* another invalid memory access, now xen: acpi-cnt
@ 2020-07-20 14:56 Michael Tokarev
From: Michael Tokarev @ 2020-07-20 14:56 UTC (permalink / raw)
  To: qemu-devel qemu-devel, Michael S. Tsirkin

See https://bugs.launchpad.net/qemu/+bug/1886318 , in particular
the #13 in there (the patch) - I applied this to qemu which crashes
after revert-memory-accept-mismatching-sizes-in-memory_region_access_valid-CVE-2020-13754.patch
when run as the device model for Xen HVM domU.  Here's the output:

invalid size: acpi-cnt addr 0 size: 1
invalid size: acpi-cnt addr 0 size: 1

after this it just dies.

This is another incarnation of LP#1886318 .
What can we do here?

Thanks,

/mjt



* Re: another invalid memory access, now xen: acpi-cnt
@ 2020-07-20 15:02 ` Michael Tokarev
From: Michael Tokarev @ 2020-07-20 15:02 UTC (permalink / raw)
  To: qemu-devel qemu-devel, Michael S. Tsirkin

20.07.2020 17:56, Michael Tokarev wrote:
> See https://bugs.launchpad.net/qemu/+bug/1886318 , in particular
> the #13 in there (the patch) - I applied this to qemu which crashes
> after revert-memory-accept-mismatching-sizes-in-memory_region_access_valid-CVE-2020-13754.patch
> when run as the device model for Xen HVM domU.  Here's the output:
> 
> invalid size: acpi-cnt addr 0 size: 1
> invalid size: acpi-cnt addr 0 size: 1
> 
> after this it just dies.
> 
> This is another incarnation of LP#1886318 .
> What can we do here?

This fixes it:

diff --git a/hw/acpi/core.c b/hw/acpi/core.c
index 45cbed49abd..2cfb9bdc177 100644
--- a/hw/acpi/core.c
+++ b/hw/acpi/core.c
@@ -602,7 +602,8 @@ static void acpi_pm_cnt_write(void *opaque, hwaddr addr, uint64_t val,
 static const MemoryRegionOps acpi_pm_cnt_ops = {
     .read = acpi_pm_cnt_read,
     .write = acpi_pm_cnt_write,
-    .valid.min_access_size = 2,
+    .impl.min_access_size = 2,
+    .valid.min_access_size = 1,
     .valid.max_access_size = 2,
     .endianness = DEVICE_LITTLE_ENDIAN,
 };
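Review bot: with `.impl.min_access_size = 2` alongside `.valid.min_access_size = 1`, a byte access is no longer rejected but rounded up by the memory core to a 2-byte call into acpi_pm_cnt_read/acpi_pm_cnt_write. That is fine for the read side, which returns a partial result, but on the write side the callback receives a 2-byte write built from the single byte the guest supplied, so acpi_pm_cnt_write should be checked to confirm it tolerates a widened write rather than treating the value as the whole 16-bit register; the hunk shows only the ops table, not that callback. The change also deserves a comment on the ops table saying why byte access to acpi-cnt is now accepted, and given the remark below that QEMU itself appears to issue the byte access, identifying that caller would be preferable to loosening the valid range.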

But this time it's qemu itself, apparently, that tries to access this register.

/mjt


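As an added illustration, not part of the thread and not QEMU's own code, the following C model shows what the hunk above changes: how the memory core applies a MemoryRegionOps table's `.valid.*` constraints (is the guest access accepted at all?) and `.impl.*` constraints (how is an accepted access presented to the device callbacks?). It follows the rule documented in include/exec/memory.h that accesses narrower than `impl.min_access_size` are rounded up, and runs the same byte write against the "before" and "after" ops tables from the patch. The register, its initial value 0x0401, the `ModelOps`/`FakeCnt` names and the `dispatch_write` helper are all constructed for this example.

```c
/*
 * Model of QEMU's MemoryRegionOps access-size handling, written for this
 * thread as an illustration.  It is NOT QEMU's memory.c; it follows the
 * documented rules: .valid decides whether a guest access is accepted,
 * .impl decides how an accepted access reaches the device, with narrower
 * accesses rounded up to impl.min_access_size.
 */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    unsigned min_access_size;   /* 0 means "use the core's default" */
    unsigned max_access_size;
} AccessConstraint;

typedef struct {
    uint64_t (*read)(void *opaque, uint64_t addr, unsigned size);
    void (*write)(void *opaque, uint64_t addr, uint64_t val, unsigned size);
    AccessConstraint valid;     /* what the guest may do */
    AccessConstraint impl;      /* what the callbacks implement */
} ModelOps;

/* Constructed 16-bit control register; remembers what size the callback saw. */
typedef struct {
    uint16_t cnt;
    unsigned last_write_size;
} FakeCnt;

static uint64_t fake_cnt_read(void *opaque, uint64_t addr, unsigned size)
{
    (void)addr; (void)size;
    return ((FakeCnt *)opaque)->cnt;
}

/* Like a 16-bit-only callback, this trusts val to be the whole register. */
static void fake_cnt_write(void *opaque, uint64_t addr, uint64_t val, unsigned size)
{
    FakeCnt *s = opaque;
    (void)addr;
    s->last_write_size = size;
    s->cnt = (uint16_t)val;
}

/* memory_region_access_valid(): sizes outside .valid.* are rejected. */
static bool access_valid(const ModelOps *ops, unsigned size)
{
    unsigned min = ops->valid.min_access_size ? ops->valid.min_access_size : 1;
    unsigned max = ops->valid.max_access_size ? ops->valid.max_access_size : 4;
    return size >= min && size <= max;
}

/*
 * access_with_adjusted_size(), write direction: round the access up to
 * impl.min_access_size (or split it down to impl.max_access_size) and hand
 * the masked value to the device.  There is no read-modify-write here: a
 * byte write arrives at the callback as a 2-byte write whose other byte is 0.
 */
static bool dispatch_write(const ModelOps *ops, void *opaque, uint64_t addr,
                           uint64_t val, unsigned size)
{
    if (!access_valid(ops, size)) {
        printf("invalid size: model-cnt addr %" PRIu64 " size: %u\n", addr, size);
        return false;
    }
    unsigned impl_min = ops->impl.min_access_size ? ops->impl.min_access_size : 1;
    unsigned impl_max = ops->impl.max_access_size ? ops->impl.max_access_size : 4;
    unsigned access_size = size < impl_max ? size : impl_max;
    if (access_size < impl_min) {
        access_size = impl_min;
    }
    uint64_t mask = access_size >= 8 ? ~0ULL : ((1ULL << (access_size * 8)) - 1);
    for (unsigned i = 0; i < size; i += access_size) {
        ops->write(opaque, addr + i, (val >> (i * 8)) & mask, access_size);
    }
    return true;
}

/* The two ops tables from the patch: original and patched constraints. */
static const ModelOps ops_before = {
    .read = fake_cnt_read, .write = fake_cnt_write, .valid = { 2, 2 }, .impl = { 0, 0 }
};
static const ModelOps ops_after = {
    .read = fake_cnt_read, .write = fake_cnt_write, .valid = { 1, 2 }, .impl = { 2, 0 }
};

/* Guest writes byte 0x01 to offset 0 while the register holds the constructed
 * value 0x0401.  Returns the register afterwards, or -1 if the core rejected it. */
static int byte_write_low(const ModelOps *ops, unsigned *seen_size)
{
    FakeCnt s = { .cnt = 0x0401, .last_write_size = 0 };
    if (!dispatch_write(ops, &s, 0, 0x01, 1)) {
        return -1;
    }
    if (seen_size) {
        *seen_size = s.last_write_size;
    }
    return s.cnt;
}

/* Access size the callback saw for the widened byte write under the patched ops. */
static unsigned seen_size_after(void)
{
    unsigned seen = 0;
    byte_write_low(&ops_after, &seen);
    return seen;
}

/* The 16-bit write the device actually implements, for comparison. */
static int word_write(const ModelOps *ops)
{
    FakeCnt s = { .cnt = 0x0401, .last_write_size = 0 };
    return dispatch_write(ops, &s, 0, 0x1234, 2) ? s.cnt : -1;
}

int main(void)
{
    printf("before patch, byte write: %d\n", byte_write_low(&ops_before, NULL));
    printf("after patch, byte write: 0x%04x (callback saw size %u)\n",
           byte_write_low(&ops_after, NULL), seen_size_after());
    printf("after patch, word write: 0x%04x\n", word_write(&ops_after));
    return 0;
}
```

With the original table the byte access fails the `.valid` check and prints the "invalid size" line seen in the report; with the patched table it is accepted, the callback is invoked with size 2, and the high byte of the register is overwritten with zero because the core widens the value instead of merging it with the current contents. That is the behaviour worth confirming against the real acpi_pm_cnt_write before relying on the patch.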
