[96/97] hw/core/loader: Fix possible crash in rom_copy()

Message ID	20191001234616.7825-97-mdroth@linux.vnet.ibm.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=rCvs=X3=nongnu.org=qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org EA98C20842 From: Michael Roth <mdroth@linux.vnet.ibm.com> To: qemu-devel@nongnu.org Subject: [PATCH 96/97] hw/core/loader: Fix possible crash in rom_copy() Date: Tue, 1 Oct 2019 18:46:15 -0500 Message-Id: <20191001234616.7825-97-mdroth@linux.vnet.ibm.com> In-Reply-To: <20191001234616.7825-1-mdroth@linux.vnet.ibm.com> References: <20191001234616.7825-1-mdroth@linux.vnet.ibm.com> Precedence: list Cc: Thomas Huth <thuth@redhat.com>, qemu-stable@nongnu.org Errors-To: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org Sender: "Qemu-devel" <qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org>
Series	Patch Round-up for stable 4.0.1, freeze on 2019-10-10 \| expand [00/97] Patch Round-up for stable 4.0.1, freeze on 2019-10-10 [01/97] qcow2: Avoid COW during metadata preallocation [02/97] qcow2: Add errp to preallocate_co() [03/97] qcow2: Fix full preallocation with external data file [04/97] megasas: fix mapped frame size [05/97] qcow2: Fix qcow2_make_empty() with external data file [06/97] block: Fix AioContext switch for bs->drv == NULL [07/97] cutils: Fix size_to_str() on 32-bit platforms [08/97] Makefile: add nit-picky mode to sphinx-build [09/97] docs/interop/bitmaps: rewrite and modernize doc [10/97] spapr/xive: fix EQ page addresses above 64GB [11/97] kbd-state: fix autorepeat handling [12/97] usb-tablet: fix serial compat property [13/97] block/file-posix: Unaligned O_DIRECT block-status [14/97] iotests: Test unaligned raw images with O_DIRECT [15/97] s390x/cpumodel: ignore csske for expansion [16/97] blockdev-backup: don't check aio_context too early [17/97] block: Drain source node in bdrv_replace_node() [18/97] iotests: Test commit job start with concurrent I/O [19/97] iotests.py: do not use infinite waits [20/97] QEMUMachine: add events_wait method [21/97] iotests.py: Fix VM.run_job [22/97] iotests.py: rewrite run_job to be pickier [23/97] iotests: add iotest 256 for testing blockdev-backup across iothread contexts [24/97] migration/dirty-bitmaps: change bitmap enumeration method [25/97] vhost: fix vhost_log size overflow during migration [26/97] target/ppc: Fix xvabs[sd]p, xvnabs[sd]p, xvneg[sd]p, xvcpsgn[sd]p [27/97] target/ppc: Fix xvxsigdp [28/97] target/ppc: Fix xxbrq, xxbrw [29/97] target/ppc: Fix vsum2sws [30/97] target/ppc: Fix lxvw4x, lxvh8x and lxvb16x [31/97] q35: Revert to kernel irqchip [32/97] vl: Fix -drive / -blockdev persistent reservation management [33/97] target/i386: add MDS-NO feature [34/97] target/i386: define md-clear bit [35/97] docs: recommend use of md-clear feature on all Intel CPUs [36/97] virtio-pci: fix missing device properties [37/97] usbredir: fix buffer-overflow on vmload [38/97] virtio-balloon: fix QEMU 4.0 config size migration incompatibility [39/97] docs/interop/bitmaps.rst: Fix typos [40/97] sphinx: add qmp_lexer [41/97] docs/bitmaps: use QMP lexer instead of json [42/97] hw/ssi/xilinx_spips: Convert lqspi_read() to read_with_attrs [43/97] hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory [44/97] hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[] [45/97] ioapic: kvm: Skip route updates for masked pins [46/97] i386/acpi: show PCI Express bus on pxb-pcie expanders [47/97] virtio-balloon: Fix wrong sign extension of PFNs [48/97] virtio-balloon: Fix QEMU crashes on pagesize > BALLOON_PAGE_SIZE [49/97] virtio-balloon: Simplify deflate with pbp [50/97] virtio-balloon: Better names for offset variables in inflate/deflate code [51/97] virtio-balloon: Rework pbp tracking data [52/97] virtio-balloon: Use temporary PBP only [53/97] virtio-balloon: don't track subpages for the PBP [54/97] virtio-balloon: free pbp more aggressively [55/97] i386/acpi: fix gint overflow in crs_range_compare [56/97] tpm: Exit in reset when backend indicates failure [57/97] tpm_emulator: Translate TPM error codes to strings [58/97] block/backup: simplify backup_incremental_init_copy_bitmap [59/97] block/backup: move to copy_bitmap with granularity [60/97] block/backup: refactor and tolerate unallocated cluster skipping [61/97] block/backup: unify different modes code path [62/97] block/backup: refactor: split out backup_calculate_cluster_size [63/97] backup: Copy only dirty areas [64/97] iotests: Test backup job with two guest writes [65/97] util/hbitmap: update orig_size on truncate [66/97] iotests: Test incremental backup after truncation [67/97] mirror: Only mirror granularity-aligned chunks [68/97] iotests: Test unaligned blocking mirror write [69/97] block/backup: disable copy_range for compressed backup [70/97] Revert "ide/ahci: Check for -ECANCELED in aio callbacks" [71/97] qcow2: Fix the calculation of the maximum L2 cache size [72/97] dma-helpers: ensure AIO callback is invoked after cancellation [73/97] target/arm: Don't abort on M-profile exception return in linux-user mode [74/97] xen-bus: Fix backend state transition on device reset [75/97] pr-manager: Fix invalid g_free() crash bug [76/97] iotests: add testing shim for script-style python tests [77/97] vpc: Return 0 from vpc_co_create() on success [78/97] iotests: Add supported protocols to execute_test() [79/97] iotests: Restrict file Python tests to file [80/97] iotests: Restrict nbd Python tests to nbd [81/97] iotests: Test blockdev-create for vpc [82/97] libvhost-user: fix SLAVE_SEND_FD handling [83/97] block/create: Do not abort if a block driver is not available [84/97] block/nfs: tear down aio before nfs_close [85/97] blockjob: update nodes head while removing all bdrv [86/97] curl: Keep pointer to the CURLState in CURLSocket [87/97] curl: Keep *socket until the end of curl_sock_cb() [88/97] curl: Check completion in curl_multi_do() [89/97] curl: Pass CURLSocket to curl_multi_do() [90/97] curl: Report only ready sockets [91/97] curl: Handle success in multi_check_completion [92/97] curl: Check curl_multi_add_handle()'s return code [93/97] slirp: Fix heap overflow in ip_reass on big packet input [94/97] slirp: ip_reass: Fix use after free [95/97] s390: PCI: fix IOMMU region init [96/97] hw/core/loader: Fix possible crash in rom_copy() [97/97] scsi: lsi: exit infinite loop while executing script (CVE-2019-12068)

