From a98610c429d52db0937c1e48659428929835c455 Mon Sep 17 00:00:00 2001 From: Prasad J Pandit Date: Thu, 4 Jun 2020 14:38:30 +0530 Subject: [PATCH] ati-vga: check mm_index before recursive call (CVE-2020-13800) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit While accessing VGA registers via ati_mm_read/write routines, a guest may set 's->regs.mm_index' such that it leads to infinite recursion. Check mm_index value to avoid such recursion. Log an error message for wrong values. Reported-by: Ren Ding Reported-by: Hanqing Zhao Reported-by: Yi Ren Message-id: 20200604090830.33885-1-ppandit@redhat.com Suggested-by: BALATON Zoltan Suggested-by: Philippe Mathieu-Daudé Signed-off-by: Prasad J Pandit Signed-off-by: Gerd Hoffmann Upstream-Status: Backport [https://github.com/qemu/qemu/commit/a98610c429d52db0937c1e48659428929835c455] CVE: CVE-2020-13800 Signed-off-by: Chee Yang Lee --- hw/display/ati.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/hw/display/ati.c b/hw/display/ati.c index 065f197678e..67604e68deb 100644 --- a/hw/display/ati.c +++ b/hw/display/ati.c @@ -285,8 +285,11 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size) if (idx <= s->vga.vram_size - size) { val = ldn_le_p(s->vga.vram_ptr + idx, size); } - } else { + } else if (s->regs.mm_index > MM_DATA + 3) { val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size); + } else { + qemu_log_mask(LOG_GUEST_ERROR, + "ati_mm_read: mm_index too small: %u\n", s->regs.mm_index); } break; case BIOS_0_SCRATCH ... BUS_CNTL - 1: @@ -520,8 +523,11 @@ static void ati_mm_write(void *opaque, hwaddr addr, if (idx <= s->vga.vram_size - size) { stn_le_p(s->vga.vram_ptr + idx, size, data); } - } else { + } else if (s->regs.mm_index > MM_DATA + 3) { ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size); + } else { + qemu_log_mask(LOG_GUEST_ERROR, + "ati_mm_write: mm_index too small: %u\n", s->regs.mm_index); } break; case BIOS_0_SCRATCH ... BUS_CNTL - 1: