From: Prasad J Pandit <pjp@fedoraproject.org>
While accessing VGA registers via ati_mm_read/write routines,
a guest may set 's->regs.mm_index' such that it leads to infinite
recursion. Check mm_index value to avoid it.
Reported-by: Ren Ding <rding@gatech.edu>
Reported-by: Hanqing Zhao <hanqing@gatech.edu>
Reported-by: Yi Ren <c4tren@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
hw/display/ati.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Update v2: add check before recursive call
-> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00781.html
diff --git a/hw/display/ati.c b/hw/display/ati.c
index 065f197678..bda4a2d816 100644
--- a/hw/display/ati.c
+++ b/hw/display/ati.c
@@ -285,7 +285,7 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
if (idx <= s->vga.vram_size - size) {
val = ldn_le_p(s->vga.vram_ptr + idx, size);
}
- } else {
+ } else if (s->regs.mm_index > MM_DATA + 3) {
val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);
}
break;
@@ -520,7 +520,7 @@ static void ati_mm_write(void *opaque, hwaddr addr,
if (idx <= s->vga.vram_size - size) {
stn_le_p(s->vga.vram_ptr + idx, size, data);
}
- } else {
+ } else if (s->regs.mm_index > MM_DATA + 3) {
ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
}
break;
--
2.26.2
On 6/3/20 8:55 PM, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> While accessing VGA registers via ati_mm_read/write routines,
> a guest may set 's->regs.mm_index' such that it leads to infinite
> recursion. Check mm_index value to avoid it.
>
> Reported-by: Ren Ding <rding@gatech.edu>
> Reported-by: Hanqing Zhao <hanqing@gatech.edu>
> Reported-by: Yi Ren <c4tren@gmail.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> hw/display/ati.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> Update v2: add check before recursive call
> -> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00781.html
>
> diff --git a/hw/display/ati.c b/hw/display/ati.c
> index 065f197678..bda4a2d816 100644
> --- a/hw/display/ati.c
> +++ b/hw/display/ati.c
> @@ -285,7 +285,7 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
> if (idx <= s->vga.vram_size - size) {
> val = ldn_le_p(s->vga.vram_ptr + idx, size);
> }
> - } else {
> + } else if (s->regs.mm_index > MM_DATA + 3) {
> val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);
We usually log unexpected guest accesses with:
} else {
qemu_log_mask(LOG_GUEST_ERROR, ...
> }
> break;
> @@ -520,7 +520,7 @@ static void ati_mm_write(void *opaque, hwaddr addr,
> if (idx <= s->vga.vram_size - size) {
> stn_le_p(s->vga.vram_ptr + idx, size, data);
> }
> - } else {
> + } else if (s->regs.mm_index > MM_DATA + 3) {
> ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
Ditto:
} else {
qemu_log_mask(LOG_GUEST_ERROR, ...
> }
> break;
>
On Thu, 4 Jun 2020, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> While accessing VGA registers via ati_mm_read/write routines,
> a guest may set 's->regs.mm_index' such that it leads to infinite
> recursion. Check mm_index value to avoid it.
>
> Reported-by: Ren Ding <rding@gatech.edu>
> Reported-by: Hanqing Zhao <hanqing@gatech.edu>
> Reported-by: Yi Ren <c4tren@gmail.com>
Suggested-by: BALATON Zoltan <balaton@eik.bme.hu>
therefore I think this should work but someone else should give
Reviewed-by to cross check this.
Regards,
BALATON Zoltan
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> hw/display/ati.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> Update v2: add check before recursive call
> -> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00781.html
>
> diff --git a/hw/display/ati.c b/hw/display/ati.c
> index 065f197678..bda4a2d816 100644
> --- a/hw/display/ati.c
> +++ b/hw/display/ati.c
> @@ -285,7 +285,7 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
> if (idx <= s->vga.vram_size - size) {
> val = ldn_le_p(s->vga.vram_ptr + idx, size);
> }
> - } else {
> + } else if (s->regs.mm_index > MM_DATA + 3) {
> val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);
> }
> break;
> @@ -520,7 +520,7 @@ static void ati_mm_write(void *opaque, hwaddr addr,
> if (idx <= s->vga.vram_size - size) {
> stn_le_p(s->vga.vram_ptr + idx, size, data);
> }
> - } else {
> + } else if (s->regs.mm_index > MM_DATA + 3) {
> ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
> }
> break;
>
On Thu, Jun 04, 2020 at 12:25:22AM +0530, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> While accessing VGA registers via ati_mm_read/write routines,
> a guest may set 's->regs.mm_index' such that it leads to infinite
> recursion. Check mm_index value to avoid it.
So this is a denial of service security issue. Is there any CVE
assigned for this ?
> Reported-by: Ren Ding <rding@gatech.edu>
> Reported-by: Hanqing Zhao <hanqing@gatech.edu>
> Reported-by: Yi Ren <c4tren@gmail.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> hw/display/ati.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> Update v2: add check before recursive call
> -> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00781.html
>
> diff --git a/hw/display/ati.c b/hw/display/ati.c
> index 065f197678..bda4a2d816 100644
> --- a/hw/display/ati.c
> +++ b/hw/display/ati.c
> @@ -285,7 +285,7 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
> if (idx <= s->vga.vram_size - size) {
> val = ldn_le_p(s->vga.vram_ptr + idx, size);
> }
> - } else {
> + } else if (s->regs.mm_index > MM_DATA + 3) {
> val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);
> }
> break;
> @@ -520,7 +520,7 @@ static void ati_mm_write(void *opaque, hwaddr addr,
> if (idx <= s->vga.vram_size - size) {
> stn_le_p(s->vga.vram_ptr + idx, size, data);
> }
> - } else {
> + } else if (s->regs.mm_index > MM_DATA + 3) {
> ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
> }
> break;
> --
> 2.26.2
>
>
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
+-- On Wed, 3 Jun 2020, Philippe Mathieu-Daudé wrote --+
| > - } else {
| > + } else if (s->regs.mm_index > MM_DATA + 3) {
| > val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);
|
| We usually log unexpected guest accesses with:
|
| } else {
| qemu_log_mask(LOG_GUEST_ERROR, ...
|
| > - } else {
| > + } else if (s->regs.mm_index > MM_DATA + 3) {
| > ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
|
| Ditto:
|
| } else {
| qemu_log_mask(LOG_GUEST_ERROR, ...
+-- On Thu, 4 Jun 2020, Daniel P. Berrangé wrote --+
| On Thu, Jun 04, 2020 at 12:25:22AM +0530, P J P wrote:
| > While accessing VGA registers via ati_mm_read/write routines,
| > a guest may set 's->regs.mm_index' such that it leads to infinite
| > recursion. Check mm_index value to avoid it.
|
| So this is a denial of service security issue. Is there any CVE
| assigned for this ?
Yes, just sent a revised patch v3 with above changes and CVE-ID.
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
© 2016 - 2026 Red Hat, Inc.