diff mbox series

i2c: pm_smbus: check smb_index before block transfer write

Message ID 20181206084816.30485-1-ppandit@redhat.com (mailing list archive)
State New, archived
Headers show
Series i2c: pm_smbus: check smb_index before block transfer write | expand

Commit Message

Prasad Pandit Dec. 6, 2018, 8:48 a.m. UTC
From: Prasad J Pandit <pjp@fedoraproject.org>

While performing block transfer write in smb_ioport_writeb(),
'smb_index' is incremented and used to index smb_data[] array.
Check 'smb_index' value to avoid OOB access.

Reported-by: Michael Hanselmann <public@hansmi.ch>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
 hw/i2c/pm_smbus.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

li qiang Dec. 6, 2018, 9:02 a.m. UTC | #1
在 2018/12/6 16:48, P J P 写道:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> While performing block transfer write in smb_ioport_writeb(),
> 'smb_index' is incremented and used to index smb_data[] array.
> Check 'smb_index' value to avoid OOB access.
>
> Reported-by: Michael Hanselmann <public@hansmi.ch>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
>   hw/i2c/pm_smbus.c | 3 +++
>   1 file changed, 3 insertions(+)
>
> diff --git a/hw/i2c/pm_smbus.c b/hw/i2c/pm_smbus.c
> index 685a2378ed..03062740cc 100644
> --- a/hw/i2c/pm_smbus.c
> +++ b/hw/i2c/pm_smbus.c
> @@ -240,6 +240,9 @@ static void smb_ioport_writeb(void *opaque, hwaddr addr, uint64_t val,
>               uint8_t read = s->smb_addr & 0x01;
>   
>               s->smb_index++;
> +            if (s->smb_index >= PM_SMBUS_MAX_MSG_SIZE) {
> +                s->smb_index = 0;
> +            }
>               if (!read && s->smb_index == s->smb_data0) {
>                   uint8_t prot = (s->smb_ctl >> 2) & 0x07;
>                   uint8_t cmd = s->smb_cmd;

Oh... Finally another one find this.....

I've already found this. This is very a serious security issue.

I have wrote a full exploit to make a VM escape using this vulnerability.

This guest can read/write a 4G memory of qemu process by default 
configuration.

As far as I know, this vulnerability may be the most serious 
vulnerability of the qemu history.

Please pay a lot of attention for this issue.

Later I will release the full paper and exploit. It's not harm as this 
is introduced in 3.1

and no one use it now.


Thanks,

Li Qiang
Igor Mammedov Dec. 6, 2018, 9:48 a.m. UTC | #2
On Thu,  6 Dec 2018 14:18:16 +0530
P J P <ppandit@redhat.com> wrote:

> From: Prasad J Pandit <pjp@fedoraproject.org>
> 
> While performing block transfer write in smb_ioport_writeb(),
> 'smb_index' is incremented and used to index smb_data[] array.
> Check 'smb_index' value to avoid OOB access.
> 
> Reported-by: Michael Hanselmann <public@hansmi.ch>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>

Peter,
is it possible for fix to make into 3.1?

> ---
>  hw/i2c/pm_smbus.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/hw/i2c/pm_smbus.c b/hw/i2c/pm_smbus.c
> index 685a2378ed..03062740cc 100644
> --- a/hw/i2c/pm_smbus.c
> +++ b/hw/i2c/pm_smbus.c
> @@ -240,6 +240,9 @@ static void smb_ioport_writeb(void *opaque, hwaddr addr, uint64_t val,
>              uint8_t read = s->smb_addr & 0x01;
>  
>              s->smb_index++;
> +            if (s->smb_index >= PM_SMBUS_MAX_MSG_SIZE) {
> +                s->smb_index = 0;
> +            }
>              if (!read && s->smb_index == s->smb_data0) {
>                  uint8_t prot = (s->smb_ctl >> 2) & 0x07;
>                  uint8_t cmd = s->smb_cmd;
Igor Mammedov Dec. 6, 2018, 9:58 a.m. UTC | #3
On Thu,  6 Dec 2018 14:18:16 +0530
P J P <ppandit@redhat.com> wrote:

> From: Prasad J Pandit <pjp@fedoraproject.org>
> 
> While performing block transfer write in smb_ioport_writeb(),
> 'smb_index' is incremented and used to index smb_data[] array.
> Check 'smb_index' value to avoid OOB access.
> 
> Reported-by: Michael Hanselmann <public@hansmi.ch>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
pls squash in:

Fixes: 38ad4fae43 i2c: pm_smbus: Add block transfer capability

> ---
>  hw/i2c/pm_smbus.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/hw/i2c/pm_smbus.c b/hw/i2c/pm_smbus.c
> index 685a2378ed..03062740cc 100644
> --- a/hw/i2c/pm_smbus.c
> +++ b/hw/i2c/pm_smbus.c
> @@ -240,6 +240,9 @@ static void smb_ioport_writeb(void *opaque, hwaddr addr, uint64_t val,
>              uint8_t read = s->smb_addr & 0x01;
>  
>              s->smb_index++;
> +            if (s->smb_index >= PM_SMBUS_MAX_MSG_SIZE) {
> +                s->smb_index = 0;
> +            }
>              if (!read && s->smb_index == s->smb_data0) {
>                  uint8_t prot = (s->smb_ctl >> 2) & 0x07;
>                  uint8_t cmd = s->smb_cmd;
Peter Maydell Dec. 6, 2018, 10:14 a.m. UTC | #4
On Thu, 6 Dec 2018 at 09:48, Igor Mammedov <imammedo@redhat.com> wrote:
>
> On Thu,  6 Dec 2018 14:18:16 +0530
> P J P <ppandit@redhat.com> wrote:
>
> > From: Prasad J Pandit <pjp@fedoraproject.org>
> >
> > While performing block transfer write in smb_ioport_writeb(),
> > 'smb_index' is incremented and used to index smb_data[] array.
> > Check 'smb_index' value to avoid OOB access.
> >
> > Reported-by: Michael Hanselmann <public@hansmi.ch>
> > Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> Reviewed-by: Igor Mammedov <imammedo@redhat.com>
>
> Peter,
> is it possible for fix to make into 3.1?

This question would have been much better asked on Tuesday...

thanks
-- PMM
li qiang Dec. 6, 2018, 10:14 a.m. UTC | #5
FYI:

http://terenceli.github.io/%E6%8A%80%E6%9C%AF/2018/12/06/qemu-escape


在 2018/12/6 17:02, li qiang 写道:
> 在 2018/12/6 16:48, P J P 写道:
>> From: Prasad J Pandit <pjp@fedoraproject.org>
>>
>> While performing block transfer write in smb_ioport_writeb(),
>> 'smb_index' is incremented and used to index smb_data[] array.
>> Check 'smb_index' value to avoid OOB access.
>>
>> Reported-by: Michael Hanselmann <public@hansmi.ch>
>> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
>> ---
>>    hw/i2c/pm_smbus.c | 3 +++
>>    1 file changed, 3 insertions(+)
>>
>> diff --git a/hw/i2c/pm_smbus.c b/hw/i2c/pm_smbus.c
>> index 685a2378ed..03062740cc 100644
>> --- a/hw/i2c/pm_smbus.c
>> +++ b/hw/i2c/pm_smbus.c
>> @@ -240,6 +240,9 @@ static void smb_ioport_writeb(void *opaque, hwaddr addr, uint64_t val,
>>                uint8_t read = s->smb_addr & 0x01;
>>    
>>                s->smb_index++;
>> +            if (s->smb_index >= PM_SMBUS_MAX_MSG_SIZE) {
>> +                s->smb_index = 0;
>> +            }
>>                if (!read && s->smb_index == s->smb_data0) {
>>                    uint8_t prot = (s->smb_ctl >> 2) & 0x07;
>>                    uint8_t cmd = s->smb_cmd;
> Oh... Finally another one find this.....
>
> I've already found this. This is very a serious security issue.
>
> I have wrote a full exploit to make a VM escape using this vulnerability.
>
> This guest can read/write a 4G memory of qemu process by default
> configuration.
>
> As far as I know, this vulnerability may be the most serious
> vulnerability of the qemu history.
>
> Please pay a lot of attention for this issue.
>
> Later I will release the full paper and exploit. It's not harm as this
> is introduced in 3.1
>
> and no one use it now.
>
>
> Thanks,
>
> Li Qiang
>
>
>
>
Peter Maydell Dec. 6, 2018, 10:16 a.m. UTC | #6
On Thu, 6 Dec 2018 at 09:10, li qiang <liq3ea@outlook.com> wrote:
> Oh... Finally another one find this.....
>
> I've already found this. This is very a serious security issue.

