* [Qemu-devel] [PATCH] cadence_uart: bounds check write offset [not found] ` <143C0AFC63FC204CB0C55BB88F3A8ABBE31B34@EX01.corp.qihoo.net> @ 2016-04-18 10:07 ` Michael S. Tsirkin 2016-04-18 10:10 ` Peter Maydell [not found] ` <20160418081029.GA30482@redhat.com> 1 sibling, 1 reply; 5+ messages in thread From: Michael S. Tsirkin @ 2016-04-18 10:07 UTC (permalink / raw) To: Peter Maydell, qemu-devel Cc: 李强, pmatouse@redhat.com, sstabellini@kernel.org, secalert@redhat.com, mdroth@linux.vnet.ibm.com, g-sec-cloud cadence_uart_init() initializes an I/O memory region of size 0x1000 bytes. However in uart_write(), the 'offset' parameter (offset within region) is divided by 4 and then used to index the array 'r' of size CADENCE_UART_R_MAX which is much smaller: (0x48/4). If 'offset>>=2' exceeds CADENCE_UART_R_MAX, this will cause an out-of-bounds memory write where the offset and the value are controlled by guest. This will corrupt QEMU memory, in most situations this causes the vm to crash. Fix by checking the offset against the array size. Reported-by: 李强 <liqiang6-s@360.cn> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> --- diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c index 486591b..7977878 100644 --- a/hw/char/cadence_uart.c +++ b/hw/char/cadence_uart.c @@ -375,6 +375,9 @@ static void uart_write(void *opaque, hwaddr offset, DB_PRINT(" offset:%x data:%08x\n", (unsigned)offset, (unsigned)value); offset >>= 2; + if (offset >= CADENCE_UART_R_MAX) { + return; + } switch (offset) { case R_IER: /* ier (wts imr) */ s->r[R_IMR] |= value; ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [Qemu-devel] [PATCH] cadence_uart: bounds check write offset 2016-04-18 10:07 ` [Qemu-devel] [PATCH] cadence_uart: bounds check write offset Michael S. Tsirkin @ 2016-04-18 10:10 ` Peter Maydell 2016-04-18 20:50 ` Alistair Francis 0 siblings, 1 reply; 5+ messages in thread From: Peter Maydell @ 2016-04-18 10:10 UTC (permalink / raw) To: Michael S. Tsirkin Cc: QEMU Developers, 李强, pmatouse@redhat.com, sstabellini@kernel.org, secalert@redhat.com, mdroth@linux.vnet.ibm.com, g-sec-cloud, Alistair Francis, Peter Crosthwaite CCing the maintainers for this device... On 18 April 2016 at 11:07, Michael S. Tsirkin <mst@redhat.com> wrote: > cadence_uart_init() initializes an I/O memory region of size 0x1000 > bytes. However in uart_write(), the 'offset' parameter (offset within > region) is divided by 4 and then used to index the array 'r' of size > CADENCE_UART_R_MAX which is much smaller: (0x48/4). If 'offset>>=2' > exceeds CADENCE_UART_R_MAX, this will cause an out-of-bounds memory > write where the offset and the value are controlled by guest. > > This will corrupt QEMU memory, in most situations this causes the vm to > crash. > > Fix by checking the offset against the array size. > > Reported-by: 李强 <liqiang6-s@360.cn> > Signed-off-by: Michael S. Tsirkin <mst@redhat.com> > > --- > > diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c > index 486591b..7977878 100644 > --- a/hw/char/cadence_uart.c > +++ b/hw/char/cadence_uart.c > @@ -375,6 +375,9 @@ static void uart_write(void *opaque, hwaddr offset, > > DB_PRINT(" offset:%x data:%08x\n", (unsigned)offset, (unsigned)value); > offset >>= 2; > + if (offset >= CADENCE_UART_R_MAX) { > + return; > + } > switch (offset) { > case