From: "Blue Swirl"
Date: Sun, 9 Dec 2007 10:57:56 +0200
To: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [security bug]code_gen_buffer can be overflowed
References: <13985284.post@talk.nabble.com> <14101223.post@talk.nabble.com>

On 12/1/07, Blue Swirl wrote:
> On 12/1/07, TeLeMan wrote:
> >
> > Blue Swirl-2 wrote:
> > >
> > > On 11/28/07, TeLeMan wrote:
> > >>
> > >> dyngen_code() can generate more than CODE_GEN_MAX_SIZE bytes,
> > >> code_gen_buffer can be overflowed. I hope this security bug will be
> > >> fixed soon.
> > >
> > > Thank you for the analysis. It's true that cpu_gen_code does not pass
> > > CODE_GEN_MAX_SIZE (65536) on to gen_intermediate_code and that should
> > > be fixed. But gen_intermediate_code can only add OPC_MAX_SIZE (512 -
> > > 32) instructions more, so there is no security bug.
> >
> > This POC is a Windows exe and was tested on QEMU v0.9.0 (Guest OS is
> > Windows XP SP2). This overflow will overwrite the TranslationBlock
> > buffer.
> >
> > http://www.nabble.com/file/p14101223/qemu-dos.rar qemu-dos.rar
>
> I see my error, gen_intermediate_code produces ops, not host
> instructions. For each op several host instructions are generated; for
> Sparc32 the maximum on my machine is 170, but for ARM this can be 840. In
> the worst case, (512 - 32) * 840 = 403200 bytes are generated, thus a
> buffer overflow is indeed possible.
>
> I can see a few possible fixes for this.
>
> The buffer size can be increased from 64k to 512k, or the buffer can be
> allocated dynamically after calculating the maximum instruction size.
>
> OPC_BUF_SIZE can be decreased from 512 to 50.
>
> All ops can be made smaller by introducing more helpers.
>
> The dyngen_code loop could check for buffer size.

Actually the buffer size is OK, but the safety margin was not large
enough. In this patch the margin is calculated from the maximum block
size. GCC could calculate the maximum at compile time, but it doesn't, so
the code is not optimal. Any suggestions for more advanced CPP magic to
calculate the maximum of a list of constants?

The patch works for the Sparc target on an x86_64 host. I didn't test
other combinations, so especially the ARM target on RISC hosts with larger
generated code (ia64?) and/or a smaller CODE_GEN_BUFFER_SIZE (alpha)
should be checked. The maximum should not exceed the buffer size, or no
code can be generated. In that case, OPC_BUF_SIZE should also be
decreased.

Because of the security aspects, I think it's better to commit this
pretty soon and not wait for confirmation for all host/target
combinations. If some combination happens to break, it can be fixed
quickly.
[Attachment: fix_code_gen_of.diff (text/x-diff), sent base64-encoded in the original message]
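The margin calculation the message describes, as an added example that is not part of the original mail or of QEMU's own code: a small C model in which the worst-case block size is the largest per-op host-code size times OPC_MAX_SIZE, the flush threshold is the buffer size minus the margin, and the old fixed 64 KiB margin is compared with the computed one. The op size table, the 16 MiB buffer size and the helper names flush_threshold, block_overflows and margin_is_safe are constructed assumptions; the figures 512, 32 and 840 are the ones quoted in the thread.

```c
#include <stddef.h>

/* Figures quoted in the thread: a 512-entry op buffer with a 32-entry
 * reserve, and the old fixed safety margin of 64 KiB. */
#define OPC_BUF_SIZE         512
#define OPC_MAX_SIZE         (OPC_BUF_SIZE - 32)
#define CODE_GEN_MAX_SIZE    65536
/* Hypothetical host code buffer size (assumption for this example). */
#define CODE_GEN_BUFFER_SIZE (16 * 1024 * 1024)

/* Constructed stand-in for the per-op copy_size table that the real code
 * pulls in from opc.h; the largest entry is the 840 bytes quoted for ARM. */
static const unsigned long op_copy_sizes[] = { 12, 48, 170, 840, 96, 33 };

/* Same idea as the patch's code_gen_max_block_size(): the worst case is
 * every one of OPC_MAX_SIZE ops expanding to the largest host template. */
unsigned long code_gen_max_block_size(void)
{
    static unsigned long max;
    if (max == 0) {
        size_t i;
        for (i = 0; i < sizeof op_copy_sizes / sizeof op_copy_sizes[0]; i++)
            max = op_copy_sizes[i] > max ? op_copy_sizes[i] : max;
        max *= OPC_MAX_SIZE;
    }
    return max;
}

/* Flush threshold: the buffer is flushed once the write pointer reaches
 * it, so a block may still start at any offset below the threshold. */
unsigned long flush_threshold(unsigned long margin)
{
    return CODE_GEN_BUFFER_SIZE - margin;
}

/* Returns 1 if a block of block_size bytes starting at offset start
 * would run past the end of the host code buffer. */
int block_overflows(unsigned long start, unsigned long block_size)
{
    return start + block_size > CODE_GEN_BUFFER_SIZE;
}

/* Worst case: the largest possible block starts at the last offset the
 * threshold still allows (one byte below it). Returns 1 if it fits. */
int margin_is_safe(unsigned long margin)
{
    unsigned long start = flush_threshold(margin) - 1;
    return !block_overflows(start, code_gen_max_block_size());
}
```

With the constructed table the worst-case block is 403200 bytes, so the fixed 65536-byte margin is insufficient while a margin derived from code_gen_max_block_size() is.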