[Qemu-devel] [PATCH 2/5] pvrdma: add uar_read routine

2018-12-11 Thread P J P
From: Prasad J Pandit Define skeleton 'uar_read' routine. Avoid NULL dereference. Reported-by: Li Qiang Signed-off-by: Prasad J Pandit --- hw/rdma/vmw/pvrdma_main.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c index

[Qemu-devel] [PATCH 0/5] rdma: various issues in rdma/pvrdma backend

2018-12-11 Thread P J P
From: Prasad J Pandit Hello, Various issues OOB access, null dereference and possible infinite loop were reported in the rdma/pvrdma backends. This patch set attempts to fix these. Thank you. --- Prasad J Pandit (5): rdma: check that num_sge does not exceed MAX_SGE pvrdma: add uar_read

[Qemu-devel] [PATCH v1] i2c: pm_smbus: check smb_index before block transfer write

2018-12-06 Thread P J P
From: Prasad J Pandit While performing block transfer write in smb_ioport_writeb(), 'smb_index' is incremented and used to index smb_data[] array. Check 'smb_index' value to avoid OOB access. Note that this bug is exploitable by a guest to escape from the virtual machine. However the commit

Re: [Qemu-devel] [PATCH] i2c: pm_smbus: check smb_index before block transfer write

2018-12-06 Thread P J P
+-- On Thu, 6 Dec 2018, P J P wrote --+ | | to clarify that this is a serious bug but also that it's | | not one that will be affecting anybody's production systems. | | Okay, preparing patch v2... Sent revised patch [PATCH v1] i2c: pm_smbus: check smb_index before block transfer write Thank

Re: [Qemu-devel] [PATCH] i2c: pm_smbus: check smb_index before block transfer write

2018-12-06 Thread P J P
+-- On Thu, 6 Dec 2018, Peter Maydell wrote --+ | > > Do we need patch v2, or it can be done while merging it? | > | > I can add in the Fixes line when I apply the patch to master. | | Oh, I think we should also add to the commit message something | along the lines of: | | "Note that this bug is

Re: [Qemu-devel] [PATCH] i2c: pm_smbus: check smb_index before block transfer write

2018-12-06 Thread P J P
+-- On Thu, 6 Dec 2018, Igor Mammedov wrote --+ | > From: Prasad J Pandit | > | > While performing block transfer write in smb_ioport_writeb(), | > 'smb_index' is incremented and used to index smb_data[] array. | > Check 'smb_index' value to avoid OOB access. | > | > Reported-by: Michael

[Qemu-devel] [PATCH] i2c: pm_smbus: check smb_index before block transfer write

2018-12-06 Thread P J P
From: Prasad J Pandit While performing block transfer write in smb_ioport_writeb(), 'smb_index' is incremented and used to index smb_data[] array. Check 'smb_index' value to avoid OOB access. Reported-by: Michael Hanselmann Signed-off-by: Prasad J Pandit --- hw/i2c/pm_smbus.c | 3 +++ 1 file

Re: [Qemu-devel] [PATCH V2 for 3.1 0/4] Fix possible OOB during queuing packets

2018-11-30 Thread P J P
+-- On Thu, 29 Nov 2018, Eric Blake wrote --+ | How important is this for 3.1? We've missed -rc3. Is this CVE quality | because of a guest being able to cause mayhem by intentionally getting into | this condition (in which case, we need it, as well as a CVE assigned)? Is it | pre-existing in

Re: [Qemu-devel] [PATCH v2] bt: use size_t type for length parameters instead of int

2018-11-27 Thread P J P
+-- On Mon, 19 Nov 2018, P J P wrote --+ | From: Prasad J Pandit | | The length parameter values are not negative, thus use an unsigned | type 'size_t' for them. Many routines pass 'len' values to memcpy(3) | calls. If it was negative, it could lead to memory corruption issues. | Add check

Re: [Qemu-devel] [PATCH] 9p: fix QEMU crash when renaming files

2018-11-25 Thread P J P
e(), | like in v9fs_rename(). | | Impact: DoS triggered by unprivileged guest users. | | Cc: P J P | Reported-by: zhibin hu | Signed-off-by: Greg Kurz | --- | hw/9pfs/9p.c |3 +++ | 1 file changed, 3 insertions(+) | | diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c | index 267a25533b77..bdf7919ab

Re: [Qemu-devel] [PATCH v1] tpm: check localities index

2018-11-22 Thread P J P
+-- On Wed, 21 Nov 2018, Stefan Berger wrote --+ | I audited all functions yesterday and my proposed patches are on the mailing | list. The abort related ones seem most critical but they are all passed values | they can handle. I do not think that an out-of-bounds access can occur with | the

Re: [Qemu-devel] [PATCH v1] tpm: check localities index

2018-11-21 Thread P J P
Hello Stefan, Marc, +-- On Tue, 20 Nov 2018, P J P wrote --+ | | On 11/20/18 2:22 AM, P J P wrote: | | > From: Prasad J Pandit | | > While performing mmio device r/w operations, guest could set 'addr' | | > parameter such that 'locty' index exceeds TPM_TIS_NUM_LOCALITIES=5 | | > a

Re: [Qemu-devel] [PATCH] fmops: fix off-by-one in AR_TABLE and DR_TABLE array size

