From: "Philippe Mathieu-Daudé via" <qemu-devel@nongnu.org>
To: qemu-devel@nongnu.org
Cc: "Cameron Esfahani" <dirty@apple.com>,
	"Peter Maydell" <peter.maydell@linaro.org>,
	"Will Cohen" <wwcohen@gmail.com>,
	"Akihiko Odaki" <akihiko.odaki@gmail.com>,
	"Alex Bennée" <alex.bennee@linaro.org>,
	"Christian Schoenebeck" <qemu_oss@crudebyte.com>,
	"Roman Bolshakov" <r.bolshakov@yadro.com>,
	"Li Zhang" <lizhang@suse.de>,
	"Philippe Mathieu-Daudé" <f4bug@amsat.org>
Subject: [PATCH v4 05/13] hvf: Fix OOB write in RDTSCP instruction decode
Date: Fri, 11 Feb 2022 17:34:26 +0100	[thread overview]
Message-ID: <20220211163434.58423-6-f4bug@amsat.org> (raw)
In-Reply-To: <20220211163434.58423-1-f4bug@amsat.org>

From: Cameron Esfahani <dirty@apple.com>

A guest could craft a specific stream of instructions that will have QEMU
write 0xF9 to inappropriate locations in memory.  Add additional asserts
to check for this.  Generate a #UD if there are more than 14 prefix bytes.

Found by Julian Stecklina <julian.stecklina@cyberus-technology.de>

Signed-off-by: Cameron Esfahani <dirty@apple.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
 target/i386/hvf/x86_decode.c | 11 +++++++++--
 target/i386/hvf/x86hvf.c     |  8 ++++++++
 target/i386/hvf/x86hvf.h     |  1 +
 3 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/target/i386/hvf/x86_decode.c b/target/i386/hvf/x86_decode.c
index 062713b1a4..fbaf1813e8 100644
--- a/target/i386/hvf/x86_decode.c
+++ b/target/i386/hvf/x86_decode.c
@@ -24,6 +24,7 @@
 #include "vmx.h"
 #include "x86_mmu.h"
 #include "x86_descr.h"
+#include "x86hvf.h"
 
 #define OPCODE_ESCAPE   0xf
 
@@ -541,7 +542,8 @@ static void decode_lidtgroup(CPUX86State *env, struct x86_decode *decode)
     };
     decode->cmd = group[decode->modrm.reg];
     if (0xf9 == decode->modrm.modrm) {
-        decode->opcode[decode->len++] = decode->modrm.modrm;
+        VM_PANIC_ON(decode->opcode_len >= sizeof(decode->opcode));
+        decode->opcode[decode->opcode_len++] = decode->modrm.modrm;
         decode->cmd = X86_DECODE_CMD_RDTSCP;
     }
 }
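Review bot: The bounds check followed by the append on the two added lines is now repeated verbatim at three sites, here and twice in the decode_opcodes hunk, so the invariant guarding decode->opcode lives in three places; a small static helper would keep it in one. Because VM_PANIC_ON is a host-side abort on a path driven by guest instruction bytes, that helper is also the natural place for a one-line comment saying why the bound is not reachable: the visible hunks push at most three opcode bytes (two in decode_opcodes, one here), but the size of decode->opcode is not shown in this patch, so that claim needs confirming against the header that defines struct x86_decode. The removed line indexed the array with decode->len rather than decode->opcode_len, which is the stray write the commit message describes; the replacement already fixes that, and the helper is only about keeping the fix in one place.
```c
/* Append one opcode byte, aborting rather than writing past decode->opcode. */
static inline void push_opcode_byte(struct x86_decode *decode, uint8_t byte)
{
    VM_PANIC_ON(decode->opcode_len >= sizeof(decode->opcode));
    decode->opcode[decode->opcode_len++] = byte;
}

/* … unchanged: decode_lidtgroup group table and cmd lookup … */
    if (0xf9 == decode->modrm.modrm) {
        push_opcode_byte(decode, decode->modrm.modrm);
        decode->cmd = X86_DECODE_CMD_RDTSCP;
    }
```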
@@ -1847,7 +1849,8 @@ void calc_modrm_operand(CPUX86State *env, struct x86_decode *decode,
 
 static void decode_prefix(CPUX86State *env, struct x86_decode *decode)
 {
-    while (1) {
+    /* At most 14 prefix bytes. */
+    for (int i = 0; i < 14; i++) {
         /*
          * REX prefix must come after legacy prefixes.
          * REX before legacy is ignored.
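Review bot: The literal 14 in the new for-loop bound carries the whole reasoning of the fix, but the comment above it only restates the number; say where it comes from, e.g. `/* An x86 instruction is at most 15 bytes long, so at most 14 of them can be prefixes before the opcode byte. */`. A named constant defined next to OPCODE_ESCAPE at the top of the file would keep the bound and its justification together instead of leaving a bare number in the loop header. The loop body continues past the end of this hunk.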
@@ -1892,6 +1895,8 @@ static void decode_prefix(CPUX86State *env, struct x86_decode *decode)
             return;
         }
     }
+    /* Too many prefixes!  Generate #UD. */
+    hvf_inject_ud(env);
 }
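Review bot: When the loop runs out, the added hvf_inject_ud() call queues the exception but decode_prefix still returns to its caller normally, so nothing in this hunk stops the caller from going on to decode and emulate the bytes after the 14 prefixes with the #UD pending. The caller is not visible here, so whether that matters depends on whether it checks env->exception_injected before emulating; if it does not, a guest-visible side effect of the emulated instruction could land before the fault is delivered. A comment on the new lines stating that the caller is expected to bail out, or a bool return from decode_prefix that the caller checks, would make the contract explicit. decode_prefix begins before this hunk.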
 
 void set_addressing_size(CPUX86State *env, struct x86_decode *decode)
@@ -2090,11 +2095,13 @@ static void decode_opcodes(CPUX86State *env, struct x86_decode *decode)
     uint8_t opcode;
 
     opcode = decode_byte(env, decode);
+    VM_PANIC_ON(decode->opcode_len >= sizeof(decode->opcode));
     decode->opcode[decode->opcode_len++] = opcode;
     if (opcode != OPCODE_ESCAPE) {
         decode_opcode_1(env, decode, opcode);
     } else {
         opcode = decode_byte(env, decode);
+        VM_PANIC_ON(decode->opcode_len >= sizeof(decode->opcode));
         decode->opcode[decode->opcode_len++] = opcode;
         decode_opcode_2(env, decode, opcode);
     }
diff --git a/target/i386/hvf/x86hvf.c b/target/i386/hvf/x86hvf.c
index 05ec1bddc4..a805c125d9 100644
--- a/target/i386/hvf/x86hvf.c
+++ b/target/i386/hvf/x86hvf.c
@@ -425,6 +425,14 @@ bool hvf_inject_interrupts(CPUState *cpu_state)
             & (CPU_INTERRUPT_INIT | CPU_INTERRUPT_TPR));
 }
 
+void hvf_inject_ud(CPUX86State *env)
+{
+    env->exception_nr = EXCP06_ILLOP;
+    env->exception_injected = 1;
+    env->has_error_code = false;
+    env->error_code = 0;
+}
+
 int hvf_process_events(CPUState *cpu_state)
 {
     X86CPU *cpu = X86_CPU(cpu_state);
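Review bot: hvf_inject_ud() writes env->exception_nr and sets env->exception_injected unconditionally, so if an exception is already queued when it is called the earlier one is silently replaced; I cannot tell from this hunk whether that can happen on the decode path, and the function carries no comment stating that it is only valid when nothing is pending. A doc comment on the definition (and on the prototype added to x86hvf.h) saying that it queues an #UD, presumably picked up by hvf_inject_interrupts() on the next VM entry, and that it overwrites any pending exception would make the contract clear. The four assignments are consistent with #UD carrying no error code; hvf_inject_interrupts() ends just above this addition.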
diff --git a/target/i386/hvf/x86hvf.h b/target/i386/hvf/x86hvf.h
index 99ed8d608d..ef472a32f9 100644
--- a/target/i386/hvf/x86hvf.h
+++ b/target/i386/hvf/x86hvf.h
@@ -22,6 +22,7 @@
 
 int hvf_process_events(CPUState *);
 bool hvf_inject_interrupts(CPUState *);
+void hvf_inject_ud(CPUX86State *);
 void hvf_set_segment(struct CPUState *cpu, struct vmx_segment *vmx_seg,
                      SegmentCache *qseg, bool is_tr);
 void hvf_get_segment(SegmentCache *qseg, struct vmx_segment *vmx_seg);
-- 
2.34.1


