
Re: [Xen-devel] [PATCH for-3.1] hw/xen/xen_pt_graphics: Don't trust the BIOS ROM contents so much

On Mon, 26 Nov 2018 at 15:03, Anthony PERARD <anthony.perard@xxxxxxxxxx> wrote:
> On Mon, Nov 19, 2018 at 04:26:58PM +0000, Peter Maydell wrote:
> > Coverity (CID 796599) points out that xen_pt_setup_vga() trusts
> > the rom->size field in the BIOS ROM from a PCI passthrough VGA
> > device, and uses it as an index into the memory which contains
> > the BIOS image. A corrupt BIOS ROM could therefore cause us to
> > index off the end of the buffer.
> >
> > Check that the size is within bounds before we use it.
> >
> > We are also trusting the pcioffset field, and assuming that
> > the whole rom_header is present; Coverity doesn't notice these,
> > but check them too.
> >
> > Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
> > ---
> > Disclaimer: compile tested only, as I don't have a Xen setup,
> > let alone one with pass-through PCI graphics.
> >
> > Note that https://xenbits.xen.org/xsa/advisory-124.html
> > defines that bugs which are only exploitable by a malicious
> > piece of hardware that is passed through to the guest are
> > not security vulnerabilities as far as the Xen Project is
> > concerned, and are treated like normal non-security-related bugs.
> > So this is just a bugfix, not a security issue.
> >
> > Marked "for-3.1" because it would let us squash another Coverity
> > issue, and it is a bug fix; on the other hand it's an obscure
> > corner case and has been this way since forever.
> I haven't tested that patch either, but the changes look fine, so:
> Acked-by: Anthony PERARD <anthony.perard@xxxxxxxxxx>

Ping! Would the Xen folks like to test this and/or send it in
via a xen pullreq now that 4.0 has reopened for development?

Alternatively I can put it in via a pullreq I'm currently
doing in its current "not tested but looks fine" state :-)

-- PMM
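The patch under discussion (its diff is not reproduced in this message) bounds-checks three things read from the passed-through device's option ROM before using them as offsets: that the whole ROM header is actually present in the buffer, that the header's size field does not exceed the buffer, and that the PCI data structure offset points inside it. As an added example that is not QEMU's or Xen's code, the C below validates a PCI option ROM header against the length of the buffer the host actually holds, in the same spirit. The struct layout follows the PCI Firmware specification's option ROM header (0x55AA signature, 512-byte-unit size at offset 2, 16-bit pointer to the "PCIR" data structure at offset 0x18); the function names, the status enum and the sample images are this example's own constructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets from the PCI Firmware spec option-ROM header and PCI data structure.
 * Names are this example's own, not QEMU's rom_header/pci_data fields. */
#define ROM_SIG          0xAA55u
#define ROM_SIZE_OFF     0x02   /* image size in 512-byte units (1 byte)      */
#define ROM_PCIR_PTR_OFF 0x18   /* 16-bit LE offset of the "PCIR" structure   */
#define ROM_HDR_LEN      0x1A   /* bytes needed to read every header field    */
#define PCIR_LEN         0x18   /* size of the PCI data structure we inspect  */
#define PCIR_ILEN_OFF    0x10   /* image length in 512-byte units (2 bytes)   */

enum rom_status {
    ROM_OK = 0,
    ROM_ERR_TRUNCATED_HEADER,   /* buffer shorter than the header itself      */
    ROM_ERR_BAD_SIGNATURE,
    ROM_ERR_SIZE_OUT_OF_BOUNDS, /* size field claims more than we hold        */
    ROM_ERR_PCIR_OUT_OF_BOUNDS, /* PCIR pointer (or PCIR end) past the image  */
    ROM_ERR_BAD_PCIR_SIGNATURE,
};

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Check every field against buf_len before it is used as an index.
 * Nothing read from the ROM is trusted until it has been bounds-checked. */
enum rom_status validate_option_rom(const uint8_t *buf, size_t buf_len,
                                    size_t *image_len_out)
{
    if (buf_len < ROM_HDR_LEN)
        return ROM_ERR_TRUNCATED_HEADER;
    if (rd16(buf) != ROM_SIG)
        return ROM_ERR_BAD_SIGNATURE;

    /* The size field is an 8-bit count of 512-byte units: at most 128 KiB. */
    size_t image_len = (size_t)buf[ROM_SIZE_OFF] * 512;
    if (image_len == 0 || image_len > buf_len)
        return ROM_ERR_SIZE_OUT_OF_BOUNDS;

    /* pcir <= 0xFFFF, so pcir + PCIR_LEN cannot overflow size_t. */
    size_t pcir = rd16(buf + ROM_PCIR_PTR_OFF);
    if (pcir + PCIR_LEN > image_len)
        return ROM_ERR_PCIR_OUT_OF_BOUNDS;
    if (memcmp(buf + pcir, "PCIR", 4) != 0)
        return ROM_ERR_BAD_PCIR_SIGNATURE;

    /* The PCIR carries its own length; it must not exceed the header's. */
    size_t pcir_len = (size_t)rd16(buf + pcir + PCIR_ILEN_OFF) * 512;
    if (pcir_len > image_len)
        return ROM_ERR_SIZE_OUT_OF_BOUNDS;

    if (image_len_out)
        *image_len_out = image_len;
    return ROM_OK;
}

/* Constructed 1 KiB test image; only the validated fields are filled in. */
static uint8_t g_rom[1024];

static void build_sample_rom(uint8_t size_units, uint16_t pcir_off)
{
    memset(g_rom, 0, sizeof g_rom);
    g_rom[0] = 0x55;
    g_rom[1] = 0xAA;
    g_rom[ROM_SIZE_OFF] = size_units;
    g_rom[ROM_PCIR_PTR_OFF] = (uint8_t)(pcir_off & 0xFF);
    g_rom[ROM_PCIR_PTR_OFF + 1] = (uint8_t)(pcir_off >> 8);
    if ((size_t)pcir_off + PCIR_LEN <= sizeof g_rom) {
        memcpy(g_rom + pcir_off, "PCIR", 4);
        g_rom[pcir_off + PCIR_ILEN_OFF] = size_units;
    }
}

/* Build one constructed image and validate it as if only buf_len bytes
 * of it had been read from the device. */
enum rom_status check_case(uint8_t size_units, uint16_t pcir_off, size_t buf_len)
{
    build_sample_rom(size_units, pcir_off);
    return validate_option_rom(g_rom, buf_len, NULL);
}

int main(void)
{
    printf("well-formed image:        %d\n", check_case(2, 0x40, 1024));  /* ROM_OK */
    printf("size field too large:     %d\n", check_case(4, 0x40, 1024));  /* size error */
    printf("PCIR pointer past end:    %d\n", check_case(2, 0x3F0, 1024)); /* pcir error */
    printf("header itself truncated:  %d\n", check_case(2, 0x40, 0x10));  /* truncated */
    return 0;
}
```

The ordering matters: the header length is checked before any header field is read, the size field before it bounds anything, and the PCIR pointer before the four-byte signature compare dereferences it. A check that only looked at `size` would still let a hostile `pcioffset` walk off the buffer, which is the extra case the commit message calls out.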

Xen-devel mailing list
