[qemu-xen staging-4.14] ati-vga: check mm_index before recursive call (CVE-2020-13800)



commit 387a3ac89d5cc821c4064295122dc3183b6aca69
Author:     Prasad J Pandit <pjp@xxxxxxxxxxxxxxxxx>
AuthorDate: Thu Jun 4 14:38:30 2020 +0530
Commit:     Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
CommitDate: Mon Aug 24 19:11:52 2020 -0500

    ati-vga: check mm_index before recursive call (CVE-2020-13800)
    
    While accessing VGA registers via ati_mm_read/write routines,
    a guest may set 's->regs.mm_index' such that it leads to infinite
    recursion. Check mm_index value to avoid such recursion. Log an
    error message for wrong values.
    
    Reported-by: Ren Ding <rding@xxxxxxxxxx>
    Reported-by: Hanqing Zhao <hanqing@xxxxxxxxxx>
    Reported-by: Yi Ren <c4tren@xxxxxxxxx>
    Message-id: 20200604090830.33885-1-ppandit@xxxxxxxxxx
    Suggested-by: BALATON Zoltan <balaton@xxxxxxxxxx>
    Suggested-by: Philippe Mathieu-Daudé <philmd@xxxxxxxxxx>
    Signed-off-by: Prasad J Pandit <pjp@xxxxxxxxxxxxxxxxx>
    Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
    (cherry picked from commit a98610c429d52db0937c1e48659428929835c455)
    Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
---
 hw/display/ati.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/hw/display/ati.c b/hw/display/ati.c
index 58ec8291d4..9228f1b242 100644
--- a/hw/display/ati.c
+++ b/hw/display/ati.c
@@ -285,8 +285,11 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, 
unsigned int size)
             if (idx <= s->vga.vram_size - size) {
                 val = ldn_le_p(s->vga.vram_ptr + idx, size);
             }
-        } else {
+        } else if (s->regs.mm_index > MM_DATA + 3) {
             val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);
+        } else {
+            qemu_log_mask(LOG_GUEST_ERROR,
+                "ati_mm_read: mm_index too small: %u\n", s->regs.mm_index);
         }
         break;
     case BIOS_0_SCRATCH ... BUS_CNTL - 1:
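
Review bot: the new guard 'else if (s->regs.mm_index > MM_DATA + 3)' in ati_mm_read has no comment saying why that bound is enough to stop the recursion. The recursive call passes 's->regs.mm_index + addr - MM_DATA', so the target stays above MM_DATA + 3 only if addr is never below MM_DATA on this path, which depends on the case label above the visible lines; a short comment stating that invariant next to the check would let a reader verify it without reconstructing the arithmetic. Separately, the final else branch only logs and does not assign val, so what the guest reads back for a rejected index comes from an initialiser outside this hunk; it is worth confirming that value is defined, or setting val explicitly in that branch.
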
@@ -520,8 +523,11 @@ static void ati_mm_write(void *opaque, hwaddr addr,
             if (idx <= s->vga.vram_size - size) {
                 stn_le_p(s->vga.vram_ptr + idx, size, data);
             }
-        } else {
+        } else if (s->regs.mm_index > MM_DATA + 3) {
             ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
+        } else {
+            qemu_log_mask(LOG_GUEST_ERROR,
+                "ati_mm_write: mm_index too small: %u\n", s->regs.mm_index);
         }
         break;
     case BIOS_0_SCRATCH ... BUS_CNTL - 1:
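
Review bot: the 'mm_index > MM_DATA + 3' test and the "mm_index too small" log in ati_mm_write are a copy of what the first hunk adds to ati_mm_read, so the bound now lives in two places that have to be kept in sync. A small shared helper or a named macro for the lowest allowed index would keep the read and write paths from drifting apart if the register window changes. The log strings also hardcode the function names "ati_mm_read:" and "ati_mm_write:"; using "%s" with __func__ would avoid a mismatch after a rename. A rejected write is dropped with only the LOG_GUEST_ERROR message, which looks intended, but a comment saying the write is ignored would make that explicit.
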
--
generated by git-patchbot for /home/xen/git/qemu-xen.git#staging-4.14



 

