From: Prasad J Pandit <pjp@fedoraproject.org>
While reading PCI configuration bytes, a guest may send an
address towards the end of the configuration space. It may lead
to an OOB access issue. Add check to ensure 'address + len' is
within PCI configuration space.
Reported-by: Ren Ding <rding@gatech.edu>
Reported-by: Hanqing Zhao <hanqing@gatech.edu>
Reported-by: Yi Ren <c4tren@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
hw/pci/pci.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/hw/pci/pci.c b/hw/pci/pci.c
index 70c66965f5..4429fa9401 100644
--- a/hw/pci/pci.c
+++ b/hw/pci/pci.c
@@ -1385,7 +1385,9 @@ uint32_t pci_default_read_config(PCIDevice *d,
ranges_overlap(address, len, d->exp.exp_cap + PCI_EXP_LNKSTA, 2)) {
pcie_sync_bridge_lnk(d);
}
- memcpy(&val, d->config + address, len);
+ if (address + len <= pci_config_size(d)) {
+ memcpy(&val, d->config + address, len);
+ }
return le32_to_cpu(val);
}
--
2.26.2
On Wed, Jun 03, 2020 at 06:10:41PM +0530, P J P wrote: > From: Prasad J Pandit <pjp@fedoraproject.org> > > While reading PCI configuration bytes, a guest may send an > address towards the end of the configuration space. It may lead > to an OOB access issue. Add check to ensure 'address + len' is > within PCI configuration space. A malicious guest triggering an OOB access in the host QEMU sounds like a significant security flaw. Do we have a CVE assigned for this ? > > Reported-by: Ren Ding <rding@gatech.edu> > Reported-by: Hanqing Zhao <hanqing@gatech.edu> > Reported-by: Yi Ren <c4tren@gmail.com> > Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> > --- > hw/pci/pci.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/hw/pci/pci.c b/hw/pci/pci.c > index 70c66965f5..4429fa9401 100644 > --- a/hw/pci/pci.c > +++ b/hw/pci/pci.c > @@ -1385,7 +1385,9 @@ uint32_t pci_default_read_config(PCIDevice *d, > ranges_overlap(address, len, d->exp.exp_cap + PCI_EXP_LNKSTA, 2)) { > pcie_sync_bridge_lnk(d); > } > - memcpy(&val, d->config + address, len); > + if (address + len <= pci_config_size(d)) { > + memcpy(&val, d->config + address, len); > + } > return le32_to_cpu(val); > } > > -- > 2.26.2 > > Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
On 6/3/20 2:40 PM, P J P wrote: > From: Prasad J Pandit <pjp@fedoraproject.org> > > While reading PCI configuration bytes, a guest may send an > address towards the end of the configuration space. It may lead > to an OOB access issue. Add check to ensure 'address + len' is > within PCI configuration space. > > Reported-by: Ren Ding <rding@gatech.edu> > Reported-by: Hanqing Zhao <hanqing@gatech.edu> > Reported-by: Yi Ren <c4tren@gmail.com> > Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> > --- > hw/pci/pci.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/hw/pci/pci.c b/hw/pci/pci.c > index 70c66965f5..4429fa9401 100644 > --- a/hw/pci/pci.c > +++ b/hw/pci/pci.c > @@ -1385,7 +1385,9 @@ uint32_t pci_default_read_config(PCIDevice *d, > ranges_overlap(address, len, d->exp.exp_cap + PCI_EXP_LNKSTA, 2)) { > pcie_sync_bridge_lnk(d); > } > - memcpy(&val, d->config + address, len); > + if (address + len <= pci_config_size(d)) { We don't want to hide/ignore earlier bugs, so IMO the caller should check for access in range, and this function abort() as it should never been called with such arguments. > + memcpy(&val, d->config + address, len); > + } > return le32_to_cpu(val); > } > >
© 2016 - 2024 Red Hat, Inc.