2018-11-21 Thread P J P
Hello Gerd, +-- On Mon, 12 Nov 2018, Gerd Hoffmann wrote --+ | On Tue, Oct 30, 2018 at 09:23:40AM +0100, Gerd Hoffmann wrote: | > Fixes: CVE-2018-??? | > Cc: P J P | | ping, do we have a cve number meanwhile? No, the off-by-one does not seem to have an adverse effect. One byte past AR

Re: [Qemu-devel] [PATCH] lsi53c895a: check script ram address value

2018-11-21 Thread P J P
Hello Petr, Paolo, +-- On Tue, 6 Nov 2018, Paolo Bonzini wrote --+ | On 06/11/2018 13:03, Peter Maydell wrote: | > When can this masking have any effect? These functions are | > the read and write ops for lsi_ram_ops, which we register with | > memory_region_init_io(>ram_io, OBJECT(s),

Re: [Qemu-devel] [PATCH v1] tpm: check localities index

2018-11-20 Thread P J P
Hello Stefan, +-- On Tue, 20 Nov 2018, Stefan Berger wrote --+ | On 11/20/18 2:22 AM, P J P wrote: | > From: Prasad J Pandit | > | > While performing mmio device r/w operations, guest could set 'addr' | > parameter such that 'locty' index exceeds TPM_TIS_NUM_LOCALITIES=5 | > af

[Qemu-devel] [PATCH v1] tpm: check localities index

2018-11-19 Thread P J P
From: Prasad J Pandit While performing mmio device r/w operations, guest could set 'addr' parameter such that 'locty' index exceeds TPM_TIS_NUM_LOCALITIES=5 after setting new 'locty' via 'tpm_tis_new_active_locality'. Add check to avoid OOB access. Reported-by: Cheng Feng Signed-off-by: Prasad

Re: [Qemu-devel] [PATCH] 9p: take write lock on fid path updates

2018-11-19 Thread P J P
. | | It turns out that the same can happen at several locations where | v9fs_path_copy() is used to set the fid path. The fix is again to | take the write lock. | | Cc: P J P | Reported-by: zhibin hu | Signed-off-by: Greg Kurz | --- | hw/9pfs/9p.c | 15 +++ | 1 file changed, 15

Re: [Qemu-devel] [PATCH v1] bt: use size_t type for length parameters instead of int

2018-11-19 Thread P J P
+-- On Tue, 6 Nov 2018, Philippe Mathieu-Daudé wrote --+ | > @@ -113,6 +113,7 @@ static void vhci_host_send(void *opaque, | > static uint8_t buf[4096]; | > | > buf[0] = type; | > +assert(len <= sizeof(buf) - 1); | | Why not simply "assert(len < sizeof(buf));"? | > for

[Qemu-devel] [PATCH v2] bt: use size_t type for length parameters instead of int

2018-11-19 Thread P J P
From: Prasad J Pandit The length parameter values are not negative, thus use an unsigned type 'size_t' for them. Many routines pass 'len' values to memcpy(3) calls. If it was negative, it could lead to memory corruption issues. Add check to avoid it. Reported-by: Arash TC Signed-off-by: Prasad

[Qemu-devel] [PATCH] lsi53c895a: check script ram address value

2018-11-06 Thread P J P
From: Prasad J Pandit While accessing script ram[2048] via 'lsi_ram_read/write' routines, 'addr' could exceed the ram range. Mask high order bits to avoid OOB access. Reported-by: Mark Kanda Signed-off-by: Prasad J Pandit --- hw/scsi/lsi53c895a.c | 2 ++ 1 file changed, 2 insertions(+) diff

[Qemu-devel] [PATCH 1/2] tpm: check localities index

2018-11-05 Thread P J P
From: Prasad J Pandit While performing mmio device r/w operations, guest could set 'addr' parameter such that 'locty' index exceeds TPM_TIS_NUM_LOCALITIES=5. Add check to avoid OOB access. Reported-by: Cheng Feng Signed-off-by: Prasad J Pandit --- hw/tpm/tpm_tis.c | 10 -- 1 file

[Qemu-devel] [PATCH 2/2] tpm: use loop iterator to set sts data field

2018-11-05 Thread P J P
From: Prasad J Pandit When TIS request is done, set 'sts' data field across all localities. Signed-off-by: Prasad J Pandit --- hw/tpm/tpm_tis.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/tpm/tpm_tis.c b/hw/tpm/tpm_tis.c index 20126dd838..58d90645bc 100644 ---

Re: [Qemu-devel] [PATCH v1] bt: use size_t type for length parameters instead of int

2018-11-02 Thread P J P
+-- On Sat, 27 Oct 2018, P J P wrote --+ |+-- On Sun, 21 Oct 2018, P J P wrote --+ || The length parameter values are not negative, thus use an unsigned || type 'size_t' for them. Many routines pass 'len' values to memcpy(3) || calls. If it was negative, it could lead to memory corruption issues

Re: [Qemu-devel] [PATCH v2] strongarm: mask off high[32:28] bits from dir and state registers

2018-10-30 Thread P J P
+-- On Mon, 29 Oct 2018, Peter Maydell wrote --+ | > switch (offset) { | > case GPDR:/* GPIO Pin-Direction registers */ | > -s->dir = value; | > +s->dir = value & 0x3f; | | The commit message says it's masking [31:28], but the | code is masking [31:22]. The

