Re: [Xen-devel] [PATCH for-3.1] hw/xen/xen_pt_graphics: Don't trust the BIOS ROM contents so much
On Mon, Nov 19, 2018 at 04:26:58PM +0000, Peter Maydell wrote:
> Coverity (CID 796599) points out that xen_pt_setup_vga() trusts
> the rom->size field in the BIOS ROM from a PCI passthrough VGA
> device, and uses it as an index into the memory which contains
> the BIOS image. A corrupt BIOS ROM could therefore cause us to
> index off the end of the buffer.
>
> Check that the size is within bounds before we use it.
>
> We are also trusting the pcioffset field, and assuming that
> the whole rom_header is present; Coverity doesn't notice these,
> but check them too.
>
> Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
> ---
> Disclaimer: compile tested only, as I don't have a Xen setup,
> let alone one with pass-through PCI graphics.
>
> Note that https://xenbits.xen.org/xsa/advisory-124.html
> defines that bugs which are only exploitable by a malicious
> piece of hardware that is passed through to the guest are
> not security vulnerabilities as far as the Xen Project is
> concerned, and are treated like normal non-security-related bugs.
> So this is just a bugfix, not a security issue.
>
> Marked "for-3.1" because it would let us squash another Coverity
> issue, and it is a bug fix; on the other hand it's an obscure
> corner case and has been this way since forever.

I haven't tested that patch either, but the changes look fine, so:

Acked-by: Anthony PERARD <anthony.perard@xxxxxxxxxx>

Thanks,

-- 
Anthony PERARD
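The three checks named in the quoted commit message (whole header present, size within the buffer, pcioffset within the image), as an added stand-alone C example; it is not part of this thread and not QEMU's code. It assumes the standard PCI expansion ROM layout (0x55 0xAA signature, size in 512-byte units at offset 2, 16-bit pointer at offset 0x18 to a structure starting with "PCIR"); the function names are hypothetical and the checksum is only one illustrative consumer of the size field.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ROM_HDR_LEN  0x1A  /* signature .. 16-bit PCI data pointer at 0x18 */
#define PCIR_MIN_LEN 0x18  /* minimum PCI Data Structure length */

/* Validate an option ROM image held in buf[0..buf_len).
 * Returns the image length in bytes, or 0 if any header field
 * would send a reader outside the buffer. */
size_t rom_validate(const uint8_t *buf, size_t buf_len)
{
    size_t img_len, pci_off;

    if (buf == NULL || buf_len < ROM_HDR_LEN)
        return 0;                         /* whole header must be present */
    if (buf[0] != 0x55 || buf[1] != 0xAA)
        return 0;                         /* bad ROM signature */
    img_len = (size_t)buf[2] * 512;       /* size field: 512-byte units */
    if (img_len == 0 || img_len > buf_len)
        return 0;                         /* size points past the buffer */
    pci_off = (size_t)buf[0x18] | ((size_t)buf[0x19] << 8);
    if (pci_off < ROM_HDR_LEN || pci_off > img_len - PCIR_MIN_LEN)
        return 0;                         /* PCI data struct not inside image */
    if (memcmp(buf + pci_off, "PCIR", 4) != 0)
        return 0;                         /* pointer does not hit a PCIR block */
    return img_len;
}

/* Byte-sum over the validated image (0 for a well-formed ROM).
 * Returns -1 instead of reading when validation fails. */
int rom_checksum(const uint8_t *buf, size_t buf_len)
{
    size_t i, n = rom_validate(buf, buf_len);
    uint8_t sum = 0;

    if (n == 0)
        return -1;
    for (i = 0; i < n; i++)
        sum += buf[i];
    return sum;
}

/* Constructed sample image, not taken from real hardware. */
void make_sample_rom(uint8_t *buf, size_t len, uint8_t units, uint16_t pci_off)
{
    memset(buf, 0, len);
    buf[0] = 0x55; buf[1] = 0xAA; buf[2] = units;
    buf[0x18] = pci_off & 0xff; buf[0x19] = pci_off >> 8;
    if ((size_t)pci_off + 4 <= len)
        memcpy(buf + pci_off, "PCIR", 4);
}
```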