| Message ID | 20200603124041.1137464-1-ppandit@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | pci: check address before reading configuration bytes | expand |
On Wed, Jun 03, 2020 at 06:10:41PM +0530, P J P wrote: > From: Prasad J Pandit <pjp@fedoraproject.org> > > While reading PCI configuration bytes, a guest may send an > address towards the end of the configuration space. It may lead > to an OOB access issue. Add check to ensure 'address + len' is > within PCI configuration space. A malicious guest triggering an OOB access in the host QEMU sounds like a significant security flaw. Do we have a CVE assigned for this ? > > Reported-by: Ren Ding <rding@gatech.edu> > Reported-by: Hanqing Zhao <hanqing@gatech.edu> > Reported-by: Yi Ren <c4tren@gmail.com> > Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> > --- > hw/pci/pci.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/hw/pci/pci.c b/hw/pci/pci.c > index 70c66965f5..4429fa9401 100644 > --- a/hw/pci/pci.c > +++ b/hw/pci/pci.c > @@ -1385,7 +1385,9 @@ uint32_t pci_default_read_config(PCIDevice *d, > ranges_overlap(address, len, d->exp.exp_cap + PCI_EXP_LNKSTA, 2)) { > pcie_sync_bridge_lnk(d); > } > - memcpy(&val, d->config + address, len); > + if (address + len <= pci_config_size(d)) { > + memcpy(&val, d->config + address, len); > + } > return le32_to_cpu(val); > } > > -- > 2.26.2 > > Regards, Daniel
On 6/3/20 2:40 PM, P J P wrote: > From: Prasad J Pandit <pjp@fedoraproject.org> > > While reading PCI configuration bytes, a guest may send an > address towards the end of the configuration space. It may lead > to an OOB access issue. Add check to ensure 'address + len' is > within PCI configuration space. > > Reported-by: Ren Ding <rding@gatech.edu> > Reported-by: Hanqing Zhao <hanqing@gatech.edu> > Reported-by: Yi Ren <c4tren@gmail.com> > Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> > --- > hw/pci/pci.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/hw/pci/pci.c b/hw/pci/pci.c > index 70c66965f5..4429fa9401 100644 > --- a/hw/pci/pci.c > +++ b/hw/pci/pci.c > @@ -1385,7 +1385,9 @@ uint32_t pci_default_read_config(PCIDevice *d, > ranges_overlap(address, len, d->exp.exp_cap + PCI_EXP_LNKSTA, 2)) { > pcie_sync_bridge_lnk(d); > } > - memcpy(&val, d->config + address, len); > + if (address + len <= pci_config_size(d)) { We don't want to hide/ignore earlier bugs, so IMO the caller should check for access in range, and this function abort() as it should never been called with such arguments. > + memcpy(&val, d->config + address, len); > + } > return le32_to_cpu(val); > } > >
diff --git a/hw/pci/pci.c b/hw/pci/pci.c index 70c66965f5..4429fa9401 100644 --- a/hw/pci/pci.c +++ b/hw/pci/pci.c @@ -1385,7 +1385,9 @@ uint32_t pci_default_read_config(PCIDevice *d, ranges_overlap(address, len, d->exp.exp_cap + PCI_EXP_LNKSTA, 2)) { pcie_sync_bridge_lnk(d); } - memcpy(&val, d->config + address, len); + if (address + len <= pci_config_size(d)) { + memcpy(&val, d->config + address, len); + } return le32_to_cpu(val); }