[Qemu-devel] [PATCH v3] strongarm: mask off high[31:28] bits from dir and state registers

2018-10-30 Thread P J P
From: Prasad J Pandit The high[31:28] bits of 'direction' and 'state' registers of SA-1100/SA-1110 device are reserved. Setting them may lead to OOB 's->handler[]' array access issue. Mask off [31:28] bits to avoid it. Reported-by: Moguofang Signed-off-by: Prasad J Pandit ---

Re: [Qemu-devel] [PATCH v2] lsi53c895a: check message length value is valid

2018-10-30 Thread P J P
+-- On Tue, 30 Oct 2018, Paolo Bonzini wrote --+ | | Reviewed-by: Paolo Bonzini | | with one change below: | | > +if ((s->sstat1 & PHASE_MASK) == PHASE_MI) { | > +assert(s->msg_len >= 0); | | should be > 0 as well. Sent patch v3. Thank you. -- Prasad J Pandit / Red Hat

[Qemu-devel] [PATCH v3] lsi53c895a: check message length value is valid

2018-10-30 Thread P J P
From: Prasad J Pandit While writing a message in 'lsi_do_msgin', message length value in 'msg_len' could be invalid. Add check to avoid OOB access issue. Signed-off-by: Prasad J Pandit --- hw/scsi/lsi53c895a.c | 19 +-- 1 file changed, 17 insertions(+), 2 deletions(-) Update

Re: [Qemu-devel] [PATCH v1] lsi53c895a: check message length value is valid

2018-10-30 Thread P J P
+-- On Mon, 29 Oct 2018, Paolo Bonzini wrote --+ | On 29/10/2018 18:56, Paolo Bonzini wrote: | > On 26/10/2018 22:55, Peter Maydell wrote: | >>> +assert(len <= LSI_MAX_MSGIN_LEN); | >>> pci_dma_write(PCI_DEVICE(s), s->dnad, s->msg, len); | >>> /* Linux drivers rely on the last byte

[Qemu-devel] [PATCH v2] lsi53c895a: check message length value is valid

2018-10-30 Thread P J P
From: Prasad J Pandit While writing a message in 'lsi_do_msgin', message length value in 'msg_len' could be invalid. Add check to avoid OOB access issue. Signed-off-by: Prasad J Pandit --- hw/scsi/lsi53c895a.c | 19 +-- 1 file changed, 17 insertions(+), 2 deletions(-) Update

Re: [Qemu-devel] [PATCH v1] bt: use size_t type for length parameters instead of int

2018-10-26 Thread P J P
+-- On Sun, 21 Oct 2018, P J P wrote --+ | The length parameter values are not negative, thus use an unsigned | type 'size_t' for them. Many routines pass 'len' values to memcpy(3) | calls. If it was negative, it could lead to memory corruption issues. | Add check to avoid it. | | Reported

[Qemu-devel] [PATCH v1] lsi53c895a: check message length value is valid

2018-10-26 Thread P J P
From: Prasad J Pandit While writing a message in 'lsi_do_msgin', message length value in 'msg_len' could be invalid. Add check to avoid OOB access issue. Signed-off-by: Prasad J Pandit --- hw/scsi/lsi53c895a.c | 15 ++- 1 file changed, 14 insertions(+), 1 deletion(-) Update v1:

Re: [Qemu-devel] [PATCH] lsi53c895a: check message length value

2018-10-26 Thread P J P
+-- On Fri, 26 Oct 2018, Mark Kanda wrote --+ | Yes, please use that acknowledgement text in lieu of a 'Reported-by' line. Okay, thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Re: [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated

2018-10-26 Thread P J P
+-- On Fri, 26 Oct 2018, Daniel P. Berrangé wrote --+ | ... | One thing we should do, however, is to make it clear which of the | device models we consider secure, and which we consider only usable | in a friendly guest environment, as we have very different code | maintainership & quality

Re: [Qemu-devel] [PATCH] lsi53c895a: check message length value

2018-10-26 Thread P J P
+-- On Fri, 26 Oct 2018, Mark Kanda wrote --+ | Deja vu requested that we include the following text in the commit message: | | Discovered by Deja vu Security. Reported by Oracle. | | Would that be acceptable? Generally an email-id is used/preferred in the commit log message. We could

[Qemu-devel] [PATCH v2] ppc/pnv: check size before data buffer access

2018-10-26 Thread P J P
From: Prasad J Pandit While performing PowerNV memory r/w operations, the access length 'sz' could exceed the data[4] buffer size. Add check to avoid OOB access. Reported-by: Moguofang Signed-off-by: Prasad J Pandit --- hw/ppc/pnv_lpc.c | 8 +++- 1 file changed, 7 insertions(+), 1

Re: [Qemu-devel] [libvirt] [PATCH 2/3] adlib: mark as insecure and deprecated.

2018-10-26 Thread P J P
+-- On Fri, 26 Oct 2018, Daniel P. Berrangé wrote --+ | > No, since the adlib device is not used as much and is being deprecated, I'm | > not inclined to get one. | | Any security issue that affects code in QEMU that is currently being | shipped by distros should have a CVE. | | Whether we

Re: [Qemu-devel] [PATCH 2/3] adlib: mark as insecure and deprecated.

