* [Qemu-devel] QEMU Various Vulnerabilities
From: Kirill A. Shutemov @ 2007-05-02 12:51 UTC (permalink / raw)
  To: qemu-devel


http://secunia.com/advisories/25073/

Any comments ?

-- 
Regards,  Kirill A. Shutemov
 + Belarus, Minsk
 + Velesys LLC, http://www.velesys.com/
 + ALT Linux Team, http://www.altlinux.com/



* Re: [Qemu-devel] QEMU Various Vulnerabilities
From: malc @ 2007-05-02 14:22 UTC (permalink / raw)
  To: qemu-devel


On Wed, 2 May 2007, Kirill A. Shutemov wrote:

> http://secunia.com/advisories/25073/
>
> Any comments ?

AAM - http://lists.gnu.org/archive/html/qemu-devel/2007-04/msg00650.html
SB16/DMA - in attachment

-- 
vale

[-- Attachment #2: Type: TEXT/PLAIN, Size: 1666 bytes --]

Index: hw/dma.c
===================================================================
RCS file: /cvsroot/qemu/qemu/hw/dma.c,v
retrieving revision 1.14
diff -u -r1.14 dma.c
--- hw/dma.c    21 Nov 2005 23:29:55 -0000      1.14
+++ hw/dma.c    2 May 2007 14:23:19 -0000
@@ -438,6 +438,13 @@
     write_cont (d, (0x0d << d->dshift), 0);
 }
 
+static int dma_phony_handler (void *opaque, int nchan, int dma_pos, int dma_len)
+{
+    dolog ("unregistered DMA channel used nchan=%d dma_pos=%d dma_len=%d\n",
+           nchan, dma_pos, dma_len);
+    return dma_pos;
+}
+
 /* dshift = 0: 8 bit DMA, 1 = 16 bit DMA */
 static void dma_init2(struct dma_cont *d, int base, int dshift,
                       int page_base, int pageh_base)
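Review bot: dma_phony_handler's dolog fires on every DMA request the guest issues on an unregistered channel, so the guest sets the host's log volume at DMA rate; warn once per channel (a flag next to transfer_handler in d->regs[nchan]) or rate-limit, since returning dma_pos unchanged (no bytes consumed) is already the safe outcome and the message only needs to be seen once. The opaque argument is unused; a (void)opaque keeps the function warning-free when the file is built with unused-parameter warnings.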
@@ -470,6 +477,9 @@
     }
     qemu_register_reset(dma_reset, d);
     dma_reset(d);
+    for (i = 0; i < LENOFA (d->regs); ++i) {
+        d->regs[i].transfer_handler = dma_phony_handler;
+    }
 }
 
 static void dma_save (QEMUFile *f, void *opaque)
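Review bot: installing the default handler only in dma_init2, after dma_reset(d) has already run, means a later reset does not re-establish it; moving the `d->regs[i].transfer_handler = dma_phony_handler;` loop into dma_reset covers both init (which calls dma_reset) and every subsequent reset with one piece of code. Also confirm that `i` is declared at function scope in dma_init2 rather than only in the earlier loop whose closing brace shows as context above, since the new loop reuses it.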
Index: hw/sb16.c
===================================================================
RCS file: /cvsroot/qemu/qemu/hw/sb16.c,v
retrieving revision 1.23
diff -u -r1.23 sb16.c
--- hw/sb16.c   7 Apr 2007 18:14:41 -0000       1.23
+++ hw/sb16.c   2 May 2007 14:23:19 -0000
@@ -1189,6 +1189,12 @@
     SB16State *s = opaque;
     int till, copy, written, free;
 
+    if (s->block_size <= 0) {
+        dolog ("invalid block size=%d nchan=%d dma_pos=%d dma_len=%d\n",
+               s->block_size, nchan, dma_pos, dma_len);
+        return dma_pos;
+    }
+
     if (s->left_till_irq < 0) {
         s->left_till_irq = s->block_size;
     }
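Review bot: the block_size check sits in the DMA callback, after the guest has already programmed the value, and its dolog fires on every DMA cycle for as long as the bad value stays set, so the guest controls the log volume here too. Validating block_size at the point where the command bytes set it (rejecting values <= 0 and keeping the previous value) stops a bad value from ever reaching `s->left_till_irq = s->block_size;` in the context below; the callback check can then remain as a cheap guard that logs once. Returning dma_pos leaves the transfer pending rather than terminating it; a one-line comment should state that this is intended.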


* Re: [Qemu-devel] QEMU Various Vulnerabilities
From: Kirill A. Shutemov @ 2007-05-03  8:14 UTC (permalink / raw)
  To: qemu-devel


On [Wed, 02.05.2007 18:21], malc wrote:
> On Wed, 2 May 2007, Kirill A. Shutemov wrote:
> 
> >http://secunia.com/advisories/25073/
> >
> >Any comments ?
> 
> AAM - http://lists.gnu.org/archive/html/qemu-devel/2007-04/msg00650.html
> SB16/DMA - in attachment

Thanks. Other Vulnerabilities?

-- 
Regards,  Kirill A. Shutemov
 + Belarus, Minsk
 + Velesys LLC, http://www.velesys.com/
 + ALT Linux Team, http://www.altlinux.com/



* Re: [Qemu-devel] QEMU Various Vulnerabilities
From: Juergen Lock @ 2007-05-03 19:22 UTC (permalink / raw)
  To: k.shutemov; +Cc: qemu-devel

In article <20070503081454.GA17577@localhost.localdomain> Kirill A. Shutemov wrote:
>On [Wed, 02.05.2007 18:21], malc wrote:
>> On Wed, 2 May 2007, Kirill A. Shutemov wrote:
>>
>> >http://secunia.com/advisories/25073/
>> >
>> >Any comments ?
>>
>> AAM - http://lists.gnu.org/archive/html/qemu-devel/2007-04/msg00650.html
>> SB16/DMA - in attachment
>
>Thanks. Other Vulnerabilities?

Yesterday I added the debian security patch (90_security.patch from
	http://security.debian.org/pool/updates/main/q/qemu/qemu_0.8.2-4etch1.diff.gz
) to the FreeBSD qemu ports (had to modify it slightly), cvsweb location
of the one for qemu 0.9.0 is here,
	http://www.freebsd.org/cgi/cvsweb.cgi/ports/emulators/qemu/files/patch-90_security
and the one for the 20070405 cvs snapshot is here,
	http://www.freebsd.org/cgi/cvsweb.cgi/ports/emulators/qemu-devel/files/patch-90_security
(I haven't checked if it still applies to today's cvs, but it might :)

 I also disabled the -vmwarevga acceleration code because of the missing
range checks, cvsweb of that patch is here,
	http://www.freebsd.org/cgi/cvsweb.cgi/ports/emulators/qemu-devel/files/patch-hw-vmware_vga.c

 HTH,
	Juergen


* Re: [Qemu-devel] QEMU Various Vulnerabilities
From: malc @ 2007-05-03 21:13 UTC (permalink / raw)
  To: qemu-devel; +Cc: k.shutemov

On Thu, 3 May 2007, Juergen Lock wrote:

> In article <20070503081454.GA17577@localhost.localdomain> Kirill A. Shutemov wrote:
>> On [Wed, 02.05.2007 18:21], malc wrote:
>>> On Wed, 2 May 2007, Kirill A. Shutemov wrote:
>>>
>>>> http://secunia.com/advisories/25073/
>>>>
>>>> Any comments ?
>>>
>>> AAM - http://lists.gnu.org/archive/html/qemu-devel/2007-04/msg00650.html
>>> SB16/DMA - in attachment
>>
>> Thanks. Other Vulnerabilities?
>
> Yesterday I added the debian security patch (90_security.patch from
> 	http://security.debian.org/pool/updates/main/q/qemu/qemu_0.8.2-4etch1.diff.gz
> ) to the FreeBSD qemu ports (had to modify it slightly), cvsweb location
> of the one for qemu 0.9.0 is here,
> 	http://www.freebsd.org/cgi/cvsweb.cgi/ports/emulators/qemu/files/patch-90_security
> and the one for the 20070405 cvs snapshot is here,
> 	http://www.freebsd.org/cgi/cvsweb.cgi/ports/emulators/qemu-devel/files/patch-90_security
> (I haven't checked if it still applies to today's cvs, but it might :)
>
> I also disabled the -vmwarevga acceleration code because of the missing
> range checks, cvsweb of that patch is here,
> 	http://www.freebsd.org/cgi/cvsweb.cgi/ports/emulators/qemu-devel/files/patch-hw-vmware_vga.c

SB16 patch is wrong - doesn't account for the fact that block_size can be
negative. As for DMA, the way it's done in the patch above is more in line
with what can (probably) be expected of real hardware, but emulators can do
better, basically the two approaches are at the extremes - the above is
way too silent while mine will be way too chatty.

-- 
vale

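The two choices malc contrasts above (a default DMA handler that stays silent versus one that logs on every call) and the SB16 block_size problem, as an added example in C that is neither QEMU's code nor anything posted in this thread. It models a DMA controller whose channels always carry a handler, installed by reset, with a default that consumes nothing and warns once per channel, and an SB16-style device that validates block_size at the point the guest programs it rather than inside the DMA callback. Every name in it (dma_ctl, dma_run, sb16_dev, sb16_set_block_size, MAX_BLOCK_SIZE) is an assumption made for the example.

```c
/* Added example, not QEMU code: a toy DMA controller whose channels always
 * carry a handler, plus an SB16-style device that validates block_size
 * where the guest writes it.  All names are hypothetical. */
#include <stdio.h>

#define NCHANS 8
#define MAX_BLOCK_SIZE 65536   /* assumption: 16-bit count register, plus one */

typedef int (*transfer_handler_t)(void *opaque, int nchan, int dma_pos, int dma_len);

struct dma_channel {
    transfer_handler_t transfer_handler;   /* never NULL after dma_reset() */
    void *opaque;
    unsigned warned;                       /* times the default handler fired */
};

struct dma_ctl { struct dma_channel chan[NCHANS]; };

/* Default for channels no device claimed: consumes nothing and warns once
 * per channel, so a guest hammering it cannot flood the host log. */
static int dma_default_handler(void *opaque, int nchan, int dma_pos, int dma_len)
{
    struct dma_ctl *d = opaque;
    if (d->chan[nchan].warned++ == 0) {
        fprintf(stderr, "dma: unregistered channel %d used (pos=%d len=%d), "
                "further reports suppressed\n", nchan, dma_pos, dma_len);
    }
    return dma_pos;                        /* no bytes transferred */
}

/* Reset installs the default on every channel, so init and every later
 * reset leave no channel without a handler. */
void dma_reset(struct dma_ctl *d)
{
    for (int i = 0; i < NCHANS; i++) {
        d->chan[i].transfer_handler = dma_default_handler;
        d->chan[i].opaque = d;
        d->chan[i].warned = 0;
    }
}

int dma_register_channel(struct dma_ctl *d, int nchan, transfer_handler_t h, void *opaque)
{
    if (nchan < 0 || nchan >= NCHANS || h == NULL) return -1;
    d->chan[nchan].transfer_handler = h;
    d->chan[nchan].opaque = opaque;
    return 0;
}

/* Guest-triggered DMA request: always dispatches through a valid pointer. */
int dma_run(struct dma_ctl *d, int nchan, int dma_pos, int dma_len)
{
    if (nchan < 0 || nchan >= NCHANS || dma_len < 0) return dma_pos;
    struct dma_channel *c = &d->chan[nchan];
    return c->transfer_handler(c->opaque, nchan, dma_pos, dma_len);
}

/* SB16-style state: left_till_irq is reseeded from block_size, so
 * block_size must be known-good before any DMA callback runs. */
struct sb16_dev {
    int block_size;
    int left_till_irq;
};

/* Called where the guest's command bytes set the block size: rejects zero,
 * negative and oversized values and keeps the previous one. */
int sb16_set_block_size(struct sb16_dev *s, int guest_value)
{
    if (guest_value <= 0 || guest_value > MAX_BLOCK_SIZE) {
        fprintf(stderr, "sb16: rejecting block size %d\n", guest_value);
        return -1;
    }
    s->block_size = guest_value;
    return 0;
}

/* Transfer callback: copies up to left_till_irq bytes per call and reseeds
 * from block_size when a block completes (the IRQ would be raised here). */
static int sb16_dma_handler(void *opaque, int nchan, int dma_pos, int dma_len)
{
    struct sb16_dev *s = opaque;
    (void)nchan;
    if (s->left_till_irq <= 0) s->left_till_irq = s->block_size; /* > 0 by construction */
    int copy = dma_len < s->left_till_irq ? dma_len : s->left_till_irq;
    s->left_till_irq -= copy;
    return dma_pos + copy;
}

int main(void)
{
    struct dma_ctl d;
    struct sb16_dev s = { .block_size = 4096, .left_till_irq = -1 };
    dma_reset(&d);
    printf("unregistered channel 5: pos 0 -> %d\n", dma_run(&d, 5, 0, 512));
    printf("set block size 0: %d\n", sb16_set_block_size(&s, 0));
    printf("block size kept: %d\n", s.block_size);
    dma_register_channel(&d, 1, sb16_dma_handler, &s);
    printf("sb16 on channel 1: pos 0 -> %d\n", dma_run(&d, 1, 0, 512));
    return 0;
}
```

Compile with any C99 compiler and run: the default handler prints its warning once no matter how many requests hit channel 5, and a rejected block size leaves the previous value in place, so left_till_irq is never seeded with zero or a negative number and the callback never has to check for it.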
