[PATCH v3] ati-vga: check mm_index before recursive call (CVE-2020-13800

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH v3] ati-vga: check mm_index before recursive call (CVE-2020-13800

From:	P J P
Subject:	[PATCH v3] ati-vga: check mm_index before recursive call (CVE-2020-13800)
Date:	Thu, 4 Jun 2020 14:38:30 +0530

From: Prasad J Pandit <pjp@fedoraproject.org>

While accessing VGA registers via ati_mm_read/write routines,
a guest may set 's->regs.mm_index' such that it leads to infinite
recursion. Check mm_index value to avoid such recursion. Log an
error message for wrong values.

Reported-by: Ren Ding <rding@gatech.edu>
Reported-by: Hanqing Zhao <hanqing@gatech.edu>
Reported-by: Yi Ren <c4tren@gmail.com>
Suggested-by: BALATON Zoltan <balaton@eik.bme.hu>
Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
 hw/display/ati.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

Update v3: log error message
  -> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00827.html

diff --git a/hw/display/ati.c b/hw/display/ati.c
index 60c5f246fd..98c21e7bd5 100644
--- a/hw/display/ati.c
+++ b/hw/display/ati.c
@@ -285,8 +285,11 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, 
unsigned int size)
             if (idx <= s->vga.vram_size - size) {
                 val = ldn_le_p(s->vga.vram_ptr + idx, size);
             }
-        } else {
+        } else if (s->regs.mm_index > MM_DATA + 3) {
             val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);
+        } else {
+            qemu_log_mask(LOG_GUEST_ERROR,
+                "ati_mm_read: mm_index too small: %u\n", s->regs.mm_index);
         }
         break;
     case BIOS_0_SCRATCH ... BUS_CNTL - 1:
@@ -523,8 +526,11 @@ static void ati_mm_write(void *opaque, hwaddr addr,
             if (idx <= s->vga.vram_size - size) {
                 stn_le_p(s->vga.vram_ptr + idx, size, data);
             }
-        } else {
+        } else if (s->regs.mm_index > MM_DATA + 3) {
             ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
+        } else {
+            qemu_log_mask(LOG_GUEST_ERROR,
+                "ati_mm_write: mm_index too small: %u\n", s->regs.mm_index);
         }
         break;
     case BIOS_0_SCRATCH ... BUS_CNTL - 1:
-- 
2.26.2

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH v3] ati-vga: check mm_index before recursive call (CVE-2020-13800), P J P <=
- Re: [PATCH v3] ati-vga: check mm_index before recursive call (CVE-2020-13800), Gerd Hoffmann, 2020/06/04
  - Re: [PATCH v3] ati-vga: check mm_index before recursive call (CVE-2020-13800), BALATON Zoltan, 2020/06/04
    - Re: [PATCH v3] ati-vga: check mm_index before recursive call (CVE-2020-13800), Gerd Hoffmann, 2020/06/05

Prev by Date: Re: [PATCH] [PATCH v6] linux-user: syscall: ioctls: support DRM_IOCTL_VERSION
Next by Date: Re: [PATCH RFC v2 1/5] block: add bitmap-populate job
Previous by thread: [PATCH V2 0/2] migration/colo: Optimize COLO framework code
Next by thread: Re: [PATCH v3] ati-vga: check mm_index before recursive call (CVE-2020-13800)
Index(es):
- Date
- Thread