If you find a security issue, we would appreciate it if
you let us know, rather than just waiting to see if
anybody else notices it...

thanks
-- PMM
li qiang Dec. 6, 2018, 10:34 a.m. UTC | #7
在 2018/12/6 18:16, Peter Maydell 写道:
> On Thu, 6 Dec 2018 at 09:10, li qiang<liq3ea@outlook.com>  wrote:
>> Oh... Finally another one find this.....
>>
>> I've already found this. This is very a serious security issue.
> If you find a security issue, we would appreciate it if
> you let us know, rather than just waiting to see if
> anybody else notices it...

I'm sorry for that.

To be perfect, I'm currently trying to write an exp for i440fx.

I intend report it after completing it.

Thanks,
Li Qiang


> thanks
> -- PMM
Peter Maydell Dec. 6, 2018, 10:46 a.m. UTC | #8
On Thu, 6 Dec 2018 at 10:34, li qiang <liq3ea@outlook.com> wrote:
>
>
> 在 2018/12/6 18:16, Peter Maydell 写道:
> > On Thu, 6 Dec 2018 at 09:10, li qiang<liq3ea@outlook.com>  wrote:
> >> Oh... Finally another one find this.....
> >>
> >> I've already found this. This is very a serious security issue.
> > If you find a security issue, we would appreciate it if
> > you let us know, rather than just waiting to see if
> > anybody else notices it...
>
> I'm sorry for that.
>
> To be perfect, I'm currently trying to write an exp for i440fx.
>
> I intend report it after completing it.

Is that an exploit for this bug, or for some other bug?
It's OK (and we recommend) reporting security issues as
"I think this is probably exploitable"; we don't require
a proof-of-concept for security bugs.

thanks
-- PMM
Li Qiang Dec. 6, 2018, 10:59 a.m. UTC | #9
Peter Maydell <peter.maydell@linaro.org> 于2018年12月6日周四 下午6:46写道:

> On Thu, 6 Dec 2018 at 10:34, li qiang <liq3ea@outlook.com> wrote:
> >
> >
> > 在 2018/12/6 18:16, Peter Maydell 写道:
> > > On Thu, 6 Dec 2018 at 09:10, li qiang<liq3ea@outlook.com>  wrote:
> > >> Oh... Finally another one find this.....
> > >>
> > >> I've already found this. This is very a serious security issue.
> > > If you find a security issue, we would appreciate it if
> > > you let us know, rather than just waiting to see if
> > > anybody else notices it...
> >
> > I'm sorry for that.
> >
> > To be perfect, I'm currently trying to write an exp for i440fx.
> >
> > I intend report it after completing it.
>
> Is that an exploit for this bug, or for some other bug?


Just for this. But for now still no exp for i440fx.


> It's OK (and we recommend) reporting security issues as
> "I think this is probably exploitable"; we don't require
> a proof-of-concept for security bugs.
>

Yes, I know that, but as this issue is so good to write a perfect exploit
so I want to do more.

I know the qemu planing and know this issue doesn't affect anyone.
I want to do a perfect work.



Thanks,
Li Qiang


>
> thanks
> -- PMM
>
Peter Maydell Dec. 6, 2018, 11:05 a.m. UTC | #10
On Thu, 6 Dec 2018 at 11:00, Li Qiang <liq3ea@gmail.com> wrote:
> Yes, I know that, but as this issue is so good to write a perfect exploit
> so I want to do more.
>
> I know the qemu planing and know this issue doesn't affect anyone.
> I want to do a perfect work.

The problem is that it does affect other people, because if
Michael hadn't happened to also notice this bug then we would
have released 3.1 next Tuesday with the bug still present.
As it is we'll need to do an extra rc5, which we could have
avoided if we'd known about this bug earlier, on Monday or Tuesday.

thanks
-- PMM
Prasad Pandit Dec. 6, 2018, 11:08 a.m. UTC | #11
+-- On Thu, 6 Dec 2018, Igor Mammedov wrote --+
| > From: Prasad J Pandit <pjp@fedoraproject.org>
| > 
| > While performing block transfer write in smb_ioport_writeb(),
| > 'smb_index' is incremented and used to index smb_data[] array.
| > Check 'smb_index' value to avoid OOB access.
| > 
| > Reported-by: Michael Hanselmann <public@hansmi.ch>
| > Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
| pls squash in:
| 
| Fixes: 38ad4fae43 i2c: pm_smbus: Add block transfer capability

Do we need patch v2, or it can be done while merging it?

