[v1] tcg/i386: Check the size of instruction being translated

[Qemu-devel] [PATCH] tcg/i386: Check the size of instruction being translated

Posted by Pranith Kumar 7 years ago

Sending again since I messed by pbonzini's email.

This fixes the bug: 'user-to-root privesc inside VM via bad translation
caching' reported by Jann Horn here:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1122

CC: Richard Henderson <rth@twiddle.net>
CC: Peter Maydell <peter.maydell@linaro.org>
CC: Paolo Bonzini <pbonzini@redhat.com>
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Pranith Kumar <bobby.prani@gmail.com>
---
 target/i386/translate.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/target/i386/translate.c b/target/i386/translate.c
index 72c1b03a2a..1d1372fb43 100644
--- a/target/i386/translate.c
+++ b/target/i386/translate.c
@@ -4418,6 +4418,13 @@ static target_ulong disas_insn(CPUX86State *env, DisasContext *s,
     s->vex_l = 0;
     s->vex_v = 0;
  next_byte:
+    /* x86 has an upper limit of 15 bytes for an instruction. Since we
+     * do not want to decode and generate IR for an illegal
+     * instruction, the following check limits the instruction size to
+     * 25 bytes: 14 prefix + 1 opc + 6 (modrm+sib+ofs) + 4 imm */
+    if (s->pc - pc_start > 14) {
+        goto illegal_op;
+    }
     b = cpu_ldub_code(env, s->pc);
     s->pc++;
     /* Collect prefixes.  */
-- 
2.11.0

Re: [Qemu-devel] [PATCH] tcg/i386: Check the size of instruction being translated

Posted by Richard Henderson 7 years ago

On 03/24/2017 03:58 AM, Pranith Kumar wrote:
> Sending again since I messed by pbonzini's email.
>
> This fixes the bug: 'user-to-root privesc inside VM via bad translation
> caching' reported by Jann Horn here:
> https://bugs.chromium.org/p/project-zero/issues/detail?id=1122
>
> CC: Richard Henderson <rth@twiddle.net>
> CC: Peter Maydell <peter.maydell@linaro.org>
> CC: Paolo Bonzini <pbonzini@redhat.com>
> Reported-by: Jann Horn <jannh@google.com>
> Signed-off-by: Pranith Kumar <bobby.prani@gmail.com>
> ---
>  target/i386/translate.c | 7 +++++++
>  1 file changed, 7 insertions(+)

Reviewed-by: Richard Henderson <rth@twiddle.net>


r~

Re: [Qemu-devel] [PATCH] tcg/i386: Check the size of instruction being translated

Posted by Paolo Bonzini 7 years ago

Queued, thanks.

Paolo

On 23/03/2017 18:58, Pranith Kumar wrote:
> Sending again since I messed by pbonzini's email.
> 
> This fixes the bug: 'user-to-root privesc inside VM via bad translation
> caching' reported by Jann Horn here:
> https://bugs.chromium.org/p/project-zero/issues/detail?id=1122
> 
> CC: Richard Henderson <rth@twiddle.net>
> CC: Peter Maydell <peter.maydell@linaro.org>
> CC: Paolo Bonzini <pbonzini@redhat.com>
> Reported-by: Jann Horn <jannh@google.com>
> Signed-off-by: Pranith Kumar <bobby.prani@gmail.com>
> ---
>  target/i386/translate.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/target/i386/translate.c b/target/i386/translate.c
> index 72c1b03a2a..1d1372fb43 100644
> --- a/target/i386/translate.c
> +++ b/target/i386/translate.c
> @@ -4418,6 +4418,13 @@ static target_ulong disas_insn(CPUX86State *env, DisasContext *s,
>      s->vex_l = 0;
>      s->vex_v = 0;
>   next_byte:
> +    /* x86 has an upper limit of 15 bytes for an instruction. Since we
> +     * do not want to decode and generate IR for an illegal
> +     * instruction, the following check limits the instruction size to
> +     * 25 bytes: 14 prefix + 1 opc + 6 (modrm+sib+ofs) + 4 imm */
> +    if (s->pc - pc_start > 14) {
> +        goto illegal_op;
> +    }
>      b = cpu_ldub_code(env, s->pc);
>      s->pc++;
>      /* Collect prefixes.  */
>