Re: [Qemu-devel] [PATCH v2 2/9] ccid-card-passthru: Replace never trigge

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH v2 2/9] ccid-card-passthru: Replace never trigge

From:	Philippe Mathieu-Daudé
Subject:	Re: [Qemu-devel] [PATCH v2 2/9] ccid-card-passthru: Replace never trigger if statement by an assertion
Date:	Mon, 18 Feb 2019 23:10:11 +0100
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.0

On 2/15/19 11:59 AM, Marc-André Lureau wrote:
> Hi
> 
> On Thu, Feb 14, 2019 at 9:20 PM Philippe Mathieu-Daudé
> <address@hidden> wrote:
>>
>> The right side of the comparison is the return value of can_read():
>> VSCARD_IN_SIZE - card->vscard_in_pos.
>> Since the 'size' argument of chardev::read() is bound to
>> what chardev::can_read() returns, this condition can never happen.
> 
> I think so too, because vscard_in_pos is unchanged between the 2
> callbacks (or set to 0 in break event).
> 
>>
>> Add an assertion, which will always fail if card->vscard_in_pos >=
>> VSCARD_IN_SIZE), since size > 0.
> 
> If "size > VSCARD_IN_SIZE - card->vscard_in_pos" this is a chardev
> bug. But which backend does that?
> 
> Iow, did we ever reach the "no room for data" error?
> 
>>
>> This is a quick fix for CVE-2018-18438 "Integer overflow in
>> ccid_card_vscard_read() allows memory corruption".
> 
> I have a hard time to find how that memory corruption can happen. It
> would be a broken chardev (one calling qemu_chr_be_write() with a size
> bigger than qemu_chr_be_can_write()). It would need to be fixed. But

It will :)

> which one does that?

Arash or Prasad can you help us here? Do you have a reproducer?

>>
>> Fixes: CVE-2018-18438
>> Reported-by: Arash Tohidi Chafi <address@hidden>
>> Suggested-by: Paolo Bonzini <address@hidden>
>> Signed-off-by: Philippe Mathieu-Daudé <address@hidden>
>> ---
>>  hw/usb/ccid-card-passthru.c | 14 +-------------
>>  1 file changed, 1 insertion(+), 13 deletions(-)
>>
>> diff --git a/hw/usb/ccid-card-passthru.c b/hw/usb/ccid-card-passthru.c
>> index 8bb1314f49..1676b5fc05 100644
>> --- a/hw/usb/ccid-card-passthru.c
>> +++ b/hw/usb/ccid-card-passthru.c
>> @@ -264,24 +264,12 @@ static void 
>> ccid_card_vscard_handle_message(PassthruState *card,
>>      }
>>  }
>>
>> -static void ccid_card_vscard_drop_connection(PassthruState *card)
>> -{
>> -    qemu_chr_fe_deinit(&card->cs, true);
>> -    card->vscard_in_pos = card->vscard_in_hdr = 0;
>> -}
>> -
>>  static void ccid_card_vscard_read(void *opaque, const uint8_t *buf, int 
>> size)
>>  {
>>      PassthruState *card = opaque;
>>      VSCMsgHeader *hdr;
>>
>> -    if (card->vscard_in_pos + size > VSCARD_IN_SIZE) {
>> -        error_report("no room for data: pos %u +  size %d > %" PRId64 "."
>> -                     " dropping connection.",
>> -                     card->vscard_in_pos, size, VSCARD_IN_SIZE);
>> -        ccid_card_vscard_drop_connection(card);
>> -        return;
>> -    }
>> +    assert(size <= VSCARD_IN_SIZE - card->vscard_in_pos);
>>      assert(card->vscard_in_hdr < VSCARD_IN_SIZE);
>>      memcpy(card->vscard_in_data + card->vscard_in_pos, buf, size);
>>      card->vscard_in_pos += size;
>> --
>> 2.20.1
>>

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PATCH v2 0/9] ccid-card-passthru: check buffer size parameter, Philippe Mathieu-Daudé, 2019/02/14
- [Qemu-devel] [PATCH v2 1/9] ccid-card-passthru: Move assertion in read() to can_read(), Philippe Mathieu-Daudé, 2019/02/14
  - Re: [Qemu-devel] [PATCH v2 1/9] ccid-card-passthru: Move assertion in read() to can_read(), Eric Blake, 2019/02/14
  - Re: [Qemu-devel] [PATCH v2 1/9] ccid-card-passthru: Move assertion in read() to can_read(), Wei Yang, 2019/02/15
  - Re: [Qemu-devel] [PATCH v2 1/9] ccid-card-passthru: Move assertion in read() to can_read(), Marc-André Lureau, 2019/02/15
- [Qemu-devel] [PATCH v2 2/9] ccid-card-passthru: Replace never trigger if statement by an assertion, Philippe Mathieu-Daudé, 2019/02/14
  - Re: [Qemu-devel] [PATCH v2 2/9] ccid-card-passthru: Replace never trigger if statement by an assertion, Marc-André Lureau, 2019/02/15
    - Re: [Qemu-devel] [PATCH v2 2/9] ccid-card-passthru: Replace never trigger if statement by an assertion, Philippe Mathieu-Daudé <=
    - Re: [Qemu-devel] [PATCH v2 2/9] ccid-card-passthru: Replace never trigger if statement by an assertion, P J P, 2019/02/21
    - Re: [Qemu-devel] [PATCH v2 2/9] ccid-card-passthru: Replace never trigger if statement by an assertion, Marc-André Lureau, 2019/02/21
- [Qemu-devel] [PATCH v2 3/9] ccid-card-passthru: Assert on a stricter expression, Philippe Mathieu-Daudé, 2019/02/14
  - Re: [Qemu-devel] [PATCH v2 3/9] ccid-card-passthru: Assert on a stricter expression, Wei Yang, 2019/02/15
  - Re: [Qemu-devel] [PATCH v2 3/9] ccid-card-passthru: Assert on a stricter expression, Marc-André Lureau, 2019/02/15
- [Qemu-devel] [PATCH v2 4/9] ccid-card-passthru: Let the chardev::read() be more generic, Philippe Mathieu-Daudé, 2019/02/14
  - Re: [Qemu-devel] [PATCH v2 4/9] ccid-card-passthru: Let the chardev::read() be more generic, Marc-André Lureau, 2019/02/15
- [Qemu-devel] [PATCH v2 5/9] ccid-card-passthru: Replace assert() by QEMU_BUILD_BUG_ON(), Philippe Mathieu-Daudé, 2019/02/14
  - Re: [Qemu-devel] [PATCH v2 5/9] ccid-card-passthru: Replace assert() by QEMU_BUILD_BUG_ON(), Marc-André Lureau, 2019/02/15
- [Qemu-devel] [PATCH v2 7/9] ccid-card-passthru: Use QERR_MISSING_PARAMETER, Philippe Mathieu-Daudé, 2019/02/14

Prev by Date: Re: [Qemu-devel] [PATCH v4 1/1] blockdev: acquire aio_context for bitmap add/remove
Next by Date: Re: [Qemu-devel] [PATCH] hw/rdma: another clang compilation fix
Previous by thread: Re: [Qemu-devel] [PATCH v2 2/9] ccid-card-passthru: Replace never trigger if statement by an assertion
Next by thread: Re: [Qemu-devel] [PATCH v2 2/9] ccid-card-passthru: Replace never trigger if statement by an assertion
Index(es):
- Date
- Thread