From nobody Tue May 14 15:06:38 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=linux.ibm.com Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1645514570831199.13566924706356; Mon, 21 Feb 2022 23:22:50 -0800 (PST) Received: from localhost ([::1]:34032 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1nMPVZ-0002iO-4K for importer@patchew.org; Tue, 22 Feb 2022 02:22:49 -0500 Received: from eggs.gnu.org ([209.51.188.92]:48248) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nMPSE-0000O5-7J for qemu-devel@nongnu.org; Tue, 22 Feb 2022 02:19:24 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:18068) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nMPSB-0002GR-7h for qemu-devel@nongnu.org; Tue, 22 Feb 2022 02:19:21 -0500 Received: from pps.filterd (m0098394.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 21M6BnE4002466; Tue, 22 Feb 2022 07:19:13 GMT Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com with ESMTP id 3ectbfhbgx-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 22 Feb 2022 07:19:13 +0000 Received: from m0098394.ppops.net (m0098394.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 21M6ub94006746; Tue, 22 Feb 2022 07:19:12 GMT Received: from ppma04dal.us.ibm.com (7a.29.35a9.ip4.static.sl-reverse.com [169.53.41.122]) by mx0a-001b2d01.pphosted.com with ESMTP id 3ectbfhbgk-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 22 Feb 2022 07:19:12 +0000 Received: from pps.filterd (ppma04dal.us.ibm.com [127.0.0.1]) by ppma04dal.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 21M7DKII019906; Tue, 22 Feb 2022 07:19:11 GMT Received: from b01cxnp23033.gho.pok.ibm.com (b01cxnp23033.gho.pok.ibm.com [9.57.198.28]) by ppma04dal.us.ibm.com with ESMTP id 3ear6adcdb-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 22 Feb 2022 07:19:11 +0000 Received: from b01ledav004.gho.pok.ibm.com (b01ledav004.gho.pok.ibm.com [9.57.199.109]) by b01cxnp23033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 21M7JAnB31392054 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 22 Feb 2022 07:19:10 GMT Received: from b01ledav004.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 309AE112074; Tue, 22 Feb 2022 07:19:10 +0000 (GMT) Received: from b01ledav004.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 04BDB112061; Tue, 22 Feb 2022 07:19:10 +0000 (GMT) Received: from amdrome3.watson.ibm.com (unknown [9.2.130.16]) by b01ledav004.gho.pok.ibm.com (Postfix) with ESMTP; Tue, 22 Feb 2022 07:19:09 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding; s=pp1; bh=y7j9OqDKNtpf48x1+ELEKuZNTfJGJ6jjmIQahVV9VsA=; b=EWxGT/4Ju1kWyOY6vgCLuBDB6NL4BMyZwZjvT8Dop3vGRagKrPRq29cFe3h/HmOY6fzi S9NNnaMipAA8vXr11xOev1yrOOQ8vhlXM4jWPPw58FylOa8vxZoxSb9Ch68tHR3fYUIz DPgRr3DfILp9N+fAWVYrHnXqAfS2fYRI+eE95QvuUOigWht0xarPKIKy/ZFRXAoBdS82 S9Fqor9OGV5Me7bb1Bx1iWus7hWLzh5BGzSC8FtOdg7KCGWFLTEFRo1T8vlvb10CU2FJ ezEhiYXn6St+jZzs0dfCL9VGDlnTsy/ayy55slOe9QzoplFPZngEC9jDdYUvM5WRzogA hg== From: Dov Murik To: qemu-devel@nongnu.org Subject: [PATCH v3 1/2] hw/i386: Improve bounds checking in OVMF table parsing Date: Tue, 22 Feb 2022 07:19:05 +0000 Message-Id: <20220222071906.2632426-2-dovmurik@linux.ibm.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220222071906.2632426-1-dovmurik@linux.ibm.com> References: <20220222071906.2632426-1-dovmurik@linux.ibm.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: p_wL316xMkPKVLHkH25o3GWAQEB0nlB7 X-Proofpoint-GUID: 1d_HLhyjiemkx0svS2TycnPN3s3tQ5bN X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.816,Hydra:6.0.425,FMLib:17.11.62.513 definitions=2022-02-22_02,2022-02-21_02,2021-12-02_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 adultscore=0 phishscore=0 mlxscore=0 lowpriorityscore=0 bulkscore=0 impostorscore=0 spamscore=0 priorityscore=1501 suspectscore=0 malwarescore=0 clxscore=1015 mlxlogscore=999 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2201110000 definitions=main-2202220040 