Message ID | 20230914092717.7158-1-abelova@astralinux.ru |
---|---|
State | New |
Headers | show |
Series | hw/qxl: move check of slot_id before accessing guest_slots | expand |
14.09.2023 12:27, Anastasia Belova wrote: > If slot_id >= NUM_MEMSLOTS, buffer overflow is possible. > So the check should be upper than d->guest_slots[slot_id] > where size of d->guest_slots is NUM_MEMSLOTS. > > Fixes: e954ea2873 ("qxl: qxl_add_memslot: remove guest trigerrable panics") > Signed-off-by: Anastasia Belova <abelova@astralinux.ru> Good catch. Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> The change is trivial enough for trivial-patches tree, picked it up if Gerd don't mind. /mjt > hw/display/qxl.c | 11 ++++++----- > 1 file changed, 6 insertions(+), 5 deletions(-) > > diff --git a/hw/display/qxl.c b/hw/display/qxl.c > index 7bb00d68f5..dc618727c0 100644 > --- a/hw/display/qxl.c > +++ b/hw/display/qxl.c > @@ -1309,16 +1309,17 @@ static int qxl_add_memslot(PCIQXLDevice *d, uint32_t slot_id, uint64_t delta, > QXLDevMemSlot memslot; > int i; > > - guest_start = le64_to_cpu(d->guest_slots[slot_id].slot.mem_start); > - guest_end = le64_to_cpu(d->guest_slots[slot_id].slot.mem_end); > - > - trace_qxl_memslot_add_guest(d->id, slot_id, guest_start, guest_end); > - > if (slot_id >= NUM_MEMSLOTS) { > qxl_set_guest_bug(d, "%s: slot_id >= NUM_MEMSLOTS %d >= %d", __func__, > slot_id, NUM_MEMSLOTS); > return 1; > } > + > + guest_start = le64_to_cpu(d->guest_slots[slot_id].slot.mem_start); > + guest_end = le64_to_cpu(d->guest_slots[slot_id].slot.mem_end); > + > + trace_qxl_memslot_add_guest(d->id, slot_id, guest_start, guest_end); > + > if (guest_start > guest_end) { > qxl_set_guest_bug(d, "%s: guest_start > guest_end 0x%" PRIx64 > " > 0x%" PRIx64, __func__, guest_start, guest_end);
Hi Anastasia, On 14/9/23 11:27, Anastasia Belova wrote: > If slot_id >= NUM_MEMSLOTS, buffer overflow is possible. overflow: unlikely. Do you mean over-read? Did you found that by code audit? I can't see where this function get slot_id >= NUM_MEMSLOTS. This isn't guest triggerable and seems an API invalid use, so developer error, which we can catch with assertions: -- >8 -- diff --git a/hw/display/qxl.c b/hw/display/qxl.c index 7bb00d68f5..443f034168 100644 --- a/hw/display/qxl.c +++ b/hw/display/qxl.c @@ -1309,16 +1309,13 @@ static int qxl_add_memslot(PCIQXLDevice *d, uint32_t slot_id, uint64_t delta, QXLDevMemSlot memslot; int i; + assert(slot_id < NUM_MEMSLOTS); + guest_start = le64_to_cpu(d->guest_slots[slot_id].slot.mem_start); guest_end = le64_to_cpu(d->guest_slots[slot_id].slot.mem_end); trace_qxl_memslot_add_guest(d->id, slot_id, guest_start, guest_end); - if (slot_id >= NUM_MEMSLOTS) { - qxl_set_guest_bug(d, "%s: slot_id >= NUM_MEMSLOTS %d >= %d", __func__, - slot_id, NUM_MEMSLOTS); - return 1; - } if (guest_start > guest_end) { qxl_set_guest_bug(d, "%s: guest_start > guest_end 0x%" PRIx64 " > 0x%" PRIx64, __func__, guest_start, guest_end); --- Note, qxl_add_memslot() return value is ignored... > So the check should be upper than d->guest_slots[slot_id] > where size of d->guest_slots is NUM_MEMSLOTS. > > Fixes: e954ea2873 ("qxl: qxl_add_memslot: remove guest trigerrable panics") > Signed-off-by: Anastasia Belova <abelova@astralinux.ru> > --- > hw/display/qxl.c | 11 ++++++----- > 1 file changed, 6 insertions(+), 5 deletions(-) > > diff --git a/hw/display/qxl.c b/hw/display/qxl.c > index 7bb00d68f5..dc618727c0 100644 > --- a/hw/display/qxl.c > +++ b/hw/display/qxl.c > @@ -1309,16 +1309,17 @@ static int qxl_add_memslot(PCIQXLDevice *d, uint32_t slot_id, uint64_t delta, > QXLDevMemSlot memslot; > int i; > > - guest_start = le64_to_cpu(d->guest_slots[slot_id].slot.mem_start); > - guest_end = le64_to_cpu(d->guest_slots[slot_id].slot.mem_end); > - > - trace_qxl_memslot_add_guest(d->id, slot_id, guest_start, guest_end); > - > if (slot_id >= NUM_MEMSLOTS) { > qxl_set_guest_bug(d, "%s: slot_id >= NUM_MEMSLOTS %d >= %d", __func__, > slot_id, NUM_MEMSLOTS); > return 1; > } > + > + guest_start = le64_to_cpu(d->guest_slots[slot_id].slot.mem_start); > + guest_end = le64_to_cpu(d->guest_slots[slot_id].slot.mem_end); > + > + trace_qxl_memslot_add_guest(d->id, slot_id, guest_start, guest_end); > + > if (guest_start > guest_end) { > qxl_set_guest_bug(d, "%s: guest_start > guest_end 0x%" PRIx64 > " > 0x%" PRIx64, __func__, guest_start, guest_end);
diff --git a/hw/display/qxl.c b/hw/display/qxl.c index 7bb00d68f5..dc618727c0 100644 --- a/hw/display/qxl.c +++ b/hw/display/qxl.c @@ -1309,16 +1309,17 @@ static int qxl_add_memslot(PCIQXLDevice *d, uint32_t slot_id, uint64_t delta, QXLDevMemSlot memslot; int i; - guest_start = le64_to_cpu(d->guest_slots[slot_id].slot.mem_start); - guest_end = le64_to_cpu(d->guest_slots[slot_id].slot.mem_end); - - trace_qxl_memslot_add_guest(d->id, slot_id, guest_start, guest_end); - if (slot_id >= NUM_MEMSLOTS) { qxl_set_guest_bug(d, "%s: slot_id >= NUM_MEMSLOTS %d >= %d", __func__, slot_id, NUM_MEMSLOTS); return 1; } + + guest_start = le64_to_cpu(d->guest_slots[slot_id].slot.mem_start); + guest_end = le64_to_cpu(d->guest_slots[slot_id].slot.mem_end); + + trace_qxl_memslot_add_guest(d->id, slot_id, guest_start, guest_end); + if (guest_start > guest_end) { qxl_set_guest_bug(d, "%s: guest_start > guest_end 0x%" PRIx64 " > 0x%" PRIx64, __func__, guest_start, guest_end);
If slot_id >= NUM_MEMSLOTS, buffer overflow is possible. So the check should be upper than d->guest_slots[slot_id] where size of d->guest_slots is NUM_MEMSLOTS. Fixes: e954ea2873 ("qxl: qxl_add_memslot: remove guest trigerrable panics") Signed-off-by: Anastasia Belova <abelova@astralinux.ru> --- hw/display/qxl.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-)