Message ID

20191001234616.7825-97-mdroth@linux.vnet.ibm.com (mailing list archive)

State

New, archived

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org EA98C20842
From: Michael Roth <mdroth@linux.vnet.ibm.com>
To: qemu-devel@nongnu.org
Subject: [PATCH 96/97] hw/core/loader: Fix possible crash in rom_copy()
Date: Tue,  1 Oct 2019 18:46:15 -0500
Message-Id: <20191001234616.7825-97-mdroth@linux.vnet.ibm.com>
In-Reply-To: <20191001234616.7825-1-mdroth@linux.vnet.ibm.com>
References: <20191001234616.7825-1-mdroth@linux.vnet.ibm.com>
Precedence: list
Cc: Thomas Huth <thuth@redhat.com>, qemu-stable@nongnu.org
Errors-To: 
 qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org
Sender: "Qemu-devel"
 <qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org>

Series

Patch Round-up for stable 4.0.1, freeze on 2019-10-10 | expand

Commit Message

Michael Roth Oct. 1, 2019, 11:46 p.m. UTC

From: Thomas Huth <thuth@redhat.com>

Both, "rom->addr" and "addr" are derived from the binary image
that can be loaded with the "-kernel" paramer. The code in
rom_copy() then calculates:

    d = dest + (rom->addr - addr);

and uses "d" as destination in a memcpy() some lines later. Now with
bad kernel images, it is possible that rom->addr is smaller than addr,
thus "rom->addr - addr" gets negative and the memcpy() then tries to
copy contents from the image to a bad memory location. This could
maybe be used to inject code from a kernel image into the QEMU binary,
so we better fix it with an additional sanity check here.

Cc: qemu-stable@nongnu.org
Reported-by: Guangming Liu
Buglink: https://bugs.launchpad.net/qemu/+bug/1844635
Message-Id: <20190925130331.27825-1-thuth@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit e423455c4f23a1a828901c78fe6d03b7dde79319)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/core/loader.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/core/loader.c b/hw/core/loader.c
index fe5cb24122..4ef2095247 100644
--- a/hw/core/loader.c
+++ b/hw/core/loader.c
@@ -1240,7 +1240,7 @@  int rom_copy(uint8_t *dest, hwaddr addr, size_t size)
         if (rom->addr + rom->romsize < addr) {
             continue;
         }
-        if (rom->addr > end) {
+        if (rom->addr > end || rom->addr < addr) {
             break;
         }