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
Li Qiang Dec. 6, 2018, 11:12 a.m. UTC | #12
Peter Maydell <peter.maydell@linaro.org> 于2018年12月6日周四 下午7:05写道:

> On Thu, 6 Dec 2018 at 11:00, Li Qiang <liq3ea@gmail.com> wrote:
> > Yes, I know that, but as this issue is so good to write a perfect exploit
> > so I want to do more.
> >
> > I know the qemu planing and know this issue doesn't affect anyone.
> > I want to do a perfect work.
>
> The problem is that it does affect other people, because if
> Michael hadn't happened to also notice this bug then we would
> have released 3.1 next Tuesday with the bug still present.
> As it is we'll need to do an extra rc5, which we could have
> avoided if we'd known about this bug earlier, on Monday or Tuesday.
>

OK, next time I will report it directly like what I did before.

Thanks,
Li Qiang


>
> thanks
> -- PMM
>
Peter Maydell Dec. 6, 2018, 11:13 a.m. UTC | #13
On Thu, 6 Dec 2018 at 11:12, Li Qiang <liq3ea@gmail.com> wrote:
> OK, next time I will report it directly like what I did before.

Thank you -- I appreciate that.

-- PMM
Peter Maydell Dec. 6, 2018, 11:19 a.m. UTC | #14
On Thu, 6 Dec 2018 at 11:10, P J P <ppandit@redhat.com> wrote:
>
> +-- On Thu, 6 Dec 2018, Igor Mammedov wrote --+
> | > From: Prasad J Pandit <pjp@fedoraproject.org>
> | >
> | > While performing block transfer write in smb_ioport_writeb(),
> | > 'smb_index' is incremented and used to index smb_data[] array.
> | > Check 'smb_index' value to avoid OOB access.
> | >
> | > Reported-by: Michael Hanselmann <public@hansmi.ch>
> | > Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> | pls squash in:
> |
> | Fixes: 38ad4fae43 i2c: pm_smbus: Add block transfer capability
>
> Do we need patch v2, or it can be done while merging it?

I can add in the Fixes line when I apply the patch to master.

It would be good if we could get some Reviewed-by: tags as well.

I think my current view is that we should apply this today,
and tag rc5 this afternoon (or maybe tomorrow?), and do the
final release on schedule on Tuesday.

Is there anything else in the pipeline that should go in rc5?

thanks
-- PMM
Peter Maydell Dec. 6, 2018, 11:22 a.m. UTC | #15
On Thu, 6 Dec 2018 at 11:19, Peter Maydell <peter.maydell@linaro.org> wrote:
>
> On Thu, 6 Dec 2018 at 11:10, P J P <ppandit@redhat.com> wrote:
> >
> > +-- On Thu, 6 Dec 2018, Igor Mammedov wrote --+
> > | > From: Prasad J Pandit <pjp@fedoraproject.org>
> > | >
> > | > While performing block transfer write in smb_ioport_writeb(),
> > | > 'smb_index' is incremented and used to index smb_data[] array.
> > | > Check 'smb_index' value to avoid OOB access.
> > | >
> > | > Reported-by: Michael Hanselmann <public@hansmi.ch>
> > | > Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> > | pls squash in:
> > |
> > | Fixes: 38ad4fae43 i2c: pm_smbus: Add block transfer capability
> >
> > Do we need patch v2, or it can be done while merging it?
>
> I can add in the Fixes line when I apply the patch to master.

