blob: 1e8278f7b7eea9c6a979bfe08f66646d71ee6d7e (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
Date: Thu, 4 Jun 2020 16:25:24 +0530
From: Prasad J Pandit <pjp@fedoraproject.org>
Subject: [PATCH v3] ati-vga: check address before reading configuration bytes (CVE-2020-13791)
While reading PCI configuration bytes, a guest may send an
address towards the end of the configuration space. It may lead
to an OOB access issue. Add check to ensure 'address + size' is
within PCI configuration space.
CVE: CVE-2020-13791
Upstream-Status: Submitted
https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00979.html
Reported-by: Ren Ding <rding@gatech.edu>
Reported-by: Hanqing Zhao <hanqing@gatech.edu>
Reported-by: Yi Ren <c4tren@gmail.com>
Suggested-by: BALATON Zoltan <balaton@eik.bme.hu>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
---
hw/display/ati.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
Update v3: avoid modifying 'addr' variable
-> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00834.html
diff --git a/hw/display/ati.c b/hw/display/ati.c
index 67604e68de..b4d0fd88b7 100644
--- a/hw/display/ati.c
+++ b/hw/display/ati.c
@@ -387,7 +387,9 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
val = s->regs.crtc_pitch;
break;
case 0xf00 ... 0xfff:
- val = pci_default_read_config(&s->dev, addr - 0xf00, size);
+ if ((addr - 0xf00) + size <= pci_config_size(&s->dev)) {
+ val = pci_default_read_config(&s->dev, addr - 0xf00, size);
+ }
break;
case CUR_OFFSET:
val = s->regs.cur_offset;
--
2.26.2
|