From patchwork Fri Oct 18 15:04:01 2013
X-Patchwork-Submitter: Paolo Bonzini
X-Patchwork-Id: 3068231
From: Paolo Bonzini
To: qemu-devel@nongnu.org
Cc: gleb@redhat.com, kvm@vger.kernel.org, Jan Kiszka
Subject: [PULL 3/3] kvmvapic: Prevent reading beyond the end of guest RAM
Date: Fri, 18 Oct 2013 17:04:01 +0200
Message-Id: <1382108641-4862-4-git-send-email-pbonzini@redhat.com>
In-Reply-To: <1382108641-4862-1-git-send-email-pbonzini@redhat.com>
References: <1382108641-4862-1-git-send-email-pbonzini@redhat.com>
X-Mailing-List: kvm@vger.kernel.org

From: Jan Kiszka

rom_state_paddr is guest-provided (caller address of outw(VAPIC_PORT) +
written 16-bit value) and can be influenced to point beyond the end of
the host memory backing the guest's RAM. Make sure we do not use this
pointer to actually read beyond the limits.

Reading arbitrary guest bytes is harmless; the guest kernel has to
manage access to this I/O port anyway.

Signed-off-by: Jan Kiszka
Acked-by: Michael S. Tsirkin
Signed-off-by: Gleb Natapov
---
 hw/i386/kvmvapic.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
index 1c2dbf5..2d87600 100644
--- a/hw/i386/kvmvapic.c
+++ b/hw/i386/kvmvapic.c
@@ -596,6 +596,9 @@ static int vapic_map_rom_writable(VAPICROMState *s) section = memory_region_find(as, 0, 1); /* read ROM size from RAM region */ + if (rom_paddr + 2 >= memory_region_size(section.mr)) { + return -1; + } ram = memory_region_get_ram_ptr(section.mr); rom_size = ram[rom_paddr + 2] * ROM_BLOCK_SIZE; if (rom_size == 0) {
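Review bot: the new bound check only covers the single byte read at `ram[rom_paddr + 2]` on the following line; the `rom_size` derived from that byte (`rom_size = ram[rom_paddr + 2] * ROM_BLOCK_SIZE;`) is what later governs how much of the region gets accessed, and nothing in this hunk shows `rom_paddr + rom_size` being checked against `memory_region_size(section.mr)` as well. Please confirm that a check on the full span exists downstream, or add it here next to this one. Two smaller points: the inserted `if` now sits between the comment `/* read ROM size from RAM region */` and the read that comment describes, so either move the check above the comment or give it its own; and because `rom_paddr` is guest-controlled, a bare `return -1;` leaves no trace when a guest reaches this path, so a trace point or error message here would let operators notice it.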