[Bug 1914353] Re: QEMU: aarch64: :GIC: out-of-bounds access via interrup

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug 1914353] Re: QEMU: aarch64: :GIC: out-of-bounds access via interrup

From:	Thomas Huth
Subject:	[Bug 1914353] Re: QEMU: aarch64: :GIC: out-of-bounds access via interrupt ID
Date:	Fri, 30 Apr 2021 08:16:32 -0000

Fix has been included here:
https://gitlab.com/qemu-project/qemu/-/commit/edfe2eb4360cde4ed5d95bd

** Changed in: qemu
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1914353

Title:
  QEMU: aarch64: :GIC: out-of-bounds access via interrupt ID

Status in QEMU:
  Fix Released

Bug description:
  Via [qemu-security] list

  +-- On Sun, 31 Jan 2021, Philippe Mathieu-Daudé wrote --+
  | On 1/31/21 11:34 AM, Philippe Mathieu-Daudé wrote:
  | > Per the ARM Generic Interrupt Controller Architecture specification
  | > (document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
  | > not 10:
  | >
  | >    - Table 4-21 GICD_SGIR bit assignments
  | >
  | >    The Interrupt ID of the SGI to forward to the specified CPU
  | >    interfaces. The value of this field is the Interrupt ID, in
  | >    the range 0-15, for example a value of 0b0011 specifies
  | >    Interrupt ID 3.
  | >
  ...
  | > Correct the irq mask to fix an undefined behavior (which eventually
  | > lead to a heap-buffer-overflow, see [Buglink]):
  | >
  | >    $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M 
virt,accel=qtest -qtest stdio
  | >    [I 1612088147.116987] OPENED
  | >  [R +0.278293] writel 0x8000f00 0xff4affb0
  | >  ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for 
type 'uint8_t [16][8]'
  | >  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
../hw/intc/arm_gic.c:1498:13
  | >
  | > Cc: qemu-stable@nongnu.org
  | > Fixes: 9ee6e8bb853 ("ARMv7 support.")
  | > Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
  | > Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
  ...

  On 210202 1221, Peter Maydell wrote:
  > In both cases the overrun is on the first writel to 0x8000f00,
  > but the fuzzer has for some reason not reported that but instead
  > blundered on until it happens to trigger some other issue that
  > resulted from the memory corruption it induced with the first write.
  >
  ...
  > On the CVE:
  >
  > Since this can affect systems using KVM, this is a security bug for
  > us. However, it only affects an uncommon configuration:
  > you are only vulnerable if you are using "kernel-irqchip=off"
  > (the default is 'on', and turning it off is an odd thing to do).
  >
  > thanks
  > -- PMM
  >

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1914353/+subscriptions

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug 1914353] Re: QEMU: aarch64: :GIC: out-of-bounds access via interrupt ID, Thomas Huth <=

Prev by Date: [Bug 1910826] Re: [OSS-Fuzz] Issue 29224 rtl8139: Stack-overflow in rtlNUMBER_transmit_one
Next by Date: [Bug 1879531] Re: Stack-overflow in _eth_get_rss_ex_dst_addr
Previous by thread: [Bug 1910826] Re: [OSS-Fuzz] Issue 29224 rtl8139: Stack-overflow in rtlNUMBER_transmit_one
Next by thread: [Bug 1879531] Re: Stack-overflow in _eth_get_rss_ex_dst_addr
Index(es):
- Date
- Thread