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=148.163.156.1; envelope-from=dovmurik@linux.ibm.com; helo=mx0a-001b2d01.pphosted.com X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Eduardo Habkost , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , "Michael S. Tsirkin" , James Bottomley , Richard Henderson , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , "Dr. David Alan Gilbert" , Dov Murik , Tobin Feldman-Fitzthum , Gerd Hoffmann , Paolo Bonzini Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZM-MESSAGEID: 1645514574044100002 Content-Type: text/plain; charset="utf-8" When pc_system_parse_ovmf_flash() parses the optional GUIDed table in the end of the OVMF flash memory area, the table length field is checked for sizes that are too small, but doesn't error on sizes that are too big (bigger than the flash content itself). Add a check for maximal size of the OVMF table, and add an error report in case the size is invalid. In such a case, an error like this will be displayed during launch: qemu-system-x86_64: OVMF table has invalid size 4047 and the table parsing is skipped. Signed-off-by: Dov Murik Reviewed-by: Daniel P. Berrang=C3=A9 Reviewed-by: Dr. David Alan Gilbert --- hw/i386/pc_sysfw_ovmf.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/hw/i386/pc_sysfw_ovmf.c b/hw/i386/pc_sysfw_ovmf.c index f4dd92c588..df15c9737b 100644 --- a/hw/i386/pc_sysfw_ovmf.c +++ b/hw/i386/pc_sysfw_ovmf.c @@ -24,6 +24,7 @@ */ =20 #include "qemu/osdep.h" +#include "qemu/error-report.h" #include "hw/i386/pc.h" #include "cpu.h" =20 @@ -66,7 +67,13 @@ void pc_system_parse_ovmf_flash(uint8_t *flash_ptr, size= _t flash_size) ptr -=3D sizeof(uint16_t); tot_len =3D le16_to_cpu(*(uint16_t *)ptr) - sizeof(guid) - sizeof(uint= 16_t); =20 - if (tot_len <=3D 0) { + if (tot_len < 0 || tot_len > (ptr - flash_ptr)) { + error_report("OVMF table has invalid size %d", tot_len); + return; + } + + if (tot_len =3D=3D 0) { + /* no entries in the OVMF table */ return; } =20 --=20 2.25.1 From nobody Tue May 14 15:06:38 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=linux.ibm.com Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1645514571180708.8598523071338; Mon, 21 Feb 2022 23:22:51 -0800 (PST) Received: from localhost ([::1]:34042 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1nMPVZ-0002if-K1 for importer@patchew.org; Tue, 22 Feb 2022 02:22:49 -0500 Received: from eggs.gnu.org ([209.51.188.92]:48268) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nMPSH-0000OW-AP for qemu-devel@nongnu.org; Tue, 22 Feb 2022 02:19:30 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:27686) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nMPSC-0002Gh-MF for qemu-devel@nongnu.org; Tue, 22 Feb 2022 02:19:23 -0500 Received: from pps.filterd (m0098399.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 21M6CxNr001001; Tue, 22 Feb 2022 07:19:16 GMT Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com with ESMTP id 3ectc11ath-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 22 Feb 2022 07:19:16 +0000 Received: from m0098399.ppops.net (m0098399.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 21M6gfDH014433; Tue, 22 Feb 2022 07:19:16 GMT Received: from ppma05wdc.us.ibm.com (1b.90.2fa9.ip4.static.sl-reverse.com [169.47.144.27]) by mx0a-001b2d01.pphosted.com with ESMTP id 3ectc11at6-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 22 Feb 2022 07:19:15 +0000 Received: from pps.filterd (ppma05wdc.us.ibm.com [127.0.0.1]) by ppma05wdc.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 21M7DLT4011940; Tue, 22 Feb 2022 07:19:14 GMT Received: from b01cxnp23033.gho.pok.ibm.com (b01cxnp23033.gho.pok.ibm.com [9.57.198.28]) by ppma05wdc.us.ibm.com with ESMTP id 3ear69mdv6-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 22 Feb 2022 07:19:14 +0000 Received: from b01ledav004.gho.pok.ibm.com (b01ledav004.gho.pok.ibm.com [9.57.199.109]) by b01cxnp23033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 21M7JA8V40632578 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 22 Feb 2022 07:19:10 GMT Received: from b01ledav004.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 73F9F112061; Tue, 22 Feb 2022 07:19:10 +0000 (GMT) Received: from b01ledav004.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 42212112063; Tue, 22 Feb 2022 07:19:10 +0000 (GMT) Received: from amdrome3.watson.ibm.com (unknown [9.2.130.16]) by b01ledav004.gho.pok.ibm.com (Postfix) with ESMTP; Tue, 22 Feb 2022 07:19:10 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding; s=pp1; bh=BoW1YohMfcyxhmq81GnutD4HG/7oCykcBmAwQwIxKmA=; b=Y0+/P2rB38lFOzrk0DGKgIRgGORzBLp4V8A8F6HB5wvpydwElEPrb6dGclGuJ1R7mYOf lOecb/EBy6OnDB9srMcLvBdVzfzq3Yu7potToY6rDPklmcq18VmSadsNtq6q4T1RXcXD neOJnegF/maVFG+JqtTjS/fFh8T6MIWx93JAnf+ulMo1y29okCwg4VbpO9ezUppEUDg6 78mgES4leYXtlQyRj0wf4wwv9j9plS/0N1AsYCiiM3x569XWE2YOByO20MabDkC6YoqH 0n8zQ3q5Hr6M3GKg0nQ+1D6xIKCPmhyNiB+lC/NpAyMWhEuPMvq9L2jJK23X6i2CZ40O mg== From: Dov Murik To: qemu-devel@nongnu.org Subject: [PATCH v3 2/2] hw/i386: Replace magic number with field length calculation Date: Tue, 22 Feb 2022 07:19:06 +0000 Message-Id: <20220222071906.2632426-3-dovmurik@linux.ibm.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220222071906.2632426-1-dovmurik@linux.ibm.com> References: <20220222071906.2632426-1-dovmurik@linux.ibm.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: EiPABOa-1PkILLK4GejOCxSDJPkMeZIk X-Proofpoint-GUID: CkQzLlfKPsyAXLj3CGXl2jJWPS2iHlW9 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.816,Hydra:6.0.425,FMLib:17.11.62.513 definitions=2022-02-22_02,2022-02-21_02,2021-12-02_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 adultscore=0 clxscore=1015 suspectscore=0 lowpriorityscore=0 priorityscore=1501 mlxscore=0 mlxlogscore=897 spamscore=0 bulkscore=0 impostorscore=0 malwarescore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2201110000 definitions=main-2202220040 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=148.163.156.1; envelope-from=dovmurik@linux.ibm.com; helo=mx0a-001b2d01.pphosted.com X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Eduardo Habkost , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , "Michael S. Tsirkin" , James Bottomley , Richard Henderson , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , "Dr. David Alan Gilbert" , Dov Murik , Tobin Feldman-Fitzthum , Gerd Hoffmann , Paolo Bonzini Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZM-MESSAGEID: 1645514574041100001 Content-Type: text/plain; charset="utf-8" Replce the literal magic number 48 with length calculation (32 bytes at the end of the firmware after the table footer + 16 bytes of the OVMF table footer GUID). No functional change intended. Signed-off-by: Dov Murik Reviewed-by: Daniel P. Berrang=C3=A9 --- hw/i386/pc_sysfw_ovmf.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/hw/i386/pc_sysfw_ovmf.c b/hw/i386/pc_sysfw_ovmf.c index df15c9737b..07a4c267fa 100644 --- a/hw/i386/pc_sysfw_ovmf.c +++ b/hw/i386/pc_sysfw_ovmf.c @@ -30,6 +30,8 @@ =20 #define OVMF_TABLE_FOOTER_GUID "96b582de-1fb2-45f7-baea-a366c55a082d" =20 +static const int bytes_after_table_footer =3D 32; + static bool ovmf_flash_parsed; static uint8_t *ovmf_table; static int ovmf_table_len; @@ -53,12 +55,13 @@ void pc_system_parse_ovmf_flash(uint8_t *flash_ptr, siz= e_t flash_size) =20 /* * if this is OVMF there will be a table footer - * guid 48 bytes before the end of the flash file. If it's - * not found, silently abort the flash parsing. + * guid 48 bytes before the end of the flash file + * (=3D 32 bytes after the table + 16 bytes the GUID itself). + * If it's not found, silently abort the flash parsing. */ qemu_uuid_parse(OVMF_TABLE_FOOTER_GUID, &guid); guid =3D qemu_uuid_bswap(guid); /* guids are LE */ - ptr =3D flash_ptr + flash_size - 48; + ptr =3D flash_ptr + flash_size - (bytes_after_table_footer + sizeof(gu= id)); if (!qemu_uuid_is_equal((QemuUUID *)ptr, &guid)) { return; } --=20 2.25.1