[v7,06/22] hvf: Fix OOB write in RDTSCP instruction decode

Message ID	20220306231753.50277-7-philippe.mathieu.daude@gmail.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org> From: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <philippe.mathieu.daude@gmail.com> To: qemu-devel@nongnu.org Subject: [PATCH v7 06/22] hvf: Fix OOB write in RDTSCP instruction decode Date: Mon, 7 Mar 2022 00:17:37 +0100 Message-Id: <20220306231753.50277-7-philippe.mathieu.daude@gmail.com> In-Reply-To: <20220306231753.50277-1-philippe.mathieu.daude@gmail.com> References: <20220306231753.50277-1-philippe.mathieu.daude@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=2a00:1450:4864:20::42c; envelope-from=philippe.mathieu.daude@gmail.com; helo=mail-wr1-x42c.google.com X-Spam_score_int: -6 X-Spam_score: -0.7 X-Spam_bar: / X-Spam_report: (-0.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, PDS_HP_HELO_NORDNS=0.659, RCVD_IN_DNSWL_NONE=-0.0001, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=no autolearn_force=no X-Spam_action: no action Precedence: list Cc: Peter Maydell <peter.maydell@linaro.org>, Thomas Huth <thuth@redhat.com>, qemu-block@nongnu.org, Christian Schoenebeck <qemu_oss@crudebyte.com>, =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <f4bug@amsat.org>, Cameron Esfahani <dirty@apple.com>, Roman Bolshakov <r.bolshakov@yadro.com>, Will Cohen <wwcohen@gmail.com>, Gerd Hoffmann <kraxel@redhat.com>, Akihiko Odaki <akihiko.odaki@gmail.com>, =?utf-8?q?Alex_Benn=C3=A9e?= <alex.bennee@linaro.org> Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" <qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org>
Series	host: Support macOS 12 \| expand [v7,00/22] host: Support macOS 12 [v7,01/22] configure: Allow passing extra Objective C compiler flags [v7,02/22] tests/fp/berkeley-testfloat-3: Ignore ignored #pragma directives [v7,03/22] hvf: Use standard CR0 and CR4 register definitions [v7,04/22] hvf: Make hvf_get_segments() / hvf_put_segments() local [v7,05/22] hvf: Remove deprecated hv_vcpu_flush() calls [v7,06/22] hvf: Fix OOB write in RDTSCP instruction decode [v7,07/22] block/file-posix: Remove a deprecation warning on macOS 12 [v7,08/22] audio/coreaudio: Remove a deprecation warning on macOS 12 [v7,09/22] audio/dbus: Fix building with modules on macOS [v7,10/22] audio: Log context for audio bug [v7,11/22] coreaudio: Always return 0 in handle_voice_change [v7,12/22] audio: Rename coreaudio extension to use Objective-C compiler [v7,13/22] osdep: Avoid using Clang-specific __builtin_available() [v7,14/22] meson: Resolve the entitlement.sh script once for good [v7,15/22] meson: Log QEMU_CXXFLAGS content in summary [v7,16/22] configure: Pass filtered QEMU_OBJCFLAGS to meson [v7,17/22] ui/cocoa: Constify qkeycode translation arrays [v7,18/22] ui/cocoa: add option to disable left-command forwarding to guest [v7,19/22] ui/cocoa: release mouse when user switches away from QEMU window [v7,20/22] ui/cocoa: capture all keys and combos when mouse is grabbed [v7,21/22] ui/cocoa: add option to swap Option and Command [v7,22/22] gitlab-ci: Support macOS 12 via cirrus-run

Message ID

20220306231753.50277-7-philippe.mathieu.daude@gmail.com (mailing list archive)

State

New, archived

Headers

From: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?=
 <philippe.mathieu.daude@gmail.com>
To: qemu-devel@nongnu.org
Subject: [PATCH v7 06/22] hvf: Fix OOB write in RDTSCP instruction decode
Date: Mon,  7 Mar 2022 00:17:37 +0100
Message-Id: <20220306231753.50277-7-philippe.mathieu.daude@gmail.com>
In-Reply-To: <20220306231753.50277-1-philippe.mathieu.daude@gmail.com>
References: <20220306231753.50277-1-philippe.mathieu.daude@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=2a00:1450:4864:20::42c;
 envelope-from=philippe.mathieu.daude@gmail.com; helo=mail-wr1-x42c.google.com
X-Spam_score_int: -6
X-Spam_score: -0.7
X-Spam_bar: /
X-Spam_report: (-0.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 PDS_HP_HELO_NORDNS=0.659, RCVD_IN_DNSWL_NONE=-0.0001, RDNS_NONE=0.793,
 SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
 T_SCC_BODY_TEXT_LINE=-0.01 autolearn=no autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Cc: Peter Maydell <peter.maydell@linaro.org>, Thomas Huth <thuth@redhat.com>,
 qemu-block@nongnu.org, Christian Schoenebeck <qemu_oss@crudebyte.com>,
	=?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <f4bug@amsat.org>,
 Cameron Esfahani <dirty@apple.com>, Roman Bolshakov <r.bolshakov@yadro.com>,
 Will Cohen <wwcohen@gmail.com>, Gerd Hoffmann <kraxel@redhat.com>,
 Akihiko Odaki <akihiko.odaki@gmail.com>,
 =?utf-8?q?Alex_Benn=C3=A9e?= <alex.bennee@linaro.org>
Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org
Sender: "Qemu-devel"
 <qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org>

Series

host: Support macOS 12 | expand

Commit Message

Philippe Mathieu-Daudé March 6, 2022, 11:17 p.m. UTC

From: Cameron Esfahani <dirty@apple.com>

A guest could craft a specific stream of instructions that will have QEMU
write 0xF9 to inappropriate locations in memory.  Add additional asserts
to check for this.  Generate a #UD if there are more than 14 prefix bytes.

Found by Julian Stecklina <julian.stecklina@cyberus-technology.de>

Signed-off-by: Cameron Esfahani <dirty@apple.com>
Message-Id: <20220219063831.35356-1-dirty@apple.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
 target/i386/hvf/x86_decode.c | 12 ++++++++++--
 target/i386/hvf/x86hvf.c     |  8 ++++++++
 target/i386/hvf/x86hvf.h     |  1 +
 3 files changed, 19 insertions(+), 2 deletions(-)

Comments

Philippe Mathieu-Daudé March 9, 2022, 10:20 a.m. UTC | #1

Hi Paolo,

I forgot to Cc you. Could you Ack this patch?

On 7/3/22 00:17, Philippe Mathieu-Daudé wrote:
> From: Cameron Esfahani <dirty@apple.com>
> 
> A guest could craft a specific stream of instructions that will have QEMU
> write 0xF9 to inappropriate locations in memory.  Add additional asserts
> to check for this.  Generate a #UD if there are more than 14 prefix bytes.
> 
> Found by Julian Stecklina <julian.stecklina@cyberus-technology.de>
> 
> Signed-off-by: Cameron Esfahani <dirty@apple.com>
> Message-Id: <20220219063831.35356-1-dirty@apple.com>
> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> ---
>   target/i386/hvf/x86_decode.c | 12 ++++++++++--
>   target/i386/hvf/x86hvf.c     |  8 ++++++++
>   target/i386/hvf/x86hvf.h     |  1 +
>   3 files changed, 19 insertions(+), 2 deletions(-)
> 
> diff --git a/target/i386/hvf/x86_decode.c b/target/i386/hvf/x86_decode.c
> index 062713b1a4..5d051252b4 100644
> --- a/target/i386/hvf/x86_decode.c
> +++ b/target/i386/hvf/x86_decode.c
> @@ -24,8 +24,10 @@
>   #include "vmx.h"
>   #include "x86_mmu.h"
>   #include "x86_descr.h"
> +#include "x86hvf.h"
>   
>   #define OPCODE_ESCAPE   0xf
> +#define X86_MAX_INSN_PREFIX_LENGTH (14)
>   
>   static void decode_invalid(CPUX86State *env, struct x86_decode *decode)
>   {
> @@ -541,7 +543,8 @@ static void decode_lidtgroup(CPUX86State *env, struct x86_decode *decode)
>       };
>       decode->cmd = group[decode->modrm.reg];
>       if (0xf9 == decode->modrm.modrm) {
> -        decode->opcode[decode->len++] = decode->modrm.modrm;
> +        VM_PANIC_ON(decode->opcode_len >= sizeof(decode->opcode));
> +        decode->opcode[decode->opcode_len++] = decode->modrm.modrm;
>           decode->cmd = X86_DECODE_CMD_RDTSCP;
>       }
>   }
> @@ -1847,7 +1850,8 @@ void calc_modrm_operand(CPUX86State *env, struct x86_decode *decode,
>   
>   static void decode_prefix(CPUX86State *env, struct x86_decode *decode)
>   {
> -    while (1) {
> +    /* At most X86_MAX_INSN_PREFIX_LENGTH prefix bytes. */
> +    for (int i = 0; i < X86_MAX_INSN_PREFIX_LENGTH; i++) {
>           /*
>            * REX prefix must come after legacy prefixes.
>            * REX before legacy is ignored.
> @@ -1892,6 +1896,8 @@ static void decode_prefix(CPUX86State *env, struct x86_decode *decode)
>               return;
>           }
>       }
> +    /* Too many prefixes!  Generate #UD. */
> +    hvf_inject_ud(env);
>   }
>   
>   void set_addressing_size(CPUX86State *env, struct x86_decode *decode)
> @@ -2090,11 +2096,13 @@ static void decode_opcodes(CPUX86State *env, struct x86_decode *decode)
>       uint8_t opcode;
>   
>       opcode = decode_byte(env, decode);
> +    VM_PANIC_ON(decode->opcode_len >= sizeof(decode->opcode));
>       decode->opcode[decode->opcode_len++] = opcode;
>       if (opcode != OPCODE_ESCAPE) {
>           decode_opcode_1(env, decode, opcode);
>       } else {
>           opcode = decode_byte(env, decode);
> +        VM_PANIC_ON(decode->opcode_len >= sizeof(decode->opcode));
>           decode->opcode[decode->opcode_len++] = opcode;
>           decode_opcode_2(env, decode, opcode);
>       }
> diff --git a/target/i386/hvf/x86hvf.c b/target/i386/hvf/x86hvf.c
> index bec9fc5814..a338c207b7 100644
> --- a/target/i386/hvf/x86hvf.c
> +++ b/target/i386/hvf/x86hvf.c
> @@ -423,6 +423,14 @@ bool hvf_inject_interrupts(CPUState *cpu_state)
>               & (CPU_INTERRUPT_INIT | CPU_INTERRUPT_TPR));
>   }
>   
> +void hvf_inject_ud(CPUX86State *env)
> +{
> +    env->exception_nr = EXCP06_ILLOP;
> +    env->exception_injected = 1;
> +    env->has_error_code = false;
> +    env->error_code = 0;
> +}
> +
>   int hvf_process_events(CPUState *cpu_state)
>   {
>       X86CPU *cpu = X86_CPU(cpu_state);
> diff --git a/target/i386/hvf/x86hvf.h b/target/i386/hvf/x86hvf.h
> index db6003d6bd..427cdc1c13 100644
> --- a/target/i386/hvf/x86hvf.h
> +++ b/target/i386/hvf/x86hvf.h
> @@ -22,6 +22,7 @@
>   
>   int hvf_process_events(CPUState *);
>   bool hvf_inject_interrupts(CPUState *);
> +void hvf_inject_ud(CPUX86State *);
>   void hvf_set_segment(struct CPUState *cpu, struct vmx_segment *vmx_seg,
>                        SegmentCache *qseg, bool is_tr);
>   void hvf_get_segment(SegmentCache *qseg, struct vmx_segment *vmx_seg);

Peter Maydell March 15, 2022, 12:58 p.m. UTC | #2

On Wed, 9 Mar 2022 at 10:20, Philippe Mathieu-Daudé
<philippe.mathieu.daude@gmail.com> wrote:
>
> Hi Paolo,
>
> I forgot to Cc you. Could you Ack this patch?

I had review comments on the version of this patch in v5 which
still need to be addressed:

https://lore.kernel.org/qemu-devel/CAFEAcA8yaBOD3KXc-DY94oqzC5wkCENPkePgVCybqR=9NmdQFQ@mail.gmail.com/

thanks
-- PMM

Philippe Mathieu-Daudé March 15, 2022, 1 p.m. UTC | #3

On 15/3/22 13:58, Peter Maydell wrote:
> On Wed, 9 Mar 2022 at 10:20, Philippe Mathieu-Daudé
> <philippe.mathieu.daude@gmail.com> wrote:
>>
>> Hi Paolo,
>>
>> I forgot to Cc you. Could you Ack this patch?
> 
> I had review comments on the version of this patch in v5 which
> still need to be addressed:
> 
> https://lore.kernel.org/qemu-devel/CAFEAcA8yaBOD3KXc-DY94oqzC5wkCENPkePgVCybqR=9NmdQFQ@mail.gmail.com/

Thanks for pointing at your comments, I totally missed them.

I'll let Cameron address them.

Regards,

Phil.

diff --git a/target/i386/hvf/x86_decode.c b/target/i386/hvf/x86_decode.c
index 062713b1a4..5d051252b4 100644
--- a/target/i386/hvf/x86_decode.c
+++ b/target/i386/hvf/x86_decode.c
@@ -24,8 +24,10 @@ 
 #include "vmx.h"
 #include "x86_mmu.h"
 #include "x86_descr.h"
+#include "x86hvf.h"
 
 #define OPCODE_ESCAPE   0xf
+#define X86_MAX_INSN_PREFIX_LENGTH (14)
 
 static void decode_invalid(CPUX86State *env, struct x86_decode *decode)
 {
@@ -541,7 +543,8 @@  static void decode_lidtgroup(CPUX86State *env, struct x86_decode *decode)
     };
     decode->cmd = group[decode->modrm.reg];
     if (0xf9 == decode->modrm.modrm) {
-        decode->opcode[decode->len++] = decode->modrm.modrm;
+        VM_PANIC_ON(decode->opcode_len >= sizeof(decode->opcode));
+        decode->opcode[decode->opcode_len++] = decode->modrm.modrm;
         decode->cmd = X86_DECODE_CMD_RDTSCP;
     }
 }
@@ -1847,7 +1850,8 @@  void calc_modrm_operand(CPUX86State *env, struct x86_decode *decode,
 
 static void decode_prefix(CPUX86State *env, struct x86_decode *decode)
 {
-    while (1) {
+    /* At most X86_MAX_INSN_PREFIX_LENGTH prefix bytes. */
+    for (int i = 0; i < X86_MAX_INSN_PREFIX_LENGTH; i++) {
         /*
          * REX prefix must come after legacy prefixes.
          * REX before legacy is ignored.
@@ -1892,6 +1896,8 @@  static void decode_prefix(CPUX86State *env, struct x86_decode *decode)
             return;
         }
     }
+    /* Too many prefixes!  Generate #UD. */
+    hvf_inject_ud(env);
 }
 
 void set_addressing_size(CPUX86State *env, struct x86_decode *decode)
@@ -2090,11 +2096,13 @@  static void decode_opcodes(CPUX86State *env, struct x86_decode *decode)
     uint8_t opcode;
 
     opcode = decode_byte(env, decode);
+    VM_PANIC_ON(decode->opcode_len >= sizeof(decode->opcode));
     decode->opcode[decode->opcode_len++] = opcode;
     if (opcode != OPCODE_ESCAPE) {
         decode_opcode_1(env, decode, opcode);
     } else {
         opcode = decode_byte(env, decode);
+        VM_PANIC_ON(decode->opcode_len >= sizeof(decode->opcode));
         decode->opcode[decode->opcode_len++] = opcode;
         decode_opcode_2(env, decode, opcode);
     }
diff --git a/target/i386/hvf/x86hvf.c b/target/i386/hvf/x86hvf.c
index bec9fc5814..a338c207b7 100644
--- a/target/i386/hvf/x86hvf.c
+++ b/target/i386/hvf/x86hvf.c
@@ -423,6 +423,14 @@  bool hvf_inject_interrupts(CPUState *cpu_state)
             & (CPU_INTERRUPT_INIT | CPU_INTERRUPT_TPR));
 }
 
+void hvf_inject_ud(CPUX86State *env)
+{
+    env->exception_nr = EXCP06_ILLOP;
+    env->exception_injected = 1;
+    env->has_error_code = false;
+    env->error_code = 0;
+}
+
 int hvf_process_events(CPUState *cpu_state)
 {
     X86CPU *cpu = X86_CPU(cpu_state);
diff --git a/target/i386/hvf/x86hvf.h b/target/i386/hvf/x86hvf.h
index db6003d6bd..427cdc1c13 100644
--- a/target/i386/hvf/x86hvf.h
+++ b/target/i386/hvf/x86hvf.h
@@ -22,6 +22,7 @@ 
 
 int hvf_process_events(CPUState *);
 bool hvf_inject_interrupts(CPUState *);
+void hvf_inject_ud(CPUX86State *);
 void hvf_set_segment(struct CPUState *cpu, struct vmx_segment *vmx_seg,
                      SegmentCache *qseg, bool is_tr);
 void hvf_get_segment(SegmentCache *qseg, struct vmx_segment *vmx_seg);

[v7,06/22] hvf: Fix OOB write in RDTSCP instruction decode

Commit Message

Comments

Patch