2018-10-26 Thread P J P
+-- On Fri, 26 Oct 2018, Paolo Bonzini wrote --+ | Oh, thanks! I said I was dumb. :) So the fix is just this: | | diff --git a/hw/audio/fmopl.h b/hw/audio/fmopl.h | index e7e578a48e..7199afaa3c 100644 | --- a/hw/audio/fmopl.h | +++ b/hw/audio/fmopl.h | @@ -72,8 +72,8 @@ typedef struct fm_opl_f

Re: [Qemu-devel] [PATCH 3/3] ppc/pnv: check size before data buffer access

2018-10-26 Thread P J P
+-- On Fri, 26 Oct 2018, Cédric Le Goater wrote --+ | On 10/25/18 8:45 AM, P J P wrote: | > - While we refactor the routine for better, a patch below seem okay to fix | >the OOB access issue? | | I think it is fine. Please add something like : | | qemu_log_mask(LOG_GUEST

Re: [Qemu-devel] [PATCH v1] arm: check bit index before usage

2018-10-26 Thread P J P
+-- On Fri, 26 Oct 2018, Peter Maydell wrote --+ | > === | > diff --git a/hw/arm/strongarm.c b/hw/arm/strongarm.c | > index ec2627374d..dd8c4b1f2e 100644 | > --- a/hw/arm/strongarm.c | > +++ b/hw/arm/strongarm.c | > @@ -587,12 +587,12 @@ static void strongarm_gpio_write(void *opaque, hwaddr | >

Re: [Qemu-devel] [PATCH] lsi53c895a: check message length value

2018-10-26 Thread P J P
+-- On Fri, 26 Oct 2018, Paolo Bonzini wrote --+ | > -int msg_len; | > +uint8_t msg_len; | | Not wrong per se, but it's also not clear why it's needed. I understand | that you want to switch from signed to unsigned, but it is not mentioned | in the commit message. Changed to uint8_t

Re: [Qemu-devel] [PATCH 2/3] adlib: mark as insecure and deprecated.

2018-10-26 Thread P J P
+-- On Fri, 26 Oct 2018, Paolo Bonzini wrote --+ | I am dumb and I don't understand. In set_ar_dr you get | | v = 0xff | ar = 15 | dr = 15 | | and OPL->AR_TABLE[60] is accessed. The size of the array is 75, which | seems to be actually 14 more than required. Likewise

Re: [Qemu-devel] [PATCH] lsi53c895a: check message length value

2018-10-26 Thread P J P
+-- On Thu, 25 Oct 2018, Ameya More wrote --+ | While Mark and I reported this issue to you, it was actually discovered by | Dejvau Security and they should receive credit for reporting this issue. | http://www.dejavusecurity.com I see; Would it be possible to share email-id of the original

[Qemu-devel] [PATCH v2] strongarm: mask off high[32:28] bits from dir and state registers

2018-10-26 Thread P J P
From: Prasad J Pandit The high[32:28] bits of 'direction' and 'state' registers of SA-1100/SA-1110 device are reserved. Setting them may lead to OOB 's->handler[]' array access issue. Mask off [32:28] bits to avoid it. Reported-by: Moguofang Signed-off-by: Prasad J Pandit ---

Re: [Qemu-devel] [libvirt] [PATCH 2/3] adlib: mark as insecure and deprecated.

2018-10-26 Thread P J P
+-- On Thu, 25 Oct 2018, Daniel P. Berrangé wrote --+ | On Thu, Oct 25, 2018 at 04:26:16PM +0530, P J P wrote: | > +-- On Thu, 25 Oct 2018, Gerd Hoffmann wrote --+ | > | We have a lovely, guest-triggerable buffer overflow in opl2 emulation. | > | | > | Reproducer: | > | out

Re: [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated

2018-10-26 Thread P J P
Hello Dan, all +-- On Thu, 25 Oct 2018, Daniel P. Berrangé wrote --+ | On Thu, Oct 25, 2018 at 10:52:56AM +0200, Gerd Hoffmann wrote: | > While being at it deprecate cirrus too. | > | > Reason (short version): use stdvga instead. | > Verbose version: | >

Re: [Qemu-devel] [PATCH v1] arm: check bit index before usage

2018-10-25 Thread P J P
+-- On Thu, 25 Oct 2018, Peter Maydell wrote --+ | Hi; thanks for this patch. Looking at the SA1110 manual, | it says that writes to the reserved bits [31:28] are | ignored. So I think that rather than doing this check | here, we should do what the strongarm_ppc_* code in the | same file does --

[Qemu-devel] [PATCH] lsi53c895a: check message length value

2018-10-25 Thread P J P
From: Prasad J Pandit While writing a message in 'lsi_do_msgin', message length value in msg_len could be invalid, add check to avoid OOB access issue. Reported-by: Ameya More Signed-off-by: Prasad J Pandit --- hw/scsi/lsi53c895a.c | 9 ++--- 1 file changed, 6 insertions(+), 3

Re: [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated

2018-10-25 Thread P J P
+-- On Thu, 25 Oct 2018, Gerd Hoffmann wrote --+ | While being at it deprecate cirrus too. | | Reason (short version): use stdvga instead. | Verbose version: | https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful | | Signed-off-by: Gerd Hoffmann | --- |

Re: [Qemu-devel] [PATCH 2/3] adlib: mark as insecure and deprecated.

