
Re: [Xen-devel] [PATCH for-3.1] hw/xen/xen_pt_graphics: Don't trust the BIOS ROM contents so much



On Mon, Nov 19, 2018 at 04:26:58PM +0000, Peter Maydell wrote:
> Coverity (CID 796599) points out that xen_pt_setup_vga() trusts
> the rom->size field in the BIOS ROM from a PCI passthrough VGA
> device, and uses it as an index into the memory which contains
> the BIOS image. A corrupt BIOS ROM could therefore cause us to
> index off the end of the buffer.
> 
> Check that the size is within bounds before we use it.
> 
> We are also trusting the pcioffset field, and assuming that
> the whole rom_header is present; Coverity doesn't notice these,
> but check them too.
> 
> Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
> ---
> Disclaimer: compile tested only, as I don't have a Xen setup,
> let alone one with pass-through PCI graphics.
> 
> Note that https://xenbits.xen.org/xsa/advisory-124.html
> defines that bugs which are only exploitable by a malicious
> piece of hardware that is passed through to the guest are
> not security vulnerabilities as far as the Xen Project is
> concerned, and are treated like normal non-security-related bugs.
> So this is just a bugfix, not a security issue.
> 
> Marked "for-3.1" because it would let us squash another Coverity
> issue, and it is a bug fix; on the other hand it's an obscure
> corner case and has been this way since forever.

I haven't tested that patch either, but the changes look fine, so:

Acked-by: Anthony PERARD <anthony.perard@xxxxxxxxxx>

Thanks,

-- 
Anthony PERARD

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
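
The checks the quoted commit message describes (whole header present, size within the buffer, pcioffset within the image), as an added stand-alone C example that is not part of the original mail and is not QEMU's code. The function and macro names are hypothetical, the offsets follow the standard PCI expansion ROM layout (55 AA signature, length in 512-byte units at offset 2, PCI data structure pointer at offset 0x18), and the sample image is constructed.

```c
#include <stdint.h>
#include <string.h>
/* PCI option ROM layout offsets; macro and function names are illustrative. */
#define ROM_HDR_LEN   0x1A  /* header bytes through the 16-bit PCI data pointer */
#define ROM_SIZE_OFF  0x02  /* image length in 512-byte units */
#define ROM_PCIR_PTR  0x18  /* little-endian offset of the "PCIR" structure */
#define PCIR_MIN_LEN  0x08  /* signature, vendor ID, device ID */

/* Validate an untrusted image in buf[0..buf_len). Returns 0 and stores the
 * checked image length and PCIR offset, or -1 if a field points off the end. */
int rom_validate(const uint8_t *buf, size_t buf_len,
                 size_t *image_len, size_t *pcir_off)
{
    if (buf_len < ROM_HDR_LEN)                     /* whole header present? */
        return -1;
    if (buf[0] != 0x55 || buf[1] != 0xAA)          /* option ROM signature */
        return -1;
    size_t len = (size_t)buf[ROM_SIZE_OFF] * 512;  /* device-supplied size */
    if (len == 0 || len > buf_len)
        return -1;
    size_t off = buf[ROM_PCIR_PTR] | ((size_t)buf[ROM_PCIR_PTR + 1] << 8);
    if (off > len - PCIR_MIN_LEN)                  /* len >= 512, no underflow */
        return -1;
    if (memcmp(buf + off, "PCIR", 4) != 0)
        return -1;
    *image_len = len;
    *pcir_off = off;
    return 0;
}

/* Build a constructed sample image (not real firmware); buf_len >= ROM_HDR_LEN. */
void rom_make_sample(uint8_t *buf, size_t buf_len, uint8_t units, uint16_t pcir)
{
    memset(buf, 0, buf_len);
    buf[0] = 0x55; buf[1] = 0xAA;
    buf[ROM_SIZE_OFF] = units;
    buf[ROM_PCIR_PTR] = pcir & 0xFF;
    buf[ROM_PCIR_PTR + 1] = pcir >> 8;
    if ((size_t)pcir + 4 <= buf_len)
        memcpy(buf + pcir, "PCIR", 4);
}

int main(void)
{
    uint8_t buf[1024];
    size_t len, off;
    rom_make_sample(buf, sizeof buf, 3, 0x40);     /* claims 1536 bytes */
    return rom_validate(buf, sizeof buf, &len, &off) == -1 ? 0 : 1;
}
```

Any later loop or index over the image should use the length returned by rom_validate(), never the raw size byte.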

 

