From: P J P <ppandit@redhat.com>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: Qemu Developers <qemu-devel@nongnu.org>,
Paolo Bonzini <pbonzini@redhat.com>,
Huawei PSIRT <PSIRT@huawei.com>
Subject: Re: [Qemu-devel] [PATCH] scsi: esp: check TI buffer index before read/write
Date: Tue, 31 May 2016 10:50:57 +0530 (IST) [thread overview]
Message-ID: <alpine.LFD.2.20.1605311026320.12102@wniryva> (raw)
In-Reply-To: <CAFEAcA8LQ4AQ=-FYpDoNuHB8OWOF+nrBeAvsUPeQc-UTTGng0g@mail.gmail.com>
Hello Peter,
+-- On Mon, 30 May 2016, Peter Maydell wrote --+
| > + } else if (s->ti_rptr < TI_BUFSZ) {
| > s->rregs[ESP_FIFO] = s->ti_buf[s->ti_rptr++];
| > + } else {
| > + trace_esp_error_fifo_overrun();
|
| Isn't this an underrun, not an overrun?
OOB read occurs when 's->ti_rptr' exceeds 'TI_BUFSZ'.
| In any case, something weird seems to be going on here:
| it looks like the amount of data in the fifo should be
| constrained by ti_size (which we're already checking), so
| when can we get into a situation where ti_rptr can
| get beyond the buffer size? It seems to me that we should
| fix whatever that underlying bug is, and then have an
| assert() on ti_rptr here.
|
| > - } else if (s->ti_size == TI_BUFSZ - 1) {
| > + } else if (s->ti_wptr == TI_BUFSZ - 1) {
| > trace_esp_error_fifo_overrun();
|
| Similarly, this looks odd -- the ti_size check should be
| sufficient if the rest of the code is correctly managing
| the ti_size/ti_wptr/ti_rptr values.
Both issues occur as guest could control the value of 's->ti_size' by
alternating between 'esp_reg_write(, ESP_FIFO, )' & 'esp_reg_read(, ESP_FIFO)'
calls. One increases 's->ti_size' and other descreases the same.
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
next prev parent reply other threads:[~2016-05-31 5:21 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-30 18:58 [Qemu-devel] [PATCH] scsi: esp: check TI buffer index before read/write P J P
2016-05-30 20:06 ` Peter Maydell
2016-05-31 5:20 ` P J P [this message]
2016-05-31 7:58 ` Peter Maydell
2016-05-31 11:38 ` P J P
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.LFD.2.20.1605311026320.12102@wniryva \
--to=ppandit@redhat.com \
--cc=PSIRT@huawei.com \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).