2018-10-25 Thread P J P
+-- On Thu, 25 Oct 2018, Gerd Hoffmann wrote --+ | We have a lovely, guest-triggerable buffer overflow in opl2 emulation. | | Reproducer: | outw(0xff60, 0x220); | outw(0x1020, 0x220); | outw(0xffb0, 0x220); | Result: | Will overflow FM_OPL->AR_TABLE[] (see hw/audio/fmopl.[ch]) +

Re: [Qemu-devel] [PATCH 1/3] qdev: add deprecation_reason to DeviceClass

2018-10-25 Thread P J P
+-- On Thu, 25 Oct 2018, Gerd Hoffmann wrote --+ | Simliar to deprecated machine types. | Print a warning when creating a deprecated device. | Add deprecation notice to -device help. | | TODO: add to intospection. s/intospection/introspection ..? | diff --git a/hw/core/qdev.c b/hw/core/qdev.c

Re: [Qemu-devel] [PATCH 3/3] ppc/pnv: check size before data buffer access

2018-10-25 Thread P J P
Hello Cedric, +-- On Wed, 24 Oct 2018, Cédric Le Goater wrote --+ | I think using a data[8] would be more appropriate. It would make the | pnv_lpc_do_eccb() routine a little more complex. I tried to rewrite it to | have a common one with the P9 LPC model but could not find a common pattern.

Re: [Qemu-devel] [PATCH v1] arm: check bit index before usage

2018-10-22 Thread P J P
+-- On Tue, 23 Oct 2018, Philippe Mathieu-Daudé wrote --+ | > From: Prasad J Pandit | > | > Update v1: use ARRAY_SIZE macro | >-> https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg04826.html | > | > -qemu_set_irq(s->handler[bit], (level >> bit) & 1); | > +if (bit <

Re: [Qemu-devel] [PATCH 1/3] arm: check bit index before use

2018-10-22 Thread P J P
+-- On Mon, 22 Oct 2018, liqsub1 wrote --+ | +if (bit < sizeof(s->handler) / sizeof(s->handler[0])) { | | Maybe you can use ARRAY_SIZE here. Yes, sent patch v1. Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

[Qemu-devel] [PATCH v1] arm: check bit index before usage

2018-10-22 Thread P J P
From: Prasad J Pandit While performing gpio write via strongarm_gpio_handler_update routine, the 'bit' index could access beyond s->handler[28] array. Add check to avoid OOB access. Reported-by: Moguofang Signed-off-by: Prasad J Pandit --- hw/arm/strongarm.c | 4 +++- 1 file changed, 3

[Qemu-devel] [PATCH 3/3] ppc/pnv: check size before data buffer access

2018-10-22 Thread P J P
From: Prasad J Pandit While performing PowerNV memory r/w operations, the access length 'sz' could exceed the data[4] buffer size. Add check to avoid OOB access. Reported-by: Moguofang Signed-off-by: Prasad J Pandit --- hw/ppc/pnv_lpc.c | 4 1 file changed, 4 insertions(+) diff --git

[Qemu-devel] [PATCH 2/3] nvme: check size before memcpy

2018-10-22 Thread P J P
From: Prasad J Pandit While in nvme_mmio_read, memcpy could read past the 'n->bar' buffer, if addr offset was pointing towards its tail end. Add check to avoid OOB access. Reported-by: Caihongzhu Signed-off-by: Prasad J Pandit --- hw/block/nvme.c | 2 +- 1 file changed, 1 insertion(+), 1

[Qemu-devel] [PATCH 1/3] arm: check bit index before use

2018-10-22 Thread P J P
From: Prasad J Pandit While performing gpio write via strongarm_gpio_handler_update routine, the 'bit' index could access beyond s->handler[28] array. Add check to avoid OOB access. Reported-by: Moguofang Signed-off-by: Prasad J Pandit --- hw/arm/strongarm.c | 4 +++- 1 file changed, 3

[Qemu-devel] [PATCH v1] bt: use size_t type for length parameters instead of int

2018-10-21 Thread P J P
From: Prasad J Pandit The length parameter values are not negative, thus use an unsigned type 'size_t' for them. Many routines pass 'len' values to memcpy(3) calls. If it was negative, it could lead to memory corruption issues. Add check to avoid it. Reported-by: Arash TC Signed-off-by: Prasad

Re: [Qemu-devel] [PATCH] bt: use size_t type for length parameters instead of signed int

2018-10-18 Thread P J P
+-- On Thu, 18 Oct 2018, Paolo Bonzini wrote --+ | So you have to first find out all places where something is subtracted | from the length, and ensure it's okay or add assertions. | | Then you have to check a much more important issue: places that use a | fixed-size buffer such as

[Qemu-devel] [PATCH] bt: use size_t type for length parameters instead of signed int

2018-10-17 Thread P J P
From: Prasad J Pandit The length parameter values are not negative, thus use an unsigned type 'size_t' for them. Many routines pass 'len' values to memcpy(3) calls. If it was negative, it could lead to memory corruption issues. Reported-by: Arash TC Signed-off-by: Prasad J Pandit ---

