[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH] i2c: pm_smbus: check smb_index before block tra
|
From: |
li qiang |
|
Subject: |
Re: [Qemu-devel] [PATCH] i2c: pm_smbus: check smb_index before block transfer write |
|
Date: |
Thu, 6 Dec 2018 09:02:50 +0000 |
在 2018/12/6 16:48, P J P 写道:
> From: Prasad J Pandit <address@hidden>
>
> While performing block transfer write in smb_ioport_writeb(),
> 'smb_index' is incremented and used to index smb_data[] array.
> Check 'smb_index' value to avoid OOB access.
>
> Reported-by: Michael Hanselmann <address@hidden>
> Signed-off-by: Prasad J Pandit <address@hidden>
> ---
> hw/i2c/pm_smbus.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/hw/i2c/pm_smbus.c b/hw/i2c/pm_smbus.c
> index 685a2378ed..03062740cc 100644
> --- a/hw/i2c/pm_smbus.c
> +++ b/hw/i2c/pm_smbus.c
> @@ -240,6 +240,9 @@ static void smb_ioport_writeb(void *opaque, hwaddr addr,
> uint64_t val,
> uint8_t read = s->smb_addr & 0x01;
>
> s->smb_index++;
> + if (s->smb_index >= PM_SMBUS_MAX_MSG_SIZE) {
> + s->smb_index = 0;
> + }
> if (!read && s->smb_index == s->smb_data0) {
> uint8_t prot = (s->smb_ctl >> 2) & 0x07;
> uint8_t cmd = s->smb_cmd;
Oh... Finally another one find this.....
I've already found this. This is very a serious security issue.
I have wrote a full exploit to make a VM escape using this vulnerability.
This guest can read/write a 4G memory of qemu process by default
configuration.
As far as I know, this vulnerability may be the most serious
vulnerability of the qemu history.
Please pay a lot of attention for this issue.
Later I will release the full paper and exploit. It's not harm as this
is introduced in 3.1
and no one use it now.
Thanks,
Li Qiang
- [Qemu-devel] [PATCH] i2c: pm_smbus: check smb_index before block transfer write, P J P, 2018/12/06
- Re: [Qemu-devel] [PATCH] i2c: pm_smbus: check smb_index before block transfer write,
li qiang <=
- Re: [Qemu-devel] [PATCH] i2c: pm_smbus: check smb_index before block transfer write, li qiang, 2018/12/06
- Re: [Qemu-devel] [PATCH] i2c: pm_smbus: check smb_index before block transfer write, Peter Maydell, 2018/12/06
- Re: [Qemu-devel] [PATCH] i2c: pm_smbus: check smb_index before block transfer write, li qiang, 2018/12/06
- Re: [Qemu-devel] [PATCH] i2c: pm_smbus: check smb_index before block transfer write, Peter Maydell, 2018/12/06
- Re: [Qemu-devel] [PATCH] i2c: pm_smbus: check smb_index before block transfer write, Li Qiang, 2018/12/06
- Re: [Qemu-devel] [PATCH] i2c: pm_smbus: check smb_index before block transfer write, Peter Maydell, 2018/12/06
- Re: [Qemu-devel] [PATCH] i2c: pm_smbus: check smb_index before block transfer write, Li Qiang, 2018/12/06
- Re: [Qemu-devel] [PATCH] i2c: pm_smbus: check smb_index before block transfer write, Peter Maydell, 2018/12/06
Re: [Qemu-devel] [PATCH] i2c: pm_smbus: check smb_index before block transfer write, Igor Mammedov, 2018/12/06