1. Patchew
  2. QEMU
  3. [PATCH v2 0/2] Ensure PCI configuration access is within bounds
  4. View patch

[PATCH v2 1/2] ait-vga: check address before reading configuration bytes

P J P posted 2 patches 5 years, 8 months ago
[PATCH v2 1/2] ait-vga: check address before reading configuration bytes
Posted by P J P 5 years, 8 months ago 
From: Prasad J Pandit <pjp@fedoraproject.org>

While reading PCI configuration bytes, a guest may send an
address towards the end of the configuration space. It may lead
to an OOB access issue. Add check to ensure 'address + size' is
within PCI configuration space.

Reported-by: Ren Ding <rding@gatech.edu>
Reported-by: Hanqing Zhao <hanqing@gatech.edu>
Reported-by: Yi Ren <c4tren@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
 hw/display/ati.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Update v2: add check to avoid OOB PCI configuration space access
  -> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00711.html

diff --git a/hw/display/ati.c b/hw/display/ati.c
index bda4a2d816..6671959e5d 100644
--- a/hw/display/ati.c
+++ b/hw/display/ati.c
@@ -384,7 +384,10 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
         val = s->regs.crtc_pitch;
         break;
     case 0xf00 ... 0xfff:
-        val = pci_default_read_config(&s->dev, addr - 0xf00, size);
+        addr = addr - 0xf00;
+        if (addr + size <= 0xff) {
+            val = pci_default_read_config(&s->dev, addr, size);
+        }
         break;
     case CUR_OFFSET:
         val = s->regs.cur_offset;
-- 
2.26.2
Re: [PATCH v2 1/2] ait-vga: check address before reading configuration bytes
Posted by BALATON Zoltan 5 years, 8 months ago 
On Thu, 4 Jun 2020, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> While reading PCI configuration bytes, a guest may send an
> address towards the end of the configuration space. It may lead
> to an OOB access issue. Add check to ensure 'address + size' is
> within PCI configuration space.
>
> Reported-by: Ren Ding <rding@gatech.edu>
> Reported-by: Hanqing Zhao <hanqing@gatech.edu>
> Reported-by: Yi Ren <c4tren@gmail.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> hw/display/ati.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> Update v2: add check to avoid OOB PCI configuration space access
>  -> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00711.html
>
> diff --git a/hw/display/ati.c b/hw/display/ati.c
> index bda4a2d816..6671959e5d 100644
> --- a/hw/display/ati.c
> +++ b/hw/display/ati.c
> @@ -384,7 +384,10 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
>         val = s->regs.crtc_pitch;
>         break;
>     case 0xf00 ... 0xfff:
> -        val = pci_default_read_config(&s->dev, addr - 0xf00, size);
> +        addr = addr - 0xf00;

I'd write this as addr -= 0xf00 but modifying addr here breaks the trace 
print out at end of function so better drop this line and do

if (addr + size <= 0xfff) {

instead. Or is that really (addr + size - 1 <= 0xfff) considering that 
reading the last byte with addr = 0xfff size = 1 should probably be valid.

Regards,
BALATON Zoltan

> +        if (addr + size <= 0xff) {
> +            val = pci_default_read_config(&s->dev, addr, size);
> +        }
>         break;
>     case CUR_OFFSET:
>         val = s->regs.cur_offset;
>
Re: [PATCH v2 1/2] ait-vga: check address before reading configuration bytes
Posted by Daniel P. Berrangé 5 years, 8 months ago 
Typo: s/ait/ati/

On Thu, Jun 04, 2020 at 01:52:50AM +0530, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
> 
> While reading PCI configuration bytes, a guest may send an
> address towards the end of the configuration space. It may lead
> to an OOB access issue. Add check to ensure 'address + size' is
> within PCI configuration space.

Please include a CVE number for this security flaw if there is
one.

> 
> Reported-by: Ren Ding <rding@gatech.edu>
> Reported-by: Hanqing Zhao <hanqing@gatech.edu>
> Reported-by: Yi Ren <c4tren@gmail.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
>  hw/display/ati.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> Update v2: add check to avoid OOB PCI configuration space access
>   -> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00711.html
> 
> diff --git a/hw/display/ati.c b/hw/display/ati.c
> index bda4a2d816..6671959e5d 100644
> --- a/hw/display/ati.c
> +++ b/hw/display/ati.c
> @@ -384,7 +384,10 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
>          val = s->regs.crtc_pitch;
>          break;
>      case 0xf00 ... 0xfff:
> -        val = pci_default_read_config(&s->dev, addr - 0xf00, size);
> +        addr = addr - 0xf00;
> +        if (addr + size <= 0xff) {
> +            val = pci_default_read_config(&s->dev, addr, size);
> +        }
>          break;
>      case CUR_OFFSET:
>          val = s->regs.cur_offset;
> -- 
> 2.26.2
> 

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
Re: [PATCH v2 1/2] ait-vga: check address before reading configuration bytes
Posted by P J P 5 years, 8 months ago 
  Hello Phil,

+-- On Thu, 4 Jun 2020, Philippe Mathieu-Daudé wrote --+
| >> @@ -1381,6 +1381,8 @@ uint32_t pci_default_read_config(PCIDevice *d,
| >> +    assert(address + len <= pci_config_size(d));
| 
| Yes, maybe I was not clear while reviewing v1, we need to audit the
| callers and fix them first, then we can safely add the assert here.

That's an elaborate task. Could we please make that into another patch series?

+-- On Thu, 4 Jun 2020, Daniel P. Berrangé wrote --+
| On Thu, Jun 04, 2020 at 01:52:50AM +0530, P J P wrote:
| > While reading PCI configuration bytes, a guest may send an
| > address towards the end of the configuration space. It may lead
| > to an OOB access issue. Add check to ensure 'address + size' is
| > within PCI configuration space.
| 
| Please include a CVE number for this security flaw if there is
| one.

Yes. For now I'll send a revised patch to fix this ati-vga OOB access issue.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
Re: [PATCH v2 1/2] ait-vga: check address before reading configuration bytes
Posted by Michael S. Tsirkin 5 years, 8 months ago 
On Thu, Jun 04, 2020 at 02:48:59PM +0530, P J P wrote:
>   Hello Phil,
> 
> +-- On Thu, 4 Jun 2020, Philippe Mathieu-Daudé wrote --+
> | >> @@ -1381,6 +1381,8 @@ uint32_t pci_default_read_config(PCIDevice *d,
> | >> +    assert(address + len <= pci_config_size(d));
> | 
> | Yes, maybe I was not clear while reviewing v1, we need to audit the
> | callers and fix them first, then we can safely add the assert here.
> 
> That's an elaborate task. Could we please make that into another patch series?

So let's make this a separate patch as defence in depth in case
there are more bugs somewhere. Patch 1 is a CVE fix. Patch 2
is not.

> +-- On Thu, 4 Jun 2020, Daniel P. Berrangé wrote --+
> | On Thu, Jun 04, 2020 at 01:52:50AM +0530, P J P wrote:
> | > While reading PCI configuration bytes, a guest may send an
> | > address towards the end of the configuration space. It may lead
> | > to an OOB access issue. Add check to ensure 'address + size' is
> | > within PCI configuration space.
> | 
> | Please include a CVE number for this security flaw if there is
> | one.
> 
> Yes. For now I'll send a revised patch to fix this ati-vga OOB access issue.
> 
> Thank you.
> --
> Prasad J Pandit / Red Hat Product Security Team
> 8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.