Re: [Qemu-devel] [PATCH] ccid-card-passthru: check buffer size parameter

2018-10-11 Thread P J P
+-- On Thu, 11 Oct 2018, Philippe Mathieu-Daudé wrote --+ | I started this change and already converted 40 files. Wow, that's super swift! :) Will wait for the patch V2 from you then. Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Re: [Qemu-devel] [PATCH] ccid-card-passthru: check buffer size parameter

2018-10-11 Thread P J P
+-- On Thu, 11 Oct 2018, Philippe Mathieu-Daudé wrote --+ | The IOReadHandler does not have documentation. | | typedef void IOReadHandler(void *opaque, const uint8_t *buf, int size); | | Why is the 'size' argument signed? Does it make sense to call it with a | negative value? No, it doesn't

[Qemu-devel] [PATCH] ccid-card-passthru: check buffer size parameter

2018-10-11 Thread P J P
From: Prasad J Pandit While reading virtual smart card data, if buffer 'size' is negative it would lead to memory corruption errors. Add check to avoid it. Reported-by: Arash TC Signed-off-by: Prasad J Pandit --- hw/usb/ccid-card-passthru.c | 1 + 1 file changed, 1 insertion(+) diff --git

[Qemu-devel] [PATCH] qga: check bytes count read by guest-file-read

2018-06-13 Thread P J P
From: Prasad J Pandit While reading file content via 'guest-file-read' command, 'qmp_guest_file_read' routine allocates buffer of count+1 bytes. It could overflow for large values of 'count'. Add check to avoid it. Reported-by: Fakhri Zulkifli Signed-off-by: Prasad J Pandit ---

Re: [Qemu-devel] [PATCH 1/2] slirp: correct size computation while concatenating mbuf

2018-06-06 Thread P J P
mu-devel/2018-06/msg01144.html This is patch v1 with indentation fix flagged by checkpatch.pl. In case you prefer this one. Thank you. -- - P J P 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

[Qemu-devel] [PATCH v1 2/2] slirp: reformat m_cat routine

2018-06-06 Thread P J P
From: Prasad J Pandit Coding style changes to the m_cat routine and minor refactoring. Signed-off-by: Prasad J Pandit --- slirp/mbuf.c | 36 1 file changed, 16 insertions(+), 20 deletions(-) diff --git a/slirp/mbuf.c b/slirp/mbuf.c index

[Qemu-devel] [PATCH v1 0/2] correct size computation in m_cat

2018-06-06 Thread P J P
From: Prasad J Pandit Hello, While reassembling incoming fragmented datagrams, 'm_cat' routine extends the 'mbuf' buffer if it has insufficient room. It computes a wrong buffer size, which leads to overwriting adjacent heap buffer area. This patch set fixes this issue and formats m_cat()

[Qemu-devel] [PATCH v1 1/2] slirp: correct size computation while concatenating mbuf

2018-06-06 Thread P J P
From: Prasad J Pandit While reassembling incoming fragmented datagrams, 'm_cat' routine extends the 'mbuf' buffer, if it has insufficient room. It computes a wrong buffer size, which leads to overwriting adjacent heap buffer area. Correct this size computation in m_cat. Reported-by: ZDI

[Qemu-devel] [PATCH 1/2] slirp: correct size computation while concatenating mbuf

2018-06-05 Thread P J P
From: Prasad J Pandit While reassembling incoming fragmented datagrams, 'm_cat' routine extends the 'mbuf' buffer, if it has insufficient room. It computes a wrong buffer size, which leads to overwriting adjacent heap buffer area. Correct this size computation in m_cat. Reported-by: ZDI

[Qemu-devel] [PATCH 0/2] correct size computation in m_cat

2018-06-05 Thread P J P
From: Prasad J Pandit Hello, While reassembling incoming fragmented datagrams, 'm_cat' routine extends the 'mbuf' buffer if it has insufficient room. It computes a wrong buffer size, which leads to overwriting adjacent heap buffer area. This patch set fixes this issue and formats m_cat()

[Qemu-devel] [PATCH 2/2] slirp: reformat m_cat routine

2018-06-05 Thread P J P
From: Prasad J Pandit Coding style changes to the m_cat routine and minor refactoring. Signed-off-by: Prasad J Pandit --- slirp/mbuf.c | 36 1 file changed, 16 insertions(+), 20 deletions(-) diff --git a/slirp/mbuf.c b/slirp/mbuf.c index

Re: [Qemu-devel] CVE-2018-7550 (was: multiboot: bss_end_addr can be zero / cleanup)

2018-03-15 Thread P J P
+-- On Wed, 14 Mar 2018, Kevin Wolf wrote --+ | Well, it seems to me that this patch was created for a different | purpose, but it happens to fix the bug for which this CVE was assigned | now. Right. I had sent another patch to fix it, there Jack mentioned about his series from before. | I

Re: [Qemu-devel] [PATCH] vga: fix region calculation

2018-03-08 Thread P J P
+-- On Thu, 8 Mar 2018, Gerd Hoffmann wrote --+ | Typically the scanline length and the line offset are identical. | But case But in case ... | Cc: Ross Lagerwall s/Cc:/Reported-by: Ross Lagerwall ... | Signed-off-by: Gerd Hoffmann | --- |

Re: [Qemu-devel] [PATCH QEMU v1 4/4] multiboot: fprintf(stderr...) -> error_report()

