qemu-devel.nongnu.org archive mirror
From: "Blue Swirl" <blauwirbel@gmail.com>
To: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [security bug]code_gen_buffer can be overflowed
Date: Sat, 1 Dec 2007 19:51:52 +0200
Message-ID: <f43fc5580712010951w54ea9b0al195f3379517e9bd3@mail.gmail.com>
In-Reply-To: <14101223.post@talk.nabble.com>

On 12/1/07, TeLeMan <geleman@gmail.com> wrote:
>
>
> Blue Swirl-2 wrote:
> >
> > On 11/28/07, TeLeMan <geleman@gmail.com> wrote:
> >>
> >> dyngen_code() can generate more than CODE_GEN_MAX_SIZE bytes,
> >> code_gen_buffer
> >> can be overflowed. I hope this security bug will be fixed soon.
> >
> > Thank you for the analysis. It's true that cpu_gen_code does not pass
> > CODE_GEN_MAX_SIZE (65536) on to gen_intermediate_code and that should
> > be fixed. But gen_intermediate_code can only add OPC_MAX_SIZE (512 -
> > 32) instructions more, so there is no security bug.
> >
> >
>
> This POC is a windows exe and was tested on QEMU v0.9.0 (Guest OS is Windows
> XP SP2).
> This overflow will overwrite the TranslationBlock buffer.
>
> http://www.nabble.com/file/p14101223/qemu-dos.rar qemu-dos.rar

I see my error, gen_intermediate_code produces ops, not host
instructions. For each op several host instructions are generated, for
Sparc32 maximum on my machine is 170 but for ARM this can be 840. In
the worst case, (512 - 32) * 840 = 403200 bytes are generated, thus a
buffer overflow is indeed possible.

I can see a few possible fixes for this.

The buffer size can be increased from 64k to 512k or the buffer can be
allocated dynamically after calculating the maximum instruction size.

OPC_BUF_SIZE can be decreased from 512 to 50.

All ops can be made smaller by introducing more helpers.

dyngen_code loop could check for buffer size.
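The following is an added example, not code from this thread or from QEMU. It models the arithmetic in the message above (OPC_BUF_SIZE - OPC_MAX_SIZE ops, each expanding to up to some maximum number of host bytes, copied into a CODE_GEN_MAX_SIZE buffer) and shows the last of the listed fixes, a size check inside the emission loop. The constants are the ones quoted in the thread; the op template table, its lengths and the fill bytes are constructed for illustration and stand in for real dyngen templates, and all function names are hypothetical.

```c
/* Added example (not QEMU code): models the dyngen_code() emission loop
 * discussed above with a capacity check, and computes the worst-case host
 * code size that a full op buffer can expand to. Constants come from the
 * thread; the op table is constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CODE_GEN_MAX_SIZE 65536   /* host code buffer size quoted in the thread */
#define OPC_BUF_SIZE      512     /* op buffer size quoted in the thread */
#define OPC_MAX_SIZE      32      /* slack reserved at the end of the op buffer */
#define MAX_OPS           (OPC_BUF_SIZE - OPC_MAX_SIZE)

/* Worst-case host bytes a full op buffer expands to, given the largest
 * host template any single op produces (840 for ARM in the thread). */
size_t worst_case_host_bytes(size_t max_template_bytes)
{
    return (size_t)MAX_OPS * max_template_bytes;
}

/* Hypothetical op template table (constructed): each op index maps to a
 * host-code template of fixed length, which the loop below copies. */
struct op_template { const char *name; size_t len; uint8_t fill; };

static const struct op_template op_table[] = {
    { "movl_T0_r0",  4,   0x90 },
    { "addl_T0_T1",  6,   0x91 },
    { "helper_call", 40,  0x92 },
    { "big_op",      840, 0x93 },   /* the ARM-sized worst case quoted above */
};
#define NB_OP_TEMPLATES (sizeof op_table / sizeof op_table[0])

struct gen_result {
    size_t bytes_emitted;  /* host bytes actually written into the buffer */
    int    failed_at;      /* index of the first op that did not fit, or -1 */
};

/* Emission loop with the bounds check the thread proposes: a template that
 * would cross buf + cap is not copied, and the caller learns where it
 * stopped instead of the buffer being overrun. */
struct gen_result dyngen_code_checked(uint8_t *buf, size_t cap,
                                      const int *ops, int nb_ops)
{
    struct gen_result r = { 0, -1 };
    uint8_t *ptr = buf, *end = buf + cap;
    for (int i = 0; i < nb_ops; i++) {
        const struct op_template *t = &op_table[ops[i]];
        if ((size_t)(end - ptr) < t->len) {   /* would overflow: stop here */
            r.failed_at = i;
            break;
        }
        memset(ptr, t->fill, t->len);   /* stands in for copying the template */
        ptr += t->len;
    }
    r.bytes_emitted = (size_t)(ptr - buf);
    return r;
}

/* Translate a full op buffer (MAX_OPS copies of one template) into a
 * CODE_GEN_MAX_SIZE buffer. Returns the index of the first op that did not
 * fit, or -1 if the whole block fit; *bytes_out receives the bytes written. */
int translate_full_block(int template_idx, size_t *bytes_out)
{
    static uint8_t code_gen_buffer[CODE_GEN_MAX_SIZE];
    int ops[MAX_OPS];
    for (int i = 0; i < MAX_OPS; i++)
        ops[i] = template_idx;   /* constructed op list */
    struct gen_result r = dyngen_code_checked(code_gen_buffer, CODE_GEN_MAX_SIZE,
                                              ops, MAX_OPS);
    if (bytes_out)
        *bytes_out = r.bytes_emitted;
    return r.failed_at;
}

int main(void)
{
    printf("worst case at 840 bytes/op: %zu bytes (buffer is %d)\n",
           worst_case_host_bytes(840), CODE_GEN_MAX_SIZE);
    for (size_t i = 0; i < NB_OP_TEMPLATES; i++) {
        size_t n;
        int f = translate_full_block((int)i, &n);
        printf("%-12s x%d: %zu bytes emitted, %s\n", op_table[i].name, MAX_OPS, n,
               f < 0 ? "fits" : "does not fit");
    }
    return 0;
}
```

With the thread's numbers, worst_case_host_bytes(840) is 403200, and the block of 840-byte ops stops after 78 ops (65520 bytes) instead of running past the 65536-byte buffer. The same formula with the Sparc32 figure of 170 bytes per op gives 81600, so the bound alone, without a check in the loop or a larger buffer, is not enough on that host either.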


Thread overview: 5+ messages
2007-11-28  3:37 [Qemu-devel] [security bug]code_gen_buffer can be overflowed TeLeMan
2007-11-30 16:04 ` Blue Swirl
2007-12-01  1:36   ` TeLeMan
2007-12-01 17:51     ` Blue Swirl [this message]
2007-12-09  8:57       ` Blue Swirl