R_IER: /* ier (wts imr) */ > s->r[R_IMR] |= value; thanks -- PMM ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Qemu-devel] [PATCH] cadence_uart: bounds check write offset 2016-04-18 10:10 ` Peter Maydell @ 2016-04-18 20:50 ` Alistair Francis 2016-04-19 10:15 ` Peter Maydell 0 siblings, 1 reply; 5+ messages in thread From: Alistair Francis @ 2016-04-18 20:50 UTC (permalink / raw) To: Peter Maydell Cc: Michael S. Tsirkin, sstabellini@kernel.org, pmatouse@redhat.com, secalert@redhat.com, g-sec-cloud, Peter Crosthwaite, mdroth@linux.vnet.ibm.com, QEMU Developers, 李强, Alistair Francis On Mon, Apr 18, 2016 at 3:10 AM, Peter Maydell <peter.maydell@linaro.org> wrote: > CCing the maintainers for this device... > > On 18 April 2016 at 11:07, Michael S. Tsirkin <mst@redhat.com> wrote: >> cadence_uart_init() initializes an I/O memory region of size 0x1000 >> bytes. However in uart_write(), the 'offset' parameter (offset within >> region) is divided by 4 and then used to index the array 'r' of size >> CADENCE_UART_R_MAX which is much smaller: (0x48/4). If 'offset>>=2' >> exceeds CADENCE_UART_R_MAX, this will cause an out-of-bounds memory >> write where the offset and the value are controlled by guest. >> >> This will corrupt QEMU memory, in most situations this causes the vm to >> crash. >> >> Fix by checking the offset against the array size. >> >> Reported-by: 李强 <liqiang6-s@360.cn> >> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Good catch. Reviewed-by: Alistair Francis <alistair.francis@xilinx.com> Thanks, Alistair >> >> --- >> >> diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c >> index 486591b..7977878 100644 >> --- a/hw/char/cadence_uart.c >> +++ b/hw/char/cadence_uart.c >> @@ -375,6 +375,9 @@ static void uart_write(void *opaque, hwaddr offset, >> >> DB_PRINT(" offset:%x data:%08x\n", (unsigned)offset, (unsigned)value); >> offset >>= 2; >> + if (offset >= CADENCE_UART_R_MAX) { >> + return; >> + } >> switch (offset) { >> case R_IER: /* ier (wts imr) */ >> s->r[R_IMR] |= value; > > thanks > -- PMM > ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Qemu-devel] [PATCH] cadence_uart: bounds check write offset 2016-04-18 20:50 ` Alistair Francis @ 2016-04-19 10:15 ` Peter Maydell 0 siblings, 0 replies; 5+ messages in thread From: Peter Maydell @ 2016-04-19 10:15 UTC (permalink / raw) To: Alistair Francis Cc: Michael S. Tsirkin, sstabellini@kernel.org, pmatouse@redhat.com, secalert@redhat.com, g-sec-cloud, Peter Crosthwaite, mdroth@linux.vnet.ibm.com, QEMU Developers, 李强, qemu-stable On 18 April 2016 at 21:50, Alistair Francis <alistair.francis@xilinx.com> wrote: > On Mon, Apr 18, 2016 at 3:10 AM, Peter Maydell <peter.maydell@linaro.org> wrote: >> CCing the maintainers for this device... >> >> On 18 April 2016 at 11:07, Michael S. Tsirkin <mst@redhat.com> wrote: >>> cadence_uart_init() initializes an I/O memory region of size 0x1000 >>> bytes. However in uart_write(), the 'offset' parameter (offset within >>> region) is divided by 4 and then used to index the array 'r' of size >>> CADENCE_UART_R_MAX which is much smaller: (0x48/4). If 'offset>>=2' >>> exceeds CADENCE_UART_R_MAX, this will cause an out-of-bounds memory >>> write where the offset and the value are controlled by guest. >>> >>> This will corrupt QEMU memory, in most situations this causes the vm to >>> crash. >>> >>> Fix by checking the offset against the array size. >>> >>> Reported-by: 李强 <liqiang6-s@360.cn> >>> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> > > Good catch. > > Reviewed-by: Alistair Francis <alistair.francis@xilinx.com> Applied to master, thanks (so this will be in rc3). I added a Cc: qemu-stable@nongnu.org tag too. -- PMM ^ permalink raw reply [flat|nested] 5+ messages in thread