2018-03-06 Thread P J P
+-- On Thu, 21 Dec 2017, Jack Schwartz wrote --+ | Change all fprintf(stderr...) calls in hw/i386/multiboot.c to call | error_report() instead, including the mb_debug macro. Remove the "\n" | from strings passed to all modified calls, since error_report() appends | one. | | Signed-off-by: Jack

Re: [Qemu-devel] [PATCH QEMU v1 3/4] multiboot: Use header names when displaying fields

2018-03-06 Thread P J P
+-- On Thu, 21 Dec 2017, Jack Schwartz wrote --+ | Refer to field names when displaying fields in printf and debug statements. I wonder if it's required; Having variable names is helpful while going through code. Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA

Re: [Qemu-devel] [PATCH QEMU v1 2/4] multiboot: Remove unused variables from multiboot.c

2018-03-06 Thread P J P
+-- On Thu, 21 Dec 2017, Jack Schwartz wrote --+ | Remove unused variables: mh_mode_type, mh_width, mh_height, mh_depth | | Signed-off-by: Jack Schwartz | Reviewed-by: Daniel Kiper | --- | hw/i386/multiboot.c | 6 -- | 1 file changed, 6

Re: [Qemu-devel] [PATCH QEMU v1 1/4] multiboot: bss_end_addr can be zero

2018-03-06 Thread P J P
+-- On Thu, 21 Dec 2017, Jack Schwartz wrote --+ | The multiboot spec (https://www.gnu.org/software/grub/manual/multiboot/), | section 3.1.3, allows for bss_end_addr to be zero. | | A zero bss_end_addr signifies there is no .bss section. | | Suggested-by: Daniel Kiper |

Re: [Qemu-devel] [PATCH] multiboot: check mh_load_end_addr address field

2018-03-05 Thread P J P
+-- On Wed, 28 Feb 2018, P J P wrote --+ | While loading kernel via multiboot-v1 image, (flags & 0x0001) | indicates that multiboot header contains valid addresses to load | the kernel image. In that, end of the data segment address | 'mh_load_end_addr' should be less than the bss seg

[Qemu-devel] [PATCH] multiboot: check mh_load_end_addr address field

2018-02-27 Thread P J P
From: Prasad J Pandit While loading kernel via multiboot-v1 image, (flags & 0x0001) indicates that multiboot header contains valid addresses to load the kernel image. In that, end of the data segment address 'mh_load_end_addr' should be less than the bss segment

[Qemu-devel] [PATCH] kvm: check dev parameter when updating msi route

2018-02-04 Thread P J P
From: Prasad J Pandit When updating message signalled interrupt(MSI) route in routine kvm_irqchip_update_msi_route, device parameter could be null. Add check to avoid null dereference. Reported-by: Guoxiang Niu Signed-off-by: Prasad J Pandit

Re: [Qemu-devel] [PATCH] kvm: check dev parameter when updating msi route

2018-02-04 Thread P J P
Hello Radim, +-- On Fri, 2 Feb 2018, Radim Krčmář wrote --+ | This should primarily go to the qemu devel list. I've Cc'd it, but | reposting would be safer, thanks. Ah, Okay. I did think qemu-devel would be better, but MAINTAINERS file lists k...@vger.kernel.org address for accel/kvm/.

Re: [Qemu-devel] [PATCH v1] ps2: check PS2Queue pointers in post_load routine

2018-01-30 Thread P J P
+-- On Thu, 25 Jan 2018, Gerd Hoffmann wrote --+ | Ok, finally queueed up v1 for merge. Okay, cool. Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Re: [Qemu-devel] [PATCH] vga: check the validation of memory addr when draw text

2018-01-11 Thread P J P
+-- On Mon, 25 Dec 2017, linzhecheng wrote --+ | --- a/hw/display/vga.c | +++ b/hw/display/vga.c | @@ -1279,6 +1279,10 @@ static void vga_draw_text(VGACommonState *s, int full_update) | cx_min = width; | cx_max = -1; | for(cx = 0; cx < width; cx++) { | +if

Re: [Qemu-devel] [PATCH] display: check irq handler index before access

2017-12-11 Thread P J P
+-- On Mon, 11 Dec 2017, Peter Maydell wrote --+ | It would be more sensible to just mask off the top bits of | 'level' before starting the loop, rather than checking every | time around the loop: |level &= MAKE_64BIT_MASK(0, TC6493XB_GPIOS); Sent a revised patch v1. Thank you. -- Prasad J

[Qemu-devel] [PATCH v1] display: limit irq handler index to TC6393XB_GPIOS

2017-12-11 Thread P J P
From: Prasad J Pandit The ctz32() routine could return value greater than TC6393XB_GPIOS=16. This could lead to an OOB array access. Mask 'level' to avoid it. Reported-by: Moguofang Signed-off-by: Prasad J Pandit ---

[Qemu-devel] [PATCH] display: check irq handler index before access

2017-12-11 Thread P J P
From: Prasad J Pandit The ctz32() routine could return a value greater than TC6393XB_GPIOS=16. This could lead to an OOB array access. Add check to avoid it. Reported-by: Moguofang Signed-off-by: Prasad J Pandit ---

Re: [Qemu-devel] [PATCH v4 0/2] check VirtiQueue Vring objects

2017-12-06 Thread P J P
+-- On Thu, 30 Nov 2017, P J P wrote --+ | +-- On Thu, 30 Nov 2017, Stefan Hajnoczi wrote --+ | | Michael is the virtio maintainer. I have added him to this email | | thread so the patch series can be merged. -> https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg05473.html @

[Qemu-devel] [PATCH] scsi: check current request object before use

2017-12-06 Thread P J P
From: Prasad J Pandit During a DMA access, SCSIRequest object 'current_req' could be null, leading to a null pointer dereference. Add check to avoid it. Reported-by: Zhangboxian Signed-off-by: Prasad J Pandit ---

Re: [Qemu-devel] [PATCH v4 0/2] check VirtiQueue Vring objects

2017-12-01 Thread P J P
+-- On Thu, 30 Nov 2017, Stefan Hajnoczi wrote --+ | Michael is the virtio maintainer. I have added him to this email | thread so the patch series can be merged. Thanks so much! -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Re: [Qemu-devel] [PATCH v3 1/2] virtio: check VirtQueue Vring object is set

2017-11-30 Thread P J P
+-- On Wed, 29 Nov 2017, Cornelia Huck wrote --+ | I think the basic problem is still that you conflate two things: | - vring.num, which cannot be flipped between 0 and !0 by the guest | - vring.{desc,avail,used}, which can | | IOW, if vring.num == 0, the guest cannot manipulate the queue; if |

[Qemu-devel] [PATCH v4 0/2] check VirtiQueue Vring objects

2017-11-29 Thread P J P
From: Prasad J Pandit Hello, A guest could attempt to use an uninitialised VirtQueue object or set Vring object with undue values, raising an unexpected exception in Qemu. This patch set fixes this issue and also adds a unit test to the suite. Thank you. -- Prasad J

[Qemu-devel] [PATCH v4 1/2] virtio: check VirtQueue Vring object is set

2017-11-29 Thread P J P
From: Prasad J Pandit A guest could attempt to use an uninitialised VirtQueue object or unset Vring.align leading to an arithmetic exception. Add check to avoid it. Reported-by: Zhangboxian Signed-off-by: Prasad J Pandit

[Qemu-devel] [PATCH v4 2/2] tests: add test to check VirtQueue object

2017-11-29 Thread P J P
From: Prasad J Pandit An uninitialised VirtQueue object or one with Vring.align field set to zero (0) could lead to arithmetic exceptions. Add a unit test to validate it. Signed-off-by: Prasad J Pandit --- tests/virtio-blk-test.c | 25

Re: [Qemu-devel] [PATCH v3 1/2] virtio: check VirtQueue Vring object is set

2017-11-29 Thread P J P
Hello Cornelia, +-- On Tue, 28 Nov 2017, Cornelia Huck wrote --+ | What is "unfit for use"? Unfit for use because we see checks like if (!virtio_queue_get_num(vdev, n)) { continue; ... if (!vdev->vq[n].vring.num) { return; 'virtio_queue_set_rings' sets 'vring.desc' as

Re: [Qemu-devel] [PATCH v3 1/2] virtio: check VirtQueue Vring object is set

2017-11-28 Thread P J P
+-- On Tue, 28 Nov 2017, Stefan Hajnoczi wrote --+ | > This is conflating different things: | > - vq does not exist (num == 0) | > - vq is not setup by the guest (desc == 0) | > - vq has no valid alignment (which is only relevant for legacy) | | I agree. Either case, vq would be unfit for use,

Re: [Qemu-devel] [PATCH v3 1/2] virtio: check VirtQueue Vring object is set

2017-11-27 Thread P J P
+-- On Mon, 27 Nov 2017, Cornelia Huck wrote --+ |The check for align is not really needed, as virtio-1 disallows setting align |anyway. disallows...? | Checking for !desc is wrong (why shouldn't a driver be able to unset a | descriptor table?) +-- On Mon, 27 Nov 2017, Stefan Hajnoczi wrote

[Qemu-devel] [PATCH v3 0/2] check VirtiQueue Vring objects

2017-11-24 Thread P J P
From: Prasad J Pandit Hello, A user could attempt to use an uninitialised VirtQueue object or set Vring object with undue values, raising an unexpected exception in Qemu. This patch set fixes this issue and also adds a unit test to the suite. Thank you. -- Prasad J

[Qemu-devel] [PATCH v3 1/2] virtio: check VirtQueue Vring object is set

2017-11-24 Thread P J P
From: Prasad J Pandit A user could attempt to use an uninitialised VirtQueue object or unset Vring.align leading to an arithmetic exception. Add check to avoid it. Reported-by: Zhangboxian Signed-off-by: Prasad J Pandit

[Qemu-devel] [PATCH v3 2/2] tests: add test to check VirtQueue object

2017-11-24 Thread P J P
From: Prasad J Pandit An uninitialised VirtQueue object or one with Vring.align field set to zero (0) could lead to arithmetic exceptions. Add a unit test to validate it. Signed-off-by: Prasad J Pandit --- tests/virtio-blk-test.c | 25

[Qemu-devel] [PATCH v2 2/2] tests: add test to check VirtQueue object

2017-11-24 Thread P J P
From: Prasad J Pandit An uninitialised VirtQueue object or one with Vring.align field set to zero (0) could lead to arithmetic exceptions. Add a unit test to validate it. Signed-off-by: Prasad J Pandit --- tests/virtio-blk-test.c | 25
