From: Prasad J Pandit <pjp@fedoraproject.org>
While accessing VGA registers via ati_mm_read/write routines,
a guest may set 's->regs.mm_index' such that it leads to infinite
recursion. Check mm_index value to avoid it.
Reported-by: Ren Ding <rding@gatech.edu>
Reported-by: Hanqing Zhao <hanqing@gatech.edu>
Reported-by: Yi Ren <c4tren@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
hw/display/ati.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Update v2: add check before recursive call
-> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00781.html
diff --git a/hw/display/ati.c b/hw/display/ati.c
index 065f197678..bda4a2d816 100644
--- a/hw/display/ati.c
+++ b/hw/display/ati.c
@@ -285,7 +285,7 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
if (idx <= s->vga.vram_size - size) {
val = ldn_le_p(s->vga.vram_ptr + idx, size);
}
- } else {
+ } else if (s->regs.mm_index > MM_DATA + 3) {
val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);
}
break;
@@ -520,7 +520,7 @@ static void ati_mm_write(void *opaque, hwaddr addr,
if (idx <= s->vga.vram_size - size) {
stn_le_p(s->vga.vram_ptr + idx, size, data);
}
- } else {
+ } else if (s->regs.mm_index > MM_DATA + 3) {
ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
}
break;
--
2.26.2
On 6/3/20 8:55 PM, P J P wrote: > From: Prasad J Pandit <pjp@fedoraproject.org> > > While accessing VGA registers via ati_mm_read/write routines, > a guest may set 's->regs.mm_index' such that it leads to infinite > recursion. Check mm_index value to avoid it. > > Reported-by: Ren Ding <rding@gatech.edu> > Reported-by: Hanqing Zhao <hanqing@gatech.edu> > Reported-by: Yi Ren <c4tren@gmail.com> > Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> > --- > hw/display/ati.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > Update v2: add check before recursive call > -> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00781.html > > diff --git a/hw/display/ati.c b/hw/display/ati.c > index 065f197678..bda4a2d816 100644 > --- a/hw/display/ati.c > +++ b/hw/display/ati.c > @@ -285,7 +285,7 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size) > if (idx <= s->vga.vram_size - size) { > val = ldn_le_p(s->vga.vram_ptr + idx, size); > } > - } else { > + } else if (s->regs.mm_index > MM_DATA + 3) { > val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size); We usually log unexpected guest accesses with: } else { qemu_log_mask(LOG_GUEST_ERROR, ... > } > break; > @@ -520,7 +520,7 @@ static void ati_mm_write(void *opaque, hwaddr addr, > if (idx <= s->vga.vram_size - size) { > stn_le_p(s->vga.vram_ptr + idx, size, data); > } > - } else { > + } else if (s->regs.mm_index > MM_DATA + 3) { > ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size); Ditto: } else { qemu_log_mask(LOG_GUEST_ERROR, ... > } > break; >
On Thu, 4 Jun 2020, P J P wrote: > From: Prasad J Pandit <pjp@fedoraproject.org> > > While accessing VGA registers via ati_mm_read/write routines, > a guest may set 's->regs.mm_index' such that it leads to infinite > recursion. Check mm_index value to avoid it. > > Reported-by: Ren Ding <rding@gatech.edu> > Reported-by: Hanqing Zhao <hanqing@gatech.edu> > Reported-by: Yi Ren <c4tren@gmail.com> Suggested-by: BALATON Zoltan <balaton@eik.bme.hu> therefore I think this should work but someone else should give Reviewed-by to cross check this. Regards, BALATON Zoltan > Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> > --- > hw/display/ati.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > Update v2: add check before recursive call > -> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00781.html > > diff --git a/hw/display/ati.c b/hw/display/ati.c > index 065f197678..bda4a2d816 100644 > --- a/hw/display/ati.c > +++ b/hw/display/ati.c > @@ -285,7 +285,7 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size) > if (idx <= s->vga.vram_size - size) { > val = ldn_le_p(s->vga.vram_ptr + idx, size); > } > - } else { > + } else if (s->regs.mm_index > MM_DATA + 3) { > val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size); > } > break; > @@ -520,7 +520,7 @@ static void ati_mm_write(void *opaque, hwaddr addr, > if (idx <= s->vga.vram_size - size) { > stn_le_p(s->vga.vram_ptr + idx, size, data); > } > - } else { > + } else if (s->regs.mm_index > MM_DATA + 3) { > ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size); > } > break; >
On Thu, Jun 04, 2020 at 12:25:22AM +0530, P J P wrote: > From: Prasad J Pandit <pjp@fedoraproject.org> > > While accessing VGA registers via ati_mm_read/write routines, > a guest may set 's->regs.mm_index' such that it leads to infinite > recursion. Check mm_index value to avoid it. So this is a denial of service security issue. Is there any CVE assigned for this ? > Reported-by: Ren Ding <rding@gatech.edu> > Reported-by: Hanqing Zhao <hanqing@gatech.edu> > Reported-by: Yi Ren <c4tren@gmail.com> > Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> > --- > hw/display/ati.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > Update v2: add check before recursive call > -> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00781.html > > diff --git a/hw/display/ati.c b/hw/display/ati.c > index 065f197678..bda4a2d816 100644 > --- a/hw/display/ati.c > +++ b/hw/display/ati.c > @@ -285,7 +285,7 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size) > if (idx <= s->vga.vram_size - size) { > val = ldn_le_p(s->vga.vram_ptr + idx, size); > } > - } else { > + } else if (s->regs.mm_index > MM_DATA + 3) { > val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size); > } > break; > @@ -520,7 +520,7 @@ static void ati_mm_write(void *opaque, hwaddr addr, > if (idx <= s->vga.vram_size - size) { > stn_le_p(s->vga.vram_ptr + idx, size, data); > } > - } else { > + } else if (s->regs.mm_index > MM_DATA + 3) { > ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size); > } > break; > -- > 2.26.2 > > Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
+-- On Wed, 3 Jun 2020, Philippe Mathieu-Daudé wrote --+ | > - } else { | > + } else if (s->regs.mm_index > MM_DATA + 3) { | > val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size); | | We usually log unexpected guest accesses with: | | } else { | qemu_log_mask(LOG_GUEST_ERROR, ... | | > - } else { | > + } else if (s->regs.mm_index > MM_DATA + 3) { | > ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size); | | Ditto: | | } else { | qemu_log_mask(LOG_GUEST_ERROR, ... +-- On Thu, 4 Jun 2020, Daniel P. Berrangé wrote --+ | On Thu, Jun 04, 2020 at 12:25:22AM +0530, P J P wrote: | > While accessing VGA registers via ati_mm_read/write routines, | > a guest may set 's->regs.mm_index' such that it leads to infinite | > recursion. Check mm_index value to avoid it. | | So this is a denial of service security issue. Is there any CVE | assigned for this ? Yes, just sent a revised patch v3 with above changes and CVE-ID. Thank you. -- Prasad J Pandit / Red Hat Product Security Team 8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
© 2016 - 2024 Red Hat, Inc.