[parent not found: <20160418081029.GA30482@redhat.com>]
[parent not found: <CAFEAcA9zNW-hdTW4wK9vjCcmAjDKAcfQA+DNKra-jS2d=TLxLQ@mail.gmail.com>]
[parent not found: <20160418120139-mutt-send-email-mst@redhat.com>]
[parent not found: <143C0AFC63FC204CB0C55BB88F3A8ABBE35B0E@EX01.corp.qihoo.net>]
[parent not found: <20160418122728-mutt-send-email-mst@redhat.com>]
[parent not found: <143C0AFC63FC204CB0C55BB88F3A8ABBE36DC7@EX01.corp.qihoo.net>]
* [Qemu-devel] [engineering.redhat.com #398672] [QEMU-SECURITY] Out-of-bands write in uart_write() [not found] ` <143C0AFC63FC204CB0C55BB88F3A8ABBE36DC7@EX01.corp.qihoo.net> @ 2016-04-29 13:08 ` Red Hat Product Security 0 siblings, 0 replies; 5+ messages in thread From: Red Hat Product Security @ 2016-04-29 13:08 UTC (permalink / raw) To: alistair.francis, liqiang6-s, mst, peter.maydell Cc: crosthwaite.peter, g-sec-cloud, mdroth, pmatouse, qemu-devel, qemu-stable, sstabellini On Sun Apr 24 22:05:43 2016, liqiang6-s@360.cn wrote: > Hi, Is there any progress in requesting CVE for this issue ? > > -----邮件原件----- > 发件人: Michael S. Tsirkin [mailto:mst@redhat.com] > 发送时间: 2016年4月18日 17:29 > 收件人: 李强 > 抄送: Peter Maydell; pmatouse@redhat.com; sstabellini@kernel.org; > secalert@redhat.com; mdroth@linux.vnet.ibm.com > 主题: Re: 答复: [QEMU-SECURITY] Out-of-bands write in uart_write() > > On Mon, Apr 18, 2016 at 09:26:22AM +0000, 李强 wrote: > > Sure, it is not related to KVM. But I think it is a security issue > of qemu, can this issue be assigned a CVE number ? > > We'll get back to you on this. > Meanwhile, could you pls confirm you are okay with posting the patch > on the public mailing list? > Michael, have you already requested CVE or can we assign it internally? I just want to make sure we avoid conflicts. Thanks! Regards, -- Adam Mariš / Red Hat Product Security ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2016-04-29 13:09 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <RT-Ticket-398672@engineering.redhat.com>
[not found] ` <143C0AFC63FC204CB0C55BB88F3A8ABBE31B34@EX01.corp.qihoo.net>
2016-04-18 10:07 ` [Qemu-devel] [PATCH] cadence_uart: bounds check write offset Michael S. Tsirkin
2016-04-18 10:10 ` Peter Maydell
2016-04-18 20:50 ` Alistair Francis
2016-04-19 10:15 ` Peter Maydell
[not found] ` <20160418081029.GA30482@redhat.com>
[not found] ` <CAFEAcA9zNW-hdTW4wK9vjCcmAjDKAcfQA+DNKra-jS2d=TLxLQ@mail.gmail.com>
[not found] ` <20160418120139-mutt-send-email-mst@redhat.com>
[not found] ` <143C0AFC63FC204CB0C55BB88F3A8ABBE35B0E@EX01.corp.qihoo.net>
[not found] ` <20160418122728-mutt-send-email-mst@redhat.com>
[not found] ` <143C0AFC63FC204CB0C55BB88F3A8ABBE36DC7@EX01.corp.qihoo.net>
2016-04-29 13:08 ` [Qemu-devel] [engineering.redhat.com #398672] [QEMU-SECURITY] Out-of-bands write in uart_write() Red Hat Product Security
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).