Re: [Qemu-devel] [PATCH for-3.1] hw/xen/xen_pt_graphics: Don't trust the BIOS ROM contents so much
Fri, 14 Dec 2018 09:16:06 -0800 (PST)
On Fri, 14 Dec 2018, Peter Maydell wrote:
> On Mon, 26 Nov 2018 at 15:03, Anthony PERARD <address@hidden> wrote:
> > On Mon, Nov 19, 2018 at 04:26:58PM +0000, Peter Maydell wrote:
> > > Coverity (CID 796599) points out that xen_pt_setup_vga() trusts
> > > the rom->size field in the BIOS ROM from a PCI passthrough VGA
> > > device, and uses it as an index into the memory which contains
> > > the BIOS image. A corrupt BIOS ROM could therefore cause us to
> > > index off the end of the buffer.
> > >
> > > Check that the size is within bounds before we use it.
> > >
> > > We are also trusting the pcioffset field, and assuming that
> > > the whole rom_header is present; Coverity doesn't notice these,
> > > but check them too.
> > >
> > > Signed-off-by: Peter Maydell <address@hidden>
> > > ---
> > > Disclaimer: compile tested only, as I don't have a Xen setup,
> > > let alone one with pass-through PCI graphics.
> > >
> > > Note that https://xenbits.xen.org/xsa/advisory-124.html
> > > defines that bugs which are only exploitable by a malicious
> > > piece of hardware that is passed through to the guest are
> > > not security vulnerabilities as far as the Xen Project is
> > > concerned, and are treated like normal non-security-related bugs.
> > > So this is just a bugfix, not a security issue.
> > >
> > > Marked "for-3.1" because it would let us squash another Coverity
> > > issue, and it is a bug fix; on the other hand it's an obscure
> > > corner case and has been this way since forever.
> > I haven't tested that patch either, but the changes look fine, so:
> > Acked-by: Anthony PERARD <address@hidden>
> Ping! Would the Xen folks like to test this and/or send it in
> via a xen pullreq now that 4.0 has reopened for development?
> Alternatively I can put it in via a pullreq I'm currently
> doing in its current "not tested but looks fine" state :-)
I know that Anthony is preparing a pretty large pull request for you.
You should see something coming your way soon.
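The bounds checks the patch description calls for (header fully present, pcioffset inside the buffer, rom->size inside the buffer), written out as an added stand-alone example that is not the QEMU patch or QEMU's own xen_pt_setup_vga() code. The field offsets follow the PCI Firmware Specification expansion ROM header; the function names, error codes and the constructed sample image are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Offsets in the legacy PCI expansion ROM header (PCI Firmware Specification). */
#define ROM_SIG_OFF     0x00  /* bytes 0x55, 0xAA */
#define ROM_SIZE_OFF    0x02  /* image size in 512-byte units */
#define ROM_PCIR_OFF    0x18  /* 16-bit little-endian offset of the "PCIR" structure */
#define ROM_HEADER_LEN  0x1A  /* bytes that must be present before any field is read */
#define PCIR_LEN        0x18  /* minimum size of the PCI data structure */

enum rom_err { ROM_OK = 0, ROM_ETRUNC = -1, ROM_ESIG = -2, ROM_EPCIR = -3, ROM_ESIZE = -4 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Validate every header field before it is used as an index into bios[].
 * On success *image_len receives the image size in bytes, <= bios_len. */
int rom_validate(const uint8_t *bios, size_t bios_len, size_t *image_len)
{
    if (bios_len < ROM_HEADER_LEN)                /* whole rom_header present? */
        return ROM_ETRUNC;
    if (bios[ROM_SIG_OFF] != 0x55 || bios[ROM_SIG_OFF + 1] != 0xAA)
        return ROM_ESIG;
    uint16_t pcioffset = rd16(bios + ROM_PCIR_OFF);
    if (pcioffset > bios_len - PCIR_LEN)          /* pcioffset + PCIR_LEN <= bios_len */
        return ROM_EPCIR;
    if (memcmp(bios + pcioffset, "PCIR", 4) != 0)
        return ROM_EPCIR;
    size_t len = (size_t)bios[ROM_SIZE_OFF] * 512; /* the field Coverity flagged */
    if (len == 0 || len > bios_len)
        return ROM_ESIZE;
    *image_len = len;
    return ROM_OK;
}

/* Build a constructed 1 KiB sample ROM with the given size field and PCIR
 * pointer, then validate its first checked_len bytes (hypothetical helper). */
int validate_sample(uint8_t size_units, uint16_t pcioffset, size_t checked_len)
{
    static uint8_t buf[1024];
    size_t image_len = 0;
    memset(buf, 0, sizeof buf);
    buf[ROM_SIG_OFF] = 0x55;
    buf[ROM_SIG_OFF + 1] = 0xAA;
    buf[ROM_SIZE_OFF] = size_units;
    buf[ROM_PCIR_OFF] = (uint8_t)(pcioffset & 0xff);
    buf[ROM_PCIR_OFF + 1] = (uint8_t)(pcioffset >> 8);
    if ((size_t)pcioffset + 4 <= sizeof buf)
        memcpy(buf + pcioffset, "PCIR", 4);
    return rom_validate(buf, checked_len, &image_len);
}
```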