Re: [PATCH v2 1/2] ait-vga: check address before reading configuration b

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2 1/2] ait-vga: check address before reading configuration b

From:	Daniel P . Berrangé
Subject:	Re: [PATCH v2 1/2] ait-vga: check address before reading configuration bytes
Date:	Thu, 4 Jun 2020 09:43:18 +0100
User-agent:	Mutt/1.13.4 (2020-02-15)

Typo: s/ait/ati/

On Thu, Jun 04, 2020 at 01:52:50AM +0530, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
> 
> While reading PCI configuration bytes, a guest may send an
> address towards the end of the configuration space. It may lead
> to an OOB access issue. Add check to ensure 'address + size' is
> within PCI configuration space.

Please include a CVE number for this security flaw if there is
one.

> 
> Reported-by: Ren Ding <rding@gatech.edu>
> Reported-by: Hanqing Zhao <hanqing@gatech.edu>
> Reported-by: Yi Ren <c4tren@gmail.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
>  hw/display/ati.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> Update v2: add check to avoid OOB PCI configuration space access
>   -> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00711.html
> 
> diff --git a/hw/display/ati.c b/hw/display/ati.c
> index bda4a2d816..6671959e5d 100644
> --- a/hw/display/ati.c
> +++ b/hw/display/ati.c
> @@ -384,7 +384,10 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, 
> unsigned int size)
>          val = s->regs.crtc_pitch;
>          break;
>      case 0xf00 ... 0xfff:
> -        val = pci_default_read_config(&s->dev, addr - 0xf00, size);
> +        addr = addr - 0xf00;
> +        if (addr + size <= 0xff) {
> +            val = pci_default_read_config(&s->dev, addr, size);
> +        }
>          break;
>      case CUR_OFFSET:
>          val = s->regs.cur_offset;
> -- 
> 2.26.2
> 

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH v2 0/2] Ensure PCI configuration access is within bounds, P J P, 2020/06/03
- [PATCH v2 1/2] ait-vga: check address before reading configuration bytes, P J P, 2020/06/03
  - Re: [PATCH v2 1/2] ait-vga: check address before reading configuration bytes, BALATON Zoltan, 2020/06/03
  - Re: [PATCH v2 1/2] ait-vga: check address before reading configuration bytes, Daniel P . Berrangé <=
    - Re: [PATCH v2 1/2] ait-vga: check address before reading configuration bytes, P J P, 2020/06/04
    - Re: [PATCH v2 1/2] ait-vga: check address before reading configuration bytes, Michael S. Tsirkin, 2020/06/04
- [PATCH v2 2/2] pci: ensure configuration access is within bounds, P J P, 2020/06/03
  - Re: [PATCH v2 2/2] pci: ensure configuration access is within bounds, BALATON Zoltan, 2020/06/03
    - Re: [PATCH v2 2/2] pci: ensure configuration access is within bounds, Gerd Hoffmann, 2020/06/04
    - Re: [PATCH v2 2/2] pci: ensure configuration access is within bounds, Michael S. Tsirkin, 2020/06/04
    - Re: [PATCH v2 2/2] pci: ensure configuration access is within bounds, P J P, 2020/06/04
    - Re: [PATCH v2 2/2] pci: ensure configuration access is within bounds, Philippe Mathieu-Daudé, 2020/06/04
    - Re: [PATCH v2 2/2] pci: ensure configuration access is within bounds, Michael S. Tsirkin, 2020/06/04
    - Re: [PATCH v2 2/2] pci: ensure configuration access is within bounds, BALATON Zoltan, 2020/06/04

Prev by Date: [PATCH] iotests: 194: wait migration completion on target too
Next by Date: Re: [PATCH v2] ati-vga: check mm_index before recursive call
Previous by thread: Re: [PATCH v2 1/2] ait-vga: check address before reading configuration bytes
Next by thread: Re: [PATCH v2 1/2] ait-vga: check address before reading configuration bytes
Index(es):
- Date
- Thread