From: Anthony PERARD
Subject: Re: [Qemu-devel] [PATCH for-3.1] hw/xen/xen_pt_graphics: Don't trust the BIOS ROM contents so much
Date: Mon, 26 Nov 2018 15:03:07 +0000
User-agent: Mutt/1.10.1 (2018-07-13)

On Mon, Nov 19, 2018 at 04:26:58PM +0000, Peter Maydell wrote:
> Coverity (CID 796599) points out that xen_pt_setup_vga() trusts
> the rom->size field in the BIOS ROM from a PCI passthrough VGA
> device, and uses it as an index into the memory which contains
> the BIOS image. A corrupt BIOS ROM could therefore cause us to
> index off the end of the buffer.
>
> Check that the size is within bounds before we use it.
>
> We are also trusting the pcioffset field, and assuming that
> the whole rom_header is present; Coverity doesn't notice these,
> but check them too.
>
> Signed-off-by: Peter Maydell <address@hidden>
> ---
> Disclaimer: compile tested only, as I don't have a Xen setup,
> let alone one with pass-through PCI graphics.
>
> Note that https://xenbits.xen.org/xsa/advisory-124.html
> defines that bugs which are only exploitable by a malicious
> piece of hardware that is passed through to the guest are
> not security vulnerabilities as far as the Xen Project is
> concerned, and are treated like normal non-security-related bugs.
> So this is just a bugfix, not a security issue.
>
> Marked "for-3.1" because it would let us squash another Coverity
> issue, and it is a bug fix; on the other hand it's an obscure
> corner case and has been this way since forever.
I haven't tested that patch either, but the changes look fine, so:
Acked-by: Anthony PERARD <address@hidden>
Thanks,
--
Anthony PERARD
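
The checks described in the quoted commit message (whole header present, size field within the buffer, pcioffset within the image), as an added example that is not the patch under review and not QEMU's code. The function names, error codes, the PC-compatible option ROM offsets and the 0x18-byte minimum for the PCI data structure are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROM_HDR_LEN  0x1A  /* header must reach the 16-bit pointer at 0x18 */
#define ROM_SIZE_OFF 0x02  /* image size, in 512-byte units */
#define ROM_PCIR_OFF 0x18  /* little-endian offset of the PCI data structure */
#define PCIR_MIN_LEN 0x18  /* assumption: minimum PCI data structure length */
enum rom_err { ROM_OK, ROM_TRUNCATED, ROM_BAD_SIG, ROM_BAD_SIZE, ROM_BAD_PCIR };

/* Check every length and offset read from the ROM against the number of
 * bytes actually held (len) before anything uses it as an index. */
enum rom_err rom_validate(const uint8_t *buf, size_t len,
                          size_t *image_len, size_t *pcir_off)
{
    if (len < ROM_HDR_LEN)
        return ROM_TRUNCATED;              /* whole header must be present */
    if (buf[0] != 0x55 || buf[1] != 0xAA)
        return ROM_BAD_SIG;
    size_t claimed = (size_t)buf[ROM_SIZE_OFF] * 512;
    if (claimed == 0 || claimed > len)
        return ROM_BAD_SIZE;               /* size field larger than buffer */
    size_t off = buf[ROM_PCIR_OFF] | ((size_t)buf[ROM_PCIR_OFF + 1] << 8);
    /* claimed >= 512 here, so the subtraction cannot wrap */
    if (off > claimed - PCIR_MIN_LEN || memcmp(buf + off, "PCIR", 4) != 0)
        return ROM_BAD_PCIR;
    *image_len = claimed;
    *pcir_off = off;
    return ROM_OK;
}

/* Constructed sample image (not a real VGA BIOS). */
void make_sample_rom(uint8_t *buf, size_t len, uint8_t units, uint16_t off)
{
    memset(buf, 0, len);
    buf[0] = 0x55; buf[1] = 0xAA;
    buf[ROM_SIZE_OFF] = units;
    buf[ROM_PCIR_OFF] = off & 0xFF; buf[ROM_PCIR_OFF + 1] = off >> 8;
    if ((size_t)off + 4 <= len)
        memcpy(buf + off, "PCIR", 4);
}

int main(void)
{
    uint8_t rom[1024];
    size_t n, p;
    make_sample_rom(rom, sizeof rom, 0x80, 0x1C);   /* claims 64 KiB */
    printf("oversized size field -> %d\n", (int)rom_validate(rom, sizeof rom, &n, &p));
    return 0;
}
```

Any later pass over the image, such as a checksum loop, should iterate over the validated `image_len` rather than re-reading the size byte from the ROM.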