| Message ID | 20170323175851.14342-1-bobby.prani@gmail.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On 03/24/2017 03:58 AM, Pranith Kumar wrote: > Sending again since I messed by pbonzini's email. > > This fixes the bug: 'user-to-root privesc inside VM via bad translation > caching' reported by Jann Horn here: > https://bugs.chromium.org/p/project-zero/issues/detail?id=1122 > > CC: Richard Henderson <rth@twiddle.net> > CC: Peter Maydell <peter.maydell@linaro.org> > CC: Paolo Bonzini <pbonzini@redhat.com> > Reported-by: Jann Horn <jannh@google.com> > Signed-off-by: Pranith Kumar <bobby.prani@gmail.com> > --- > target/i386/translate.c | 7 +++++++ > 1 file changed, 7 insertions(+) Reviewed-by: Richard Henderson <rth@twiddle.net> r~
Queued, thanks. Paolo On 23/03/2017 18:58, Pranith Kumar wrote: > Sending again since I messed by pbonzini's email. > > This fixes the bug: 'user-to-root privesc inside VM via bad translation > caching' reported by Jann Horn here: > https://bugs.chromium.org/p/project-zero/issues/detail?id=1122 > > CC: Richard Henderson <rth@twiddle.net> > CC: Peter Maydell <peter.maydell@linaro.org> > CC: Paolo Bonzini <pbonzini@redhat.com> > Reported-by: Jann Horn <jannh@google.com> > Signed-off-by: Pranith Kumar <bobby.prani@gmail.com> > --- > target/i386/translate.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/target/i386/translate.c b/target/i386/translate.c > index 72c1b03a2a..1d1372fb43 100644 > --- a/target/i386/translate.c > +++ b/target/i386/translate.c > @@ -4418,6 +4418,13 @@ static target_ulong disas_insn(CPUX86State *env, DisasContext *s, > s->vex_l = 0; > s->vex_v = 0; > next_byte: > + /* x86 has an upper limit of 15 bytes for an instruction. Since we > + * do not want to decode and generate IR for an illegal > + * instruction, the following check limits the instruction size to > + * 25 bytes: 14 prefix + 1 opc + 6 (modrm+sib+ofs) + 4 imm */ > + if (s->pc - pc_start > 14) { > + goto illegal_op; > + } > b = cpu_ldub_code(env, s->pc); > s->pc++; > /* Collect prefixes. */ >
diff --git a/target/i386/translate.c b/target/i386/translate.c index 72c1b03a2a..1d1372fb43 100644 --- a/target/i386/translate.c +++ b/target/i386/translate.c @@ -4418,6 +4418,13 @@ static target_ulong disas_insn(CPUX86State *env, DisasContext *s, s->vex_l = 0; s->vex_v = 0; next_byte: + /* x86 has an upper limit of 15 bytes for an instruction. Since we + * do not want to decode and generate IR for an illegal + * instruction, the following check limits the instruction size to + * 25 bytes: 14 prefix + 1 opc + 6 (modrm+sib+ofs) + 4 imm */ + if (s->pc - pc_start > 14) { + goto illegal_op; + } b = cpu_ldub_code(env, s->pc); s->pc++; /* Collect prefixes. */
Sending again since I messed by pbonzini's email. This fixes the bug: 'user-to-root privesc inside VM via bad translation caching' reported by Jann Horn here: https://bugs.chromium.org/p/project-zero/issues/detail?id=1122 CC: Richard Henderson <rth@twiddle.net> CC: Peter Maydell <peter.maydell@linaro.org> CC: Paolo Bonzini <pbonzini@redhat.com> Reported-by: Jann Horn <jannh@google.com> Signed-off-by: Pranith Kumar <bobby.prani@gmail.com> --- target/i386/translate.c | 7 +++++++ 1 file changed, 7 insertions(+)