Re: [Qemu-devel] [PATCH v2 2/9] ccid-card-passthru: Replace never trigge

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH v2 2/9] ccid-card-passthru: Replace never trigge

From:	Marc-André Lureau
Subject:	Re: [Qemu-devel] [PATCH v2 2/9] ccid-card-passthru: Replace never trigger if statement by an assertion
Date:	Fri, 15 Feb 2019 11:59:34 +0100

Hi

On Thu, Feb 14, 2019 at 9:20 PM Philippe Mathieu-Daudé
<address@hidden> wrote:
>
> The right side of the comparison is the return value of can_read():
> VSCARD_IN_SIZE - card->vscard_in_pos.
> Since the 'size' argument of chardev::read() is bound to
> what chardev::can_read() returns, this condition can never happen.

I think so too, because vscard_in_pos is unchanged between the 2
callbacks (or set to 0 in break event).

>
> Add an assertion, which will always fail if card->vscard_in_pos >=
> VSCARD_IN_SIZE), since size > 0.

If "size > VSCARD_IN_SIZE - card->vscard_in_pos" this is a chardev
bug. But which backend does that?

Iow, did we ever reach the "no room for data" error?

>
> This is a quick fix for CVE-2018-18438 "Integer overflow in
> ccid_card_vscard_read() allows memory corruption".

I have a hard time to find how that memory corruption can happen. It
would be a broken chardev (one calling qemu_chr_be_write() with a size
bigger than qemu_chr_be_can_write()). It would need to be fixed. But
which one does that?

>
> Fixes: CVE-2018-18438
> Reported-by: Arash Tohidi Chafi <address@hidden>
> Suggested-by: Paolo Bonzini <address@hidden>
> Signed-off-by: Philippe Mathieu-Daudé <address@hidden>
> ---
>  hw/usb/ccid-card-passthru.c | 14 +-------------
>  1 file changed, 1 insertion(+), 13 deletions(-)
>
> diff --git a/hw/usb/ccid-card-passthru.c b/hw/usb/ccid-card-passthru.c
> index 8bb1314f49..1676b5fc05 100644
> --- a/hw/usb/ccid-card-passthru.c
> +++ b/hw/usb/ccid-card-passthru.c
> @@ -264,24 +264,12 @@ static void 
> ccid_card_vscard_handle_message(PassthruState *card,
>      }
>  }
>
> -static void ccid_card_vscard_drop_connection(PassthruState *card)
> -{
> -    qemu_chr_fe_deinit(&card->cs, true);
> -    card->vscard_in_pos = card->vscard_in_hdr = 0;
> -}
> -
>  static void ccid_card_vscard_read(void *opaque, const uint8_t *buf, int size)
>  {
>      PassthruState *card = opaque;
>      VSCMsgHeader *hdr;
>
> -    if (card->vscard_in_pos + size > VSCARD_IN_SIZE) {
> -        error_report("no room for data: pos %u +  size %d > %" PRId64 "."
> -                     " dropping connection.",
> -                     card->vscard_in_pos, size, VSCARD_IN_SIZE);
> -        ccid_card_vscard_drop_connection(card);
> -        return;
> -    }
> +    assert(size <= VSCARD_IN_SIZE - card->vscard_in_pos);
>      assert(card->vscard_in_hdr < VSCARD_IN_SIZE);
>      memcpy(card->vscard_in_data + card->vscard_in_pos, buf, size);
>      card->vscard_in_pos += size;
> --
> 2.20.1
>

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PATCH v2 0/9] ccid-card-passthru: check buffer size parameter, Philippe Mathieu-Daudé, 2019/02/14
- [Qemu-devel] [PATCH v2 1/9] ccid-card-passthru: Move assertion in read() to can_read(), Philippe Mathieu-Daudé, 2019/02/14
  - Re: [Qemu-devel] [PATCH v2 1/9] ccid-card-passthru: Move assertion in read() to can_read(), Eric Blake, 2019/02/14
  - Re: [Qemu-devel] [PATCH v2 1/9] ccid-card-passthru: Move assertion in read() to can_read(), Wei Yang, 2019/02/15
  - Re: [Qemu-devel] [PATCH v2 1/9] ccid-card-passthru: Move assertion in read() to can_read(), Marc-André Lureau, 2019/02/15
- [Qemu-devel] [PATCH v2 2/9] ccid-card-passthru: Replace never trigger if statement by an assertion, Philippe Mathieu-Daudé, 2019/02/14
  - Re: [Qemu-devel] [PATCH v2 2/9] ccid-card-passthru: Replace never trigger if statement by an assertion, Marc-André Lureau <=
    - Re: [Qemu-devel] [PATCH v2 2/9] ccid-card-passthru: Replace never trigger if statement by an assertion, Philippe Mathieu-Daudé, 2019/02/18
    - Re: [Qemu-devel] [PATCH v2 2/9] ccid-card-passthru: Replace never trigger if statement by an assertion, P J P, 2019/02/21
    - Re: [Qemu-devel] [PATCH v2 2/9] ccid-card-passthru: Replace never trigger if statement by an assertion, Marc-André Lureau, 2019/02/21
- [Qemu-devel] [PATCH v2 3/9] ccid-card-passthru: Assert on a stricter expression, Philippe Mathieu-Daudé, 2019/02/14
  - Re: [Qemu-devel] [PATCH v2 3/9] ccid-card-passthru: Assert on a stricter expression, Wei Yang, 2019/02/15
  - Re: [Qemu-devel] [PATCH v2 3/9] ccid-card-passthru: Assert on a stricter expression, Marc-André Lureau, 2019/02/15
- [Qemu-devel] [PATCH v2 4/9] ccid-card-passthru: Let the chardev::read() be more generic, Philippe Mathieu-Daudé, 2019/02/14
  - Re: [Qemu-devel] [PATCH v2 4/9] ccid-card-passthru: Let the chardev::read() be more generic, Marc-André Lureau, 2019/02/15
- [Qemu-devel] [PATCH v2 5/9] ccid-card-passthru: Replace assert() by QEMU_BUILD_BUG_ON(), Philippe Mathieu-Daudé, 2019/02/14
  - Re: [Qemu-devel] [PATCH v2 5/9] ccid-card-passthru: Replace assert() by QEMU_BUILD_BUG_ON(), Marc-André Lureau, 2019/02/15

Prev by Date: Re: [Qemu-devel] [PATCH v3] s390x/cpumodel: Set up CPU model for AQIC interception
Next by Date: [Qemu-devel] [PATCH v4 8/9] hmp: Add hmp_announce_self
Previous by thread: [Qemu-devel] [PATCH v2 2/9] ccid-card-passthru: Replace never trigger if statement by an assertion
Next by thread: Re: [Qemu-devel] [PATCH v2 2/9] ccid-card-passthru: Replace never trigger if statement by an assertion
Index(es):
- Date
- Thread