* [Bug 1914353] [NEW] QEMU: aarch64: :GIC: out-of-bounds access via interrupt ID
@ 2021-02-03 5:20 P J P
2021-02-03 5:21 ` [Bug 1914353] " P J P
` (4 more replies)
0 siblings, 5 replies; 6+ messages in thread
From: P J P @ 2021-02-03 5:20 UTC (permalink / raw)
To: qemu-devel
*** This bug is a security vulnerability ***
Public security bug reported:
Via [qemu-security] list
+-- On Sun, 31 Jan 2021, Philippe Mathieu-Daudé wrote --+
| On 1/31/21 11:34 AM, Philippe Mathieu-Daudé wrote:
| > Per the ARM Generic Interrupt Controller Architecture specification
| > (document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
| > not 10:
| >
| > - Table 4-21 GICD_SGIR bit assignments
| >
| > The Interrupt ID of the SGI to forward to the specified CPU
| > interfaces. The value of this field is the Interrupt ID, in
| > the range 0-15, for example a value of 0b0011 specifies
| > Interrupt ID 3.
| >
...
| > Correct the irq mask to fix an undefined behavior (which eventually
| > lead to a heap-buffer-overflow, see [Buglink]):
| >
| > $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
| > [I 1612088147.116987] OPENED
| > [R +0.278293] writel 0x8000f00 0xff4affb0
| > ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
| > SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13
| >
| > Cc: qemu-stable@nongnu.org
| > Fixes: 9ee6e8bb853 ("ARMv7 support.")
| > Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
| > Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
...
On 210202 1221, Peter Maydell wrote:
> In both cases the overrun is on the first writel to 0x8000f00,
> but the fuzzer has for some reason not reported that but instead
> blundered on until it happens to trigger some other issue that
> resulted from the memory corruption it induced with the first write.
>
...
> On the CVE:
>
> Since this can affect systems using KVM, this is a security bug for
> us. However, it only affects an uncommon configuration:
> you are only vulnerable if you are using "kernel-irqchip=off"
> (the default is 'on', and turning it off is an odd thing to do).
>
> thanks
> -- PMM
>
** Affects: qemu
Importance: Undecided
Status: New
** Tags: cve security
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1914353
Title:
QEMU: aarch64: :GIC: out-of-bounds access via interrupt ID
Status in QEMU:
New
Bug description:
Via [qemu-security] list
+-- On Sun, 31 Jan 2021, Philippe Mathieu-Daudé wrote --+
| On 1/31/21 11:34 AM, Philippe Mathieu-Daudé wrote:
| > Per the ARM Generic Interrupt Controller Architecture specification
| > (document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
| > not 10:
| >
| > - Table 4-21 GICD_SGIR bit assignments
| >
| > The Interrupt ID of the SGI to forward to the specified CPU
| > interfaces. The value of this field is the Interrupt ID, in
| > the range 0-15, for example a value of 0b0011 specifies
| > Interrupt ID 3.
| >
...
| > Correct the irq mask to fix an undefined behavior (which eventually
| > lead to a heap-buffer-overflow, see [Buglink]):
| >
| > $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
| > [I 1612088147.116987] OPENED
| > [R +0.278293] writel 0x8000f00 0xff4affb0
| > ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
| > SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13
| >
| > Cc: qemu-stable@nongnu.org
| > Fixes: 9ee6e8bb853 ("ARMv7 support.")
| > Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
| > Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
...
On 210202 1221, Peter Maydell wrote:
> In both cases the overrun is on the first writel to 0x8000f00,
> but the fuzzer has for some reason not reported that but instead
> blundered on until it happens to trigger some other issue that
> resulted from the memory corruption it induced with the first write.
>
...
> On the CVE:
>
> Since this can affect systems using KVM, this is a security bug for
> us. However, it only affects an uncommon configuration:
> you are only vulnerable if you are using "kernel-irqchip=off"
> (the default is 'on', and turning it off is an odd thing to do).
>
> thanks
> -- PMM
>
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1914353/+subscriptions
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug 1914353] Re: QEMU: aarch64: :GIC: out-of-bounds access via interrupt ID
2021-02-03 5:20 [Bug 1914353] [NEW] QEMU: aarch64: :GIC: out-of-bounds access via interrupt ID P J P
@ 2021-02-03 5:21 ` P J P
2021-02-03 5:45 ` P J P
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: P J P @ 2021-02-03 5:21 UTC (permalink / raw)
To: qemu-devel
Upstream patch:
-> https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg00709.html
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1914353
Title:
QEMU: aarch64: :GIC: out-of-bounds access via interrupt ID
Status in QEMU:
New
Bug description:
Via [qemu-security] list
+-- On Sun, 31 Jan 2021, Philippe Mathieu-Daudé wrote --+
| On 1/31/21 11:34 AM, Philippe Mathieu-Daudé wrote:
| > Per the ARM Generic Interrupt Controller Architecture specification
| > (document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
| > not 10:
| >
| > - Table 4-21 GICD_SGIR bit assignments
| >
| > The Interrupt ID of the SGI to forward to the specified CPU
| > interfaces. The value of this field is the Interrupt ID, in
| > the range 0-15, for example a value of 0b0011 specifies
| > Interrupt ID 3.
| >
...
| > Correct the irq mask to fix an undefined behavior (which eventually
| > lead to a heap-buffer-overflow, see [Buglink]):
| >
| > $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
| > [I 1612088147.116987] OPENED
| > [R +0.278293] writel 0x8000f00 0xff4affb0
| > ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
| > SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13
| >
| > Cc: qemu-stable@nongnu.org
| > Fixes: 9ee6e8bb853 ("ARMv7 support.")
| > Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
| > Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
...
On 210202 1221, Peter Maydell wrote:
> In both cases the overrun is on the first writel to 0x8000f00,
> but the fuzzer has for some reason not reported that but instead
> blundered on until it happens to trigger some other issue that
> resulted from the memory corruption it induced with the first write.
>
...
> On the CVE:
>
> Since this can affect systems using KVM, this is a security bug for
> us. However, it only affects an uncommon configuration:
> you are only vulnerable if you are using "kernel-irqchip=off"
> (the default is 'on', and turning it off is an odd thing to do).
>
> thanks
> -- PMM
>
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1914353/+subscriptions
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug 1914353] Re: QEMU: aarch64: :GIC: out-of-bounds access via interrupt ID
2021-02-03 5:20 [Bug 1914353] [NEW] QEMU: aarch64: :GIC: out-of-bounds access via interrupt ID P J P
2021-02-03 5:21 ` [Bug 1914353] " P J P
@ 2021-02-03 5:45 ` P J P
2021-02-03 9:56 ` P J P
` (2 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: P J P @ 2021-02-03 5:45 UTC (permalink / raw)
To: qemu-devel
CVE requested.
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1914353
Title:
QEMU: aarch64: :GIC: out-of-bounds access via interrupt ID
Status in QEMU:
New
Bug description:
Via [qemu-security] list
+-- On Sun, 31 Jan 2021, Philippe Mathieu-Daudé wrote --+
| On 1/31/21 11:34 AM, Philippe Mathieu-Daudé wrote:
| > Per the ARM Generic Interrupt Controller Architecture specification
| > (document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
| > not 10:
| >
| > - Table 4-21 GICD_SGIR bit assignments
| >
| > The Interrupt ID of the SGI to forward to the specified CPU
| > interfaces. The value of this field is the Interrupt ID, in
| > the range 0-15, for example a value of 0b0011 specifies
| > Interrupt ID 3.
| >
...
| > Correct the irq mask to fix an undefined behavior (which eventually
| > lead to a heap-buffer-overflow, see [Buglink]):
| >
| > $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
| > [I 1612088147.116987] OPENED
| > [R +0.278293] writel 0x8000f00 0xff4affb0
| > ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
| > SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13
| >
| > Cc: qemu-stable@nongnu.org
| > Fixes: 9ee6e8bb853 ("ARMv7 support.")
| > Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
| > Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
...
On 210202 1221, Peter Maydell wrote:
> In both cases the overrun is on the first writel to 0x8000f00,
> but the fuzzer has for some reason not reported that but instead
> blundered on until it happens to trigger some other issue that
> resulted from the memory corruption it induced with the first write.
>
...
> On the CVE:
>
> Since this can affect systems using KVM, this is a security bug for
> us. However, it only affects an uncommon configuration:
> you are only vulnerable if you are using "kernel-irqchip=off"
> (the default is 'on', and turning it off is an odd thing to do).
>
> thanks
> -- PMM
>
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1914353/+subscriