From: li qiang
Subject: Re: [Qemu-devel] [PATCH] i2c: pm_smbus: check smb_index before block transfer write
Date: Thu, 6 Dec 2018 10:14:41 +0000

FYI:

http://terenceli.github.io/%E6%8A%80%E6%9C%AF/2018/12/06/qemu-escape


On 2018/12/6 17:02, li qiang wrote:
> On 2018/12/6 16:48, P J P wrote:
>> From: Prasad J Pandit <address@hidden>
>>
>> While performing block transfer write in smb_ioport_writeb(),
>> 'smb_index' is incremented and used to index smb_data[] array.
>> Check 'smb_index' value to avoid OOB access.
>>
>> Reported-by: Michael Hanselmann <address@hidden>
>> Signed-off-by: Prasad J Pandit <address@hidden>
>> ---
>>    hw/i2c/pm_smbus.c | 3 +++
>>    1 file changed, 3 insertions(+)
>>
>> diff --git a/hw/i2c/pm_smbus.c b/hw/i2c/pm_smbus.c
>> index 685a2378ed..03062740cc 100644
>> --- a/hw/i2c/pm_smbus.c
>> +++ b/hw/i2c/pm_smbus.c
>> @@ -240,6 +240,9 @@ static void smb_ioport_writeb(void *opaque, hwaddr addr, 
>> uint64_t val,
>>                uint8_t read = s->smb_addr & 0x01;
>>    
>>                s->smb_index++;
>> +            if (s->smb_index >= PM_SMBUS_MAX_MSG_SIZE) {
>> +                s->smb_index = 0;
>> +            }
>>                if (!read && s->smb_index == s->smb_data0) {
>>                    uint8_t prot = (s->smb_ctl >> 2) & 0x07;
>>                    uint8_t cmd = s->smb_cmd;
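Review bot: wrapping smb_index to 0 before the completion compare on the next line makes a full-size write block unreachable: with smb_data0 == PM_SMBUS_MAX_MSG_SIZE the index is reset to 0 just before `s->smb_index == s->smb_data0` is evaluated, so that transfer never completes, and a guest that keeps acknowledging bytes silently cycles through smb_data with no error it can observe. Suggest doing the completion compare first and bounding the index only on the path that actually indexes smb_data, or rejecting the extra byte with an error status instead of wrapping, and add a comment stating why the chosen bound (>= rather than >) is the right one for the array size.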
> Oh... Finally, another one finds this.....
>
> I've already found this. This is a very serious security issue.
>
> I have written a full exploit to make a VM escape using this vulnerability.
>
> The guest can read/write 4G of memory of the qemu process with the default
> configuration.
>
> As far as I know, this vulnerability may be the most serious
> vulnerability in qemu's history.
>
> Please pay a lot of attention to this issue.
>
> Later I will release the full paper and exploit. It's not harmful, as this
> was introduced in 3.1
>
> and no one uses it now.
>
> Thanks,
>
> Li Qiang

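To make the bug class in the patch above concrete, here is a reduced model of the byte-by-byte block transfer the hunk sits in, written as an added example for this thread; it is not QEMU's code and not the code from either poster. It assumes PM_SMBUS_MAX_MSG_SIZE is 32 (the value QEMU's pm_smbus.h used at the time) and that the guest advances the transfer one byte at a time by acknowledging the status register, with `smb_addr` bit 0 selecting read or write, as the quoted lines show. The unpatched variant keeps QEMU's original logic (increment, compare against the guest-programmed length, then use the index) but counts accesses that would leave `smb_data` instead of performing them, so it can be run safely; the hardened variant refuses the byte and latches an error rather than wrapping. The slave address and payload bytes are constructed test input.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: QEMU's pm_smbus.h defined this as 32 when the patch was posted. */
#define PM_SMBUS_MAX_MSG_SIZE 32

/* Reduced device state; field names follow the hunk, layout is this model's own. */
typedef struct {
    uint8_t  smb_addr;     /* bit 0: 1 = read transfer, 0 = write transfer */
    uint8_t  smb_data0;    /* block length as programmed by the guest */
    uint8_t  smb_blkdata;  /* byte staged by the guest / handed back to it */
    uint32_t smb_index;    /* cursor into smb_data, advanced per acknowledged byte */
    uint8_t  smb_data[PM_SMBUS_MAX_MSG_SIZE];
    bool     dev_err;      /* hardened variant: error latched for the guest */
    uint32_t oob_count;    /* unpatched variant: accesses that would leave smb_data */
} SmbModel;

typedef enum { SMB_BYTE_DONE, SMB_TRANSFER_DONE, SMB_ERROR } SmbStep;

/* Unpatched logic: increment, check for write completion, then index smb_data.
 * The real handler performs the access unconditionally; the model performs it
 * only while in bounds and counts the rest, which is the out-of-bounds offset
 * a guest gets to choose by simply acknowledging more bytes. */
static SmbStep ack_byte_unpatched(SmbModel *s)
{
    bool is_read = s->smb_addr & 0x01;

    s->smb_index++;
    if (!is_read && s->smb_index == s->smb_data0) {
        return SMB_TRANSFER_DONE;            /* block handed to the bus */
    }
    if (s->smb_index >= PM_SMBUS_MAX_MSG_SIZE) {
        s->oob_count++;                      /* QEMU would touch smb_data[smb_index] */
        return SMB_BYTE_DONE;
    }
    if (!is_read) {
        s->smb_data[s->smb_index] = s->smb_blkdata;
    } else {
        s->smb_blkdata = s->smb_data[s->smb_index];
    }
    return SMB_BYTE_DONE;
}

/* Hardened variant: bound the cursor before it is used, keep it parked at the
 * limit, and report an error the guest can observe instead of wrapping. */
static SmbStep ack_byte_hardened(SmbModel *s)
{
    bool is_read = s->smb_addr & 0x01;

    s->smb_index++;
    if (!is_read && s->smb_index == s->smb_data0) {
        return SMB_TRANSFER_DONE;
    }
    if (s->smb_index >= PM_SMBUS_MAX_MSG_SIZE) {
        s->smb_index = PM_SMBUS_MAX_MSG_SIZE;
        s->dev_err = true;
        return SMB_ERROR;
    }
    if (!is_read) {
        s->smb_data[s->smb_index] = s->smb_blkdata;
    } else {
        s->smb_blkdata = s->smb_data[s->smb_index];
    }
    return SMB_BYTE_DONE;
}

/* Drive one transfer as a guest would: program address and length, then stage
 * a byte and acknowledge, up to max_acks times. Returns the number of
 * acknowledgements issued before the model reported completion or an error. */
static uint32_t run_transfer(SmbModel *s, SmbStep (*ack)(SmbModel *),
                             bool is_read, uint8_t len, uint32_t max_acks)
{
    uint32_t n = 0;

    memset(s, 0, sizeof *s);
    s->smb_addr = (uint8_t)((0x50 << 1) | (is_read ? 1 : 0)); /* constructed slave 0x50 */
    s->smb_data0 = len;
    while (n < max_acks) {
        s->smb_blkdata = (uint8_t)(0xA0 + n);                  /* constructed payload */
        n++;
        if (ack(s) != SMB_BYTE_DONE) {
            break;
        }
    }
    return n;
}

int main(void)
{
    SmbModel s;

    /* Length 0 never matches the incremented index, so the cursor runs away. */
    uint32_t acks = run_transfer(&s, ack_byte_unpatched, false, 0, 100);
    printf("unpatched write, len 0: %u acks, %u out-of-bounds stores\n", acks, s.oob_count);
    acks = run_transfer(&s, ack_byte_unpatched, true, 0, 100);
    printf("unpatched read: %u acks, %u out-of-bounds loads\n", acks, s.oob_count);
    acks = run_transfer(&s, ack_byte_hardened, false, 0, 100);
    printf("hardened write, len 0: %u acks, index %u, dev_err %d\n",
           acks, s.smb_index, s.dev_err);
    return 0;
}
```

The read path is the one with no completion check at all, which is why a guest can walk the cursor freely in either direction of the transfer; the hardened variant parks the cursor rather than resetting it so that the guest cannot use repeated acknowledgements to reach offset 0 again without a reset.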