From patchwork Thu Jan 10 13:48:53 2019
X-Patchwork-Submitter: Anthony PERARD
X-Patchwork-Id: 155167
From: Anthony PERARD
Date: Thu, 10 Jan 2019 13:48:53 +0000
Message-ID: <20190110134917.16425-2-anthony.perard@citrix.com>
In-Reply-To: <20190110134917.16425-1-anthony.perard@citrix.com>
References: <20190110134917.16425-1-anthony.perard@citrix.com>
Subject: [Qemu-devel] [PULL 01/25] hw/xen/xen_pt_graphics: Don't trust the BIOS ROM contents so much
Cc: Anthony PERARD, xen-devel@lists.xenproject.org, Peter Maydell

From: Peter Maydell

Coverity (CID 796599) points out that xen_pt_setup_vga() trusts the
rom->size field in the BIOS ROM from a PCI passthrough VGA device, and
uses it as an index into the memory which contains the BIOS image. A
corrupt BIOS ROM could therefore cause us to index off the end of the
buffer. Check that the size is within bounds before we use it.

We are also trusting the pcioffset field, and assuming that the whole
rom_header is present; Coverity doesn't notice these, but check them
too.

Signed-off-by: Peter Maydell
Acked-by: Anthony PERARD
Signed-off-by: Anthony PERARD
---
 hw/xen/xen_pt_graphics.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

--
Anthony PERARD

diff --git a/hw/xen/xen_pt_graphics.c b/hw/xen/xen_pt_graphics.c
index 135c8df1e7..60d6b4a556 100644
--- a/hw/xen/xen_pt_graphics.c
+++ b/hw/xen/xen_pt_graphics.c
@@ -185,8 +185,19 @@ void xen_pt_setup_vga(XenPCIPassthroughState *s, XenHostPCIDevice *dev, return; } + if (bios_size < sizeof(struct rom_header)) { + error_setg(errp, "VGA: VBIOS image corrupt (too small)"); + return; + } + /* Currently we fixed this address as a primary. */ rom = (struct rom_header *)bios; + + if (rom->pcioffset + sizeof(struct pci_data) > bios_size) { + error_setg(errp, "VGA: VBIOS image corrupt (bad pcioffset field)"); + return; + } + pd = (void *)(bios + (unsigned char)rom->pcioffset); /* We may need to fixup Device Identification. */ @@ -194,6 +205,11 @@ void xen_pt_setup_vga(XenPCIPassthroughState *s, XenHostPCIDevice *dev, pd->device = s->real_device.device_id; len = rom->size * 512; + if (len > bios_size) { + error_setg(errp, "VGA: VBIOS image corrupt (bad size field)"); + return; + } + /* Then adjust the bios checksum */ for (c = (char *)bios; c < ((char *)bios + len); c++) { checksum += *c;
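Review bot: in the first hunk the new pcioffset bound check tests the unmodified `rom->pcioffset`, while the unchanged line right after it computes `pd` from `(unsigned char)rom->pcioffset`, so the value checked and the value actually used as an offset can differ whenever the field holds more than 8 bits. Truncation only ever shrinks the offset, so the check stays safe, but it rejects images whose truncated offset would have fit and leaves a reader guessing which value is authoritative; either drop the cast in the `pd = (void *)(bios + ...)` line so the checked value is the used value, or apply the same cast inside the condition, and add a one-line comment explaining why a `pci_data` structure that does not fit in `bios_size` is treated as a corrupt image rather than skipped.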
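Review bot: in the second hunk `if (len > bios_size)` catches an oversized `rom->size` but still admits `rom->size == 0`, which makes `len` zero, skips the checksum loop entirely and leaves whatever follows the hunk to cope with an empty image; since a genuine image must at least cover its own `rom_header`, consider tightening the condition to `if (len < sizeof(struct rom_header) || len > bios_size)` under the same "(bad size field)" error. A short comment noting that `rom->size` counts 512-byte blocks would also make the `* 512` self-explanatory.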
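The three checks the patch adds (header present, pcioffset in bounds, declared size in bounds) are the standard shape of "validate every length and offset field before indexing with it". The following stand-alone C program is an added example, not code from the patch or from QEMU: it models a minimal option ROM header using the same field names the patch uses (`size`, `pcioffset`, `vendor`, `device`), validates a buffer with those checks, and only then patches the IDs and re-balances the checksum the way the commit message describes. The struct layouts, the function names (`vbios_validate`, `vbios_fixup`, `vbios_checksum`, `build_sample_rom`), the `enum vbios_status` codes and the extra rule that rejects a zero-length image are all assumptions made for this example; the sample ROM bytes are constructed, not real firmware.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed layouts modelled on the PCI expansion ROM header; the field names
 * follow the patch, the exact layouts are this example's, not QEMU's. */
struct rom_header {
    uint16_t signature;      /* 0xAA55 */
    uint8_t  size;           /* image length in 512-byte units */
    uint8_t  entry[4];
    uint8_t  reserved[17];
    uint16_t pcioffset;      /* offset of the PCI data structure */
    uint16_t pnpoffset;
};

struct pci_data {
    uint8_t  signature[4];   /* "PCIR" */
    uint16_t vendor;
    uint16_t device;
    uint8_t  rest[16];       /* remaining fields, not needed here */
};

enum vbios_status {
    VBIOS_OK = 0,
    VBIOS_TOO_SMALL,         /* buffer cannot even hold the ROM header */
    VBIOS_BAD_PCIOFFSET,     /* PCI data structure would lie outside the buffer */
    VBIOS_BAD_SIZE           /* declared image length is zero or exceeds the buffer */
};

static uint16_t read_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void write_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Validate every header field before it is used as an offset or length.
 * On success *image_len receives the image length in bytes. The first three
 * checks are the ones the patch adds; rejecting len == 0 is an extra (assumed)
 * rule so that later code can safely touch bios[len - 1]. */
enum vbios_status vbios_validate(const uint8_t *bios, size_t bios_size, size_t *image_len)
{
    size_t pcioffset, len;

    if (bios_size < sizeof(struct rom_header)) {
        return VBIOS_TOO_SMALL;
    }
    /* Read through helpers instead of casting the buffer to the struct: the
     * buffer may be unaligned and the on-disk fields are little-endian. */
    pcioffset = read_le16(bios + offsetof(struct rom_header, pcioffset));
    if (pcioffset + sizeof(struct pci_data) > bios_size) {
        return VBIOS_BAD_PCIOFFSET;
    }
    len = (size_t)bios[offsetof(struct rom_header, size)] * 512;
    if (len < sizeof(struct rom_header) || len > bios_size) {
        return VBIOS_BAD_SIZE;
    }
    *image_len = len;
    return VBIOS_OK;
}

/* Byte sum over the image; a well-formed image sums to zero (mod 256). */
uint8_t vbios_checksum(const uint8_t *bios, size_t len)
{
    uint8_t sum = 0;
    for (size_t i = 0; i < len; i++) {
        sum = (uint8_t)(sum + bios[i]);
    }
    return sum;
}

/* Patch the vendor/device IDs and re-balance the checksum, but only after
 * the header has been validated. Nothing is touched on a failed check. */
enum vbios_status vbios_fixup(uint8_t *bios, size_t bios_size, uint16_t vendor, uint16_t device)
{
    size_t len, pcioffset;
    enum vbios_status st = vbios_validate(bios, bios_size, &len);
    if (st != VBIOS_OK) {
        return st;
    }
    pcioffset = read_le16(bios + offsetof(struct rom_header, pcioffset));
    write_le16(bios + pcioffset + offsetof(struct pci_data, vendor), vendor);
    write_le16(bios + pcioffset + offsetof(struct pci_data, device), device);

    /* Fold the new byte sum into the last byte of the image. */
    bios[len - 1] = 0;
    bios[len - 1] = (uint8_t)(0u - vbios_checksum(bios, len));
    return VBIOS_OK;
}

/* Constructed sample image (not real firmware): 0x55AA header with the given
 * size-in-blocks and pcioffset, a "PCIR" block where it fits, and filler. */
void build_sample_rom(uint8_t *buf, size_t buf_size, uint8_t size_units, uint16_t pcioffset)
{
    for (size_t i = 0; i < buf_size; i++) {
        buf[i] = (uint8_t)(i * 7 + 3);      /* arbitrary filler bytes */
    }
    buf[0] = 0x55;
    buf[1] = 0xAA;
    buf[offsetof(struct rom_header, size)] = size_units;
    write_le16(buf + offsetof(struct rom_header, pcioffset), pcioffset);
    if ((size_t)pcioffset + sizeof(struct pci_data) <= buf_size) {
        memcpy(buf + pcioffset, "PCIR", 4);
    }
}
```

Each check guards exactly the dereference that follows it: the header-size check precedes any field read, the pcioffset check precedes the `pci_data` write, and the length check precedes the checksum loop. Reading fields via `read_le16` rather than a struct cast also removes the alignment and aliasing questions a cast over an untrusted buffer raises.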