[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH 16/77] ati-vga: check mm_index before recursive call (CVE-2020-13
From: |
Michael Roth |
Subject: |
[PATCH 16/77] ati-vga: check mm_index before recursive call (CVE-2020-13800) |
Date: |
Thu, 3 Sep 2020 15:58:34 -0500 |
From: Prasad J Pandit <pjp@fedoraproject.org>
While accessing VGA registers via ati_mm_read/write routines,
a guest may set 's->regs.mm_index' such that it leads to infinite
recursion. Check mm_index value to avoid such recursion. Log an
error message for wrong values.
Reported-by: Ren Ding <rding@gatech.edu>
Reported-by: Hanqing Zhao <hanqing@gatech.edu>
Reported-by: Yi Ren <c4tren@gmail.com>
Message-id: 20200604090830.33885-1-ppandit@redhat.com
Suggested-by: BALATON Zoltan <balaton@eik.bme.hu>
Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit a98610c429d52db0937c1e48659428929835c455)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
hw/display/ati.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/hw/display/ati.c b/hw/display/ati.c
index 58ec8291d4..9228f1b242 100644
--- a/hw/display/ati.c
+++ b/hw/display/ati.c
@@ -285,8 +285,11 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr,
unsigned int size)
if (idx <= s->vga.vram_size - size) {
val = ldn_le_p(s->vga.vram_ptr + idx, size);
}
- } else {
+ } else if (s->regs.mm_index > MM_DATA + 3) {
val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);
+ } else {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "ati_mm_read: mm_index too small: %u\n", s->regs.mm_index);
}
break;
case BIOS_0_SCRATCH ... BUS_CNTL - 1:
@@ -520,8 +523,11 @@ static void ati_mm_write(void *opaque, hwaddr addr,
if (idx <= s->vga.vram_size - size) {
stn_le_p(s->vga.vram_ptr + idx, size, data);
}
- } else {
+ } else if (s->regs.mm_index > MM_DATA + 3) {
ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
+ } else {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "ati_mm_write: mm_index too small: %u\n", s->regs.mm_index);
}
break;
case BIOS_0_SCRATCH ... BUS_CNTL - 1:
--
2.17.1
- [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10, Michael Roth, 2020/09/03
- [PATCH 09/77] virtio-balloon: unref the iothread when unrealizing, Michael Roth, 2020/09/03
- [PATCH 11/77] 9pfs: local: ignore O_NOATIME if we don't have permissions, Michael Roth, 2020/09/03
- [PATCH 10/77] block: Call attention to truncation of long NBD exports, Michael Roth, 2020/09/03
- [PATCH 13/77] xen-9pfs: Fix log messages of reply errors, Michael Roth, 2020/09/03
- [PATCH 12/77] 9pfs: include linux/limits.h for XATTR_SIZE_MAX, Michael Roth, 2020/09/03
- [PATCH 15/77] xen/9pfs: yield when there isn't enough room on the ring, Michael Roth, 2020/09/03
- [PATCH 14/77] Revert "9p: init_in_iov_from_pdu can truncate the size", Michael Roth, 2020/09/03
- [PATCH 16/77] ati-vga: check mm_index before recursive call (CVE-2020-13800),
Michael Roth <=
- [PATCH 17/77] es1370: check total frame count against current frame, Michael Roth, 2020/09/03
- [PATCH 18/77] Fix tulip breakage, Michael Roth, 2020/09/03
- [PATCH 19/77] iotests/283: Use consistent size for source and target, Michael Roth, 2020/09/03
- [PATCH 20/77] virtiofsd: add --rlimit-nofile=NUM option, Michael Roth, 2020/09/03
- [PATCH 01/77] hostmem: don't use mbind() if host-nodes is empty, Michael Roth, 2020/09/03
- [PATCH 22/77] net: use peer when purging queue in qemu_flush_or_purge_queue_packets(), Michael Roth, 2020/09/03
- [PATCH 21/77] virtiofsd: stay below fs.file-max sysctl value (CVE-2020-10717), Michael Roth, 2020/09/03
- [PATCH 23/77] KVM: x86: believe what KVM says about WAITPKG, Michael Roth, 2020/09/03
- [PATCH 25/77] aio-posix: disable fdmon-io_uring when GSource is used, Michael Roth, 2020/09/03
- [PATCH 24/77] aio-posix: don't duplicate fd handler deletion in fdmon_io_uring_destroy(), Michael Roth, 2020/09/03