CVE for this issue ?
>
> -----邮件原件-----
> 发件人: Michael S. Tsirkin [mailto:mst@redhat.com]
> 发送时间: 2016年4月18日 17:29
> 收件人: 李强
> 抄送: Peter Maydell; pmatouse@redhat.com; sstabellini@kernel.org;
> secalert@redhat.com; mdroth@linux.vnet.ibm.com
> 主题: Re: 答复: [QEMU-SECURITY] Out-of-bands write in uart_write()
>
> On Mon, Apr 18, 2016 at 09:26:22AM +0000, 李强 wrote:
> > Sure, it is not related to KVM. But I think it is a security issue
> of qemu, can this issue be assigned a CVE number ?
>
> We'll get back to you on this.
> Meanwhile, could you pls confirm you are okay with posting the patch
> on the public mailing list?
>
Michael,
have you already requested CVE or can we assign it internally? I just want to
make sure we avoid conflicts.
Thanks!
Regards,
--
Adam Mariš / Red Hat Product Security
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2016-04-29 13:09 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <RT-Ticket-398672@engineering.redhat.com>
[not found] ` <143C0AFC63FC204CB0C55BB88F3A8ABBE31B34@EX01.corp.qihoo.net>
2016-04-18 10:07 ` [Qemu-devel] [PATCH] cadence_uart: bounds check write offset Michael S. Tsirkin
2016-04-18 10:10 ` Peter Maydell
2016-04-18 20:50 ` Alistair Francis
2016-04-19 10:15 ` Peter Maydell
[not found] ` <20160418081029.GA30482@redhat.com>
[not found] ` <CAFEAcA9zNW-hdTW4wK9vjCcmAjDKAcfQA+DNKra-jS2d=TLxLQ@mail.gmail.com>
[not found] ` <20160418120139-mutt-send-email-mst@redhat.com>
[not found] ` <143C0AFC63FC204CB0C55BB88F3A8ABBE35B0E@EX01.corp.qihoo.net>
[not found] ` <20160418122728-mutt-send-email-mst@redhat.com>
[not found] ` <143C0AFC63FC204CB0C55BB88F3A8ABBE36DC7@EX01.corp.qihoo.net>
2016-04-29 13:08 ` [Qemu-devel] [engineering.redhat.com #398672] [QEMU-SECURITY] Out-of-bands write in uart_write() Red Hat Product Security
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).