| Andrew Geissler | b7d2861 | 2020-07-24 16:15:54 -0500 | [diff] [blame^] | 1 | From a98610c429d52db0937c1e48659428929835c455 Mon Sep 17 00:00:00 2001 |
| 2 | From: Prasad J Pandit <pjp@fedoraproject.org> |
| 3 | Date: Thu, 4 Jun 2020 14:38:30 +0530 |
| 4 | Subject: [PATCH] ati-vga: check mm_index before recursive call |
| 5 | (CVE-2020-13800) |
| 6 | MIME-Version: 1.0 |
| 7 | Content-Type: text/plain; charset=UTF-8 |
| 8 | Content-Transfer-Encoding: 8bit |
| 9 | |
| 10 | While accessing VGA registers via ati_mm_read/write routines, |
| 11 | a guest may set 's->regs.mm_index' such that it leads to infinite |
| 12 | recursion. Check mm_index value to avoid such recursion. Log an |
| 13 | error message for wrong values. |
| 14 | |
| 15 | Reported-by: Ren Ding <rding@gatech.edu> |
| 16 | Reported-by: Hanqing Zhao <hanqing@gatech.edu> |
| 17 | Reported-by: Yi Ren <c4tren@gmail.com> |
| 18 | Message-id: 20200604090830.33885-1-ppandit@redhat.com |
| 19 | Suggested-by: BALATON Zoltan <balaton@eik.bme.hu> |
| 20 | Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com> |
| 21 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> |
| 22 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> |
| 23 | |
| 24 | Upstream-Status: Backport [a98610c429d52db0937c1e48659428929835c455] |
| 25 | CVE: CVE-2020-13800 |
| 26 | Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> |
| 27 | --- |
| 28 | hw/display/ati.c | 10 ++++++++-- |
| 29 | 1 file changed, 8 insertions(+), 2 deletions(-) |
| 30 | |
| 31 | diff --git a/hw/display/ati.c b/hw/display/ati.c |
| 32 | index 065f197678..67604e68de 100644 |
| 33 | --- a/hw/display/ati.c |
| 34 | +++ b/hw/display/ati.c |
| 35 | @@ -285,8 +285,11 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size) |
| 36 | if (idx <= s->vga.vram_size - size) { |
| 37 | val = ldn_le_p(s->vga.vram_ptr + idx, size); |
| 38 | } |
| 39 | - } else { |
| 40 | + } else if (s->regs.mm_index > MM_DATA + 3) { |
| 41 | val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size); |
| 42 | + } else { |
| 43 | + qemu_log_mask(LOG_GUEST_ERROR, |
| 44 | + "ati_mm_read: mm_index too small: %u\n", s->regs.mm_index); |
| 45 | } |
| 46 | break; |
| 47 | case BIOS_0_SCRATCH ... BUS_CNTL - 1: |
| 48 | @@ -520,8 +523,11 @@ static void ati_mm_write(void *opaque, hwaddr addr, |
| 49 | if (idx <= s->vga.vram_size - size) { |
| 50 | stn_le_p(s->vga.vram_ptr + idx, size, data); |
| 51 | } |
| 52 | - } else { |
| 53 | + } else if (s->regs.mm_index > MM_DATA + 3) { |
| 54 | ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size); |
| 55 | + } else { |
| 56 | + qemu_log_mask(LOG_GUEST_ERROR, |
| 57 | + "ati_mm_write: mm_index too small: %u\n", s->regs.mm_index); |
| 58 | } |
| 59 | break; |
| 60 | case BIOS_0_SCRATCH ... BUS_CNTL - 1: |
| 61 | -- |
| 62 | 2.20.1 |
| 63 | |