From patchwork Wed Mar 22 14:55:23 2017
X-Patchwork-Submitter: Pranith Kumar
X-Patchwork-Id: 9639127
From: Pranith Kumar
Date: Wed, 22 Mar 2017 10:55:23 -0400
To: Peter Maydell
Cc: Qemu Developers, Jann Horn
Subject: Re: [Qemu-devel] [BUG] user-to-root privesc inside VM via bad translation caching

On Mon, Mar 20, 2017 at 10:46 AM, Peter Maydell wrote:
> On 20 March 2017 at 14:36, Jann Horn wrote:
>> This is an issue in QEMU's system emulation for X86 in TCG mode.
>> The issue permits an attacker who can execute code in guest ring 3
>> with normal user privileges to inject code into other processes that
>> are running in guest ring 3, in particular root-owned processes.
>
>> I am sending this to qemu-devel because a QEMU security contact
>> told me that QEMU does not consider privilege escalation inside a
>> TCG VM to be a security concern.
>
> Correct; it's just a bug. Don't trust TCG QEMU as a security boundary.
>
> We should really fix the crossing-a-page-boundary code for x86.
> I believe we do get it correct for ARM Thumb instructions.

How about doing the instruction size check as follows?

Thanks,
---
Pranith

diff --git a/target/i386/translate.c b/target/i386/translate.c
index 72c1b03a2a..94cf3da719 100644
--- a/target/i386/translate.c
+++ b/target/i386/translate.c
@@ -8235,6 +8235,10 @@ static target_ulong disas_insn(CPUX86State *env, DisasContext *s,
     default:
         goto unknown_op;
     }
+    if (s->pc - pc_start > 15) {
+        s->pc = pc_start;
+        goto illegal_op;
+    }
     return s->pc;
  illegal_op:
     gen_illegal_opcode(s);
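Review bot: the new check runs only after the whole `switch` has decoded the instruction, so by the time `s->pc - pc_start > 15` is evaluated the decoder has already fetched every byte of the over-long instruction and emitted TCG ops for it; resetting `s->pc = pc_start` before `goto illegal_op` does not undo those ops, so the length test belongs at the point where the fetch first exceeds 15 bytes, or the ops already emitted for the instruction must be discarded. The bare `15` also deserves a comment stating that it is the architectural x86 maximum instruction length, which is why exceeding it raises #UD. Separately, this does not address the page-crossing case raised above: an instruction of 15 bytes or fewer can still straddle two pages, so the translation-cache handling of the second page still needs its own fix.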
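To show the bookkeeping behind the point that a page-crossing instruction's cached translation must be dropped when either page it was decoded from is written, here is an added toy model in C; it is not QEMU code, and the page size, cache layout and function names are assumptions.

```c
/* Toy model of the translation-cache bookkeeping at issue: a translation
 * block (TB) that decoded bytes from two guest pages must be dropped when
 * either page is written.  Added example, not QEMU code; page size, cache
 * shape and function names are assumptions. */
#include <stdint.h>
#include <stdbool.h>
#define PAGE_BITS 12                /* assumed 4 KiB guest pages */
#define PAGE_OF(a) ((a) >> PAGE_BITS)
#define X86_MAX_INSN_LEN 15         /* architectural limit; longer raises #UD */
#define MAX_TBS 16

typedef struct { uint64_t start, end; bool valid; } TB;  /* bytes [start, end) */
static TB tb_cache[MAX_TBS];

/* The length test from the proposed patch. */
int insn_len_ok(uint64_t pc_start, uint64_t pc)
{
    return pc - pc_start <= X86_MAX_INSN_LEN;
}

/* Cache a translated range; returns the slot, or -1 when full or when the
 * instruction is over-long (the decoder should raise #UD instead). */
int tb_insert(uint64_t start, uint64_t end)
{
    if (!insn_len_ok(start, end)) return -1;
    for (int i = 0; i < MAX_TBS; i++) {
        if (!tb_cache[i].valid) {
            tb_cache[i] = (TB){ start, end, true };
            return i;
        }
    }
    return -1;
}

/* Guest wrote to `page`: drop every TB that decoded a byte from it.  A cache
 * keyed only by a TB's first page misses writes to the second page and keeps
 * executing the stale translation, which is the bug class discussed above. */
int tb_invalidate_page(uint64_t page)
{
    int dropped = 0;
    for (int i = 0; i < MAX_TBS; i++) {
        TB *t = &tb_cache[i];
        if (t->valid && (PAGE_OF(t->start) == page || PAGE_OF(t->end - 1) == page)) {
            t->valid = false;
            dropped++;
        }
    }
    return dropped;
}
int tb_is_valid(int slot) { return slot >= 0 && tb_cache[slot].valid; }
```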