Oh, I think we should also add to the commit message something
along the lines of:

"Note that this bug is exploitable by a guest to escape
from the virtual machine. However the commit which
introduced the bug was only made after the 3.0 release,
and so it is not present in any released QEMU version."

to clarify that this is a serious bug but also that it's
not one that will be affecting anybody's production systems.

thanks
-- PMM
li qiang Dec. 6, 2018, 11:33 a.m. UTC | #16
在 2018/12/6 16:48, P J P 写道:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> While performing block transfer write in smb_ioport_writeb(),
> 'smb_index' is incremented and used to index smb_data[] array.
> Check 'smb_index' value to avoid OOB access.
>
> Reported-by: Michael Hanselmann <public@hansmi.ch>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>

Reviewed-by: Li Qiang <liq3ea@gmail.com>

> ---
>   hw/i2c/pm_smbus.c | 3 +++
>   1 file changed, 3 insertions(+)
>
> diff --git a/hw/i2c/pm_smbus.c b/hw/i2c/pm_smbus.c
> index 685a2378ed..03062740cc 100644
> --- a/hw/i2c/pm_smbus.c
> +++ b/hw/i2c/pm_smbus.c
> @@ -240,6 +240,9 @@ static void smb_ioport_writeb(void *opaque, hwaddr addr, uint64_t val,
>               uint8_t read = s->smb_addr & 0x01;
>   
>               s->smb_index++;
> +            if (s->smb_index >= PM_SMBUS_MAX_MSG_SIZE) {
> +                s->smb_index = 0;
> +            }
>               if (!read && s->smb_index == s->smb_data0) {
>                   uint8_t prot = (s->smb_ctl >> 2) & 0x07;
>                   uint8_t cmd = s->smb_cmd;
Michael Hanselmann Dec. 6, 2018, 11:35 a.m. UTC | #17
On 06.12.18 09:48, P J P wrote:
> Reported-by: Michael Hanselmann <public@hansmi.ch>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>

Reviewed-by: Michael Hanselmann <public@hansmi.ch>

Best regards,
Michael
Prasad Pandit Dec. 6, 2018, 12:04 p.m. UTC | #18
+-- On Thu, 6 Dec 2018, Peter Maydell wrote --+
| > > Do we need patch v2, or it can be done while merging it?
| >
| > I can add in the Fixes line when I apply the patch to master.
| 
| Oh, I think we should also add to the commit message something
| along the lines of:
| 
| "Note that this bug is exploitable by a guest to escape
| from the virtual machine. However the commit which
| introduced the bug was only made after the 3.0 release,
| and so it is not present in any released QEMU version."
| 
| to clarify that this is a serious bug but also that it's
| not one that will be affecting anybody's production systems.

Okay, preparing patch v2...
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
Prasad Pandit Dec. 6, 2018, 12:22 p.m. UTC | #19
+-- On Thu, 6 Dec 2018, P J P wrote --+
| | to clarify that this is a serious bug but also that it's
| | not one that will be affecting anybody's production systems.
| 
| Okay, preparing patch v2...

Sent revised patch
  [PATCH v1] i2c: pm_smbus: check smb_index before block transfer write

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
Michael Hanselmann Dec. 6, 2018, 8:16 p.m. UTC | #20
On 06.12.18 09:48, P J P wrote:
> While performing block transfer write in smb_ioport_writeb(),
> 'smb_index' is incremented and used to index smb_data[] array.
> Check 'smb_index' value to avoid OOB access.
> 
> Reported-by: Michael Hanselmann <public@hansmi.ch>

Considering that Li Qiang had already published his exploit for a couple
of hours (at the time of writing the URL is returning an HTTP 404 though
I'd seen it earlier) and with the patch being public I decided to also
publish my report:

https://hansmi.ch/articles/2018-12-qemu-pm-smbus-oob

I'd like to thank Prasad and his colleagues at Red Hat for the quick
response to my report (patch committed within less than 18 hours).

Best regards,
Michael
diff mbox series

Patch

diff --git a/hw/i2c/pm_smbus.c b/hw/i2c/pm_smbus.c
index 685a2378ed..03062740cc 100644
--- a/hw/i2c/pm_smbus.c
+++ b/hw/i2c/pm_smbus.c
@@ -240,6 +240,9 @@  static void smb_ioport_writeb(void *opaque, hwaddr addr, uint64_t val,
             uint8_t read = s->smb_addr & 0x01;
 
             s->smb_index++;
+            if (s->smb_index >= PM_SMBUS_MAX_MSG_SIZE) {
+                s->smb_index = 0;
+            }
             if (!read && s->smb_index == s->smb_data0) {
                 uint8_t prot = (s->smb_ctl >> 2) & 0x07;
                 uint8_t cmd = s->smb_cmd;