Re: [PATCH] KVM: X86: Fix read out-of-bounds vulnerability in kvm pio emulation

From: Paolo Bonzini
Date: Fri May 19 2017 - 06:33:27 EST

Next message: Heikki Krogerus: "Re: [PATCH] usb: typec: Defer checking of valid power role swap to low level drivers"
Previous message: Heiko Stuebner: "Re: [PATCH v2 2/3] dt-bindings: add bindings for rk3128 clock controller"
In reply to: Wanpeng Li: "[PATCH] KVM: X86: Fix read out-of-bounds vulnerability in kvm pio emulation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 19/05/2017 11:46, Wanpeng Li wrote:
> From: Wanpeng Li <wanpeng.li@xxxxxxxxxxx>
>
> Huawei folks reported a read out-of-bounds vulnerability in kvm pio emulation.
>
> - "inb" instruction to access PIT Mod/Command register (ioport 0x43, write only,
> a read should be ignored) in guest can get a random number.
> - "rep insb" instruction to access PIT register port 0x43 can control memcpy()
> in emulator_pio_in_emulated() to copy max 0x400 bytes but only read 1 bytes,
> which will disclose the unimportant kernel memory in host but no crash.

The data comes simply from the last PIO read, right? The vcpu struct is
zero-initialized, so there is no kernel memory leak---the byte was
already previously known to the guest.

Good catch though, and the patch looks good.

Thanks,

Paolo

> The similar test program below can reproduce the read out-of-bounds vulnerability:

Next message: Heikki Krogerus: "Re: [PATCH] usb: typec: Defer checking of valid power role swap to low level drivers"
Previous message: Heiko Stuebner: "Re: [PATCH v2 2/3] dt-bindings: add bindings for rk3128 clock controller"
In reply to: Wanpeng Li: "[PATCH] KVM: X86: Fix read out-of-bounds vulnerability in kvm pio emulation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]