Re: [PATCH] KVM: X86: Fix read out-of-bounds vulnerability in kvm pio emulation
From: Paolo Bonzini
Date: Fri May 19 2017 - 06:33:27 EST
On 19/05/2017 11:46, Wanpeng Li wrote:
> From: Wanpeng Li <wanpeng.li@xxxxxxxxxxx>
>
> Huawei folks reported a read out-of-bounds vulnerability in kvm pio emulation.
>
> - "inb" instruction to access PIT Mod/Command register (ioport 0x43, write only,
> a read should be ignored) in guest can get a random number.
> - "rep insb" instruction to access PIT register port 0x43 can control memcpy()
> in emulator_pio_in_emulated() to copy max 0x400 bytes but only read 1 bytes,
> which will disclose the unimportant kernel memory in host but no crash.
The data comes simply from the last PIO read, right? The vcpu struct is
zero-initialized, so there is no kernel memory leak---the byte was
already previously known to the guest.
Good catch though, and the patch looks good.
Thanks,
Paolo
> The similar test program below can reproduce the read out-of-bounds vulnerability: