From patchwork Mon Jan 14 13:51:30 2019
X-Patchwork-Submitter: Anthony PERARD
X-Patchwork-Id: 155510
From: Anthony PERARD
Date: Mon, 14 Jan 2019 13:51:30 +0000
Message-ID: <20190114135154.16826-2-anthony.perard@citrix.com>
In-Reply-To: <20190114135154.16826-1-anthony.perard@citrix.com>
References: <20190114135154.16826-1-anthony.perard@citrix.com>
Subject: [Xen-devel] [PULL 01/25] hw/xen/xen_pt_graphics: Don't trust the BIOS ROM contents so much
List-Id: Xen developer discussion
Cc: Anthony PERARD, xen-devel@lists.xenproject.org, Peter Maydell

From: Peter Maydell

Coverity (CID 796599) points out that xen_pt_setup_vga() trusts the
rom->size field in the BIOS ROM from a PCI passthrough VGA device, and
uses it as an index into the memory which contains the BIOS image.
A corrupt BIOS ROM could therefore cause us to index off the end of
the buffer. Check that the size is within bounds before we use it.

We are also trusting the pcioffset field, and assuming that the
whole rom_header is present; Coverity doesn't notice these, but
check them too.

Signed-off-by: Peter Maydell
Acked-by: Anthony PERARD
Signed-off-by: Anthony PERARD
---
 hw/xen/xen_pt_graphics.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/hw/xen/xen_pt_graphics.c b/hw/xen/xen_pt_graphics.c
index 135c8df1e7..60d6b4a556 100644
--- a/hw/xen/xen_pt_graphics.c
+++ b/hw/xen/xen_pt_graphics.c
@@ -185,8 +185,19 @@ void xen_pt_setup_vga(XenPCIPassthroughState *s, XenHostPCIDevice *dev, return; } + if (bios_size < sizeof(struct rom_header)) { + error_setg(errp, "VGA: VBIOS image corrupt (too small)"); + return; + } + /* Currently we fixed this address as a primary. */ rom = (struct rom_header *)bios; + + if (rom->pcioffset + sizeof(struct pci_data) > bios_size) { + error_setg(errp, "VGA: VBIOS image corrupt (bad pcioffset field)"); + return; + } + pd = (void *)(bios + (unsigned char)rom->pcioffset); /* We may need to fixup Device Identification. */ @@ -194,6 +205,11 @@ void xen_pt_setup_vga(XenPCIPassthroughState *s, XenHostPCIDevice *dev, pd->device = s->real_device.device_id; len = rom->size * 512; + if (len > bios_size) { + error_setg(errp, "VGA: VBIOS image corrupt (bad size field)"); + return; + } + /* Then adjust the bios checksum */ for (c = (char *)bios; c < ((char *)bios + len); c++) { checksum += *c;
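Review bot: in the first hunk the new check validates `rom->pcioffset`, but the unchanged line right after it, `pd = (void *)(bios + (unsigned char)rom->pcioffset);`, indexes with the value truncated to a byte, so the expression that is checked and the expression that is used are not the same. Truncation can only make the offset smaller, so the new check is still a safe upper bound, but the cast looks like a pre-existing bug (it silently drops the high bits of any pcioffset above 0xff and would point the device-id fixup at the wrong offset in the image), and it would be cleaner to drop the cast in the same patch so the two lines agree. Also worth a line in the commit message: these checks guarantee only that rom_header and pci_data lie inside bios_size; neither the ROM signature nor the "PCIR" signature is verified, which is fine for the memory-safety goal of this patch but should be stated.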
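Review bot: in the second hunk `if (len > bios_size)` stops the checksum loop from reading past the buffer, but it still accepts rom->size == 0 (len == 0), and more generally a len smaller than the rom_header that was just validated. The loop then runs zero times, so whether that matters depends on the code after the hunk, which is not shown here: if the adjusted checksum is stored relative to the end of the image (for example at bios + len - 1), a zero size field would turn into an index of -1. Suggest tightening the check to `if (len < sizeof(struct rom_header) || len > bios_size)` so the size field is rejected in both directions, and mentioning the lower bound in the error message.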
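Added example, not QEMU's, Xen's or the patch author's code: the three bounds checks the patch adds (header present, pcioffset in range, size field in range), written as a stand-alone C parser for a legacy PCI expansion ROM image, followed by the vendor/device fixup and checksum repair that the patched function performs. It goes a little beyond the hunks: it also verifies the 0x55 0xAA and "PCIR" signatures and rejects a zero size field. Offsets follow the PCI expansion ROM layout (signature at 0, size in 512-byte units at 2, 16-bit little-endian PCI data structure offset at 0x18; "PCIR" with vendor at +4 and device at +6). The constant and function names, the choice to keep the checksum in the last byte of the image, and the sample image are this example's own constructions, not anything taken from hw/xen/xen_pt_graphics.c.

```c
/* Added example, not QEMU/Xen code: bounds-checked parsing of a legacy PCI
 * expansion ROM image, mirroring the checks the patch adds.  Offsets follow
 * the PCI expansion ROM header; names, checksum placement (last byte) and
 * the sample image are this example's own assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ROM_HEADER_LEN  0x1a   /* header up to and including pcioffset */
#define ROM_SIZE_OFF    0x02   /* image length in 512-byte units */
#define ROM_PCIOFF_OFF  0x18   /* u16 LE offset of the PCI data structure */
#define PCI_DATA_LEN    0x18   /* minimum "PCIR" structure length */
#define PCIR_VENDOR_OFF 0x04
#define PCIR_DEVICE_OFF 0x06

enum vbios_status { VBIOS_OK = 0, VBIOS_TOO_SMALL, VBIOS_BAD_SIGNATURE,
                    VBIOS_BAD_PCIOFFSET, VBIOS_BAD_PCIR, VBIOS_BAD_SIZE };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }

/* Validate every header field before it is used as an index. */
enum vbios_status vbios_validate(const uint8_t *bios, size_t bios_size,
                                 size_t *len_out, size_t *pcir_out)
{
    size_t pcioffset, len;
    if (bios_size < ROM_HEADER_LEN) return VBIOS_TOO_SMALL;     /* header present? */
    if (bios[0] != 0x55 || bios[1] != 0xaa) return VBIOS_BAD_SIGNATURE;
    pcioffset = rd16(bios + ROM_PCIOFF_OFF);   /* check and use the same value */
    if (pcioffset + PCI_DATA_LEN > bios_size) return VBIOS_BAD_PCIOFFSET;
    if (memcmp(bios + pcioffset, "PCIR", 4) != 0) return VBIOS_BAD_PCIR;
    len = (size_t)bios[ROM_SIZE_OFF] * 512;
    if (len == 0 || len > bios_size) return VBIOS_BAD_SIZE;     /* size in range? */
    *len_out = len;
    *pcir_out = pcioffset;
    return VBIOS_OK;
}

/* Sum of all image bytes modulo 256; a well-formed image sums to 0. */
unsigned vbios_sum(const uint8_t *bios, size_t len)
{
    unsigned sum = 0;
    for (size_t i = 0; i < len; i++) sum = (sum + bios[i]) & 0xff;
    return sum;
}

/* Rewrite vendor/device ids, then repair the checksum in the last byte. */
enum vbios_status vbios_fixup(uint8_t *bios, size_t bios_size,
                              uint16_t vendor, uint16_t device)
{
    size_t len, pcir;
    enum vbios_status st = vbios_validate(bios, bios_size, &len, &pcir);
    if (st != VBIOS_OK) return st;
    wr16(bios + pcir + PCIR_VENDOR_OFF, vendor);
    wr16(bios + pcir + PCIR_DEVICE_OFF, device);
    bios[len - 1] = (uint8_t)(bios[len - 1] - vbios_sum(bios, len));
    return VBIOS_OK;
}

/* Constructed 1024-byte sample (size field 2, "PCIR" at 0x40, sum 0). */
size_t build_sample_rom(uint8_t buf[1024])
{
    const size_t len = 1024, pcir = 0x40;
    memset(buf, 0x90, len);                       /* NOP filler as the "code" */
    buf[0] = 0x55; buf[1] = 0xaa;
    buf[ROM_SIZE_OFF] = (uint8_t)(len / 512);
    wr16(buf + ROM_PCIOFF_OFF, (uint16_t)pcir);
    memcpy(buf + pcir, "PCIR", 4);
    wr16(buf + pcir + PCIR_VENDOR_OFF, 0xabcd);   /* placeholder ids */
    wr16(buf + pcir + PCIR_DEVICE_OFF, 0x0001);
    buf[len - 1] = (uint8_t)(0u - vbios_sum(buf, len - 1));
    return len;
}

/* Corrupt one field of the sample and report the verdict.  0: intact,
 * 1: truncated buffer, 2: pcioffset past the end, 3: size too big, 4: size 0. */
enum vbios_status check_sample(int corruption)
{
    uint8_t buf[1024];
    size_t n = build_sample_rom(buf), len, pcir;
    switch (corruption) {
    case 1: n = 0x10; break;
    case 2: wr16(buf + ROM_PCIOFF_OFF, 0xfff0); break;
    case 3: buf[ROM_SIZE_OFF] = 3; break;
    case 4: buf[ROM_SIZE_OFF] = 0; break;
    default: break;
    }
    return vbios_validate(buf, n, &len, &pcir);
}

/* Fix up the sample's ids and confirm the image still sums to zero. */
int fixup_sample_ok(void)
{
    uint8_t buf[1024];
    size_t n = build_sample_rom(buf);
    return vbios_fixup(buf, n, 0x1234, 0x5678) == VBIOS_OK &&
           vbios_sum(buf, n) == 0 && rd16(buf + 0x40 + PCIR_DEVICE_OFF) == 0x5678;
}
```

The parser reads the header through explicit little-endian accessors rather than casting the buffer to a struct, which sidesteps alignment and padding questions and makes it obvious that the offset being checked is the full 16-bit field that is later used. The pcioffset comparison is done in size_t so the addition cannot wrap, and the size check rejects zero as well as oversize values because the checksum repair indexes `bios[len - 1]`.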