Re: [PATCH] ati-vga: Fix checks in ati_2d_blt() to avoid crash

[BALATON Zoltan]

On Sat, 22 Aug 2020, Philippe Mathieu-Daudé wrote:
> On 4/6/20 10:34 PM, BALATON Zoltan wrote:
> > In some corner cases (that never happen during normal operation but a
> > malicious guest could program wrong values) pixman functions were
> > called with parameters that result in a crash. Fix this and add more
> > checks to disallow such cases.
>
> (Fair) question on IRC. Is this patch fixing CVE-2020-24352?
>
> Public on August 14, 2020
>
> Description
>
> An out-of-bounds memory access flaw was found in the ATI VGA device
> implementation of the QEMU emulator. This flaw occurs in the
> ati_2d_blt() routine while handling MMIO write operations through the
> ati_mm_write() callback. A malicious guest could use this flaw to crash
> the QEMU process on the host, resulting in a denial of service.

Probably this patch does not fix all possible malicious register writes a 
guest could do. This was fixing problems reported earlier but then I got 
some more reports around 5.1.0 freeze about some more overruns which I 
could not yet look at and nobody else was fixing it either so it's 
possible some bugs are still left in the checks.

However this is hardly security critical as ati-vga is experimental and 
not fully implemented yet so anyone using it will likely get other 
problems (such as drivers not loading) before a guest could exploit this. 
I think QEMU only considers bugs in parts that are used for virtualisation 
via KVM as security problems so maybe this does not even need a CVE and 
could be normally reported/discussed on the mailing list.

Basically what needs to be done is go through the checks again to verify 
that we don't pass params to pixman or set_dirty that result in access 
outside the video ram area. Probably there's still an off by one error or 
some other mistake. I'll eventually may try to fix it but if anyone is 
sending a patch earlier that's welcome. I don't have much time for QEMU 
now.

Regards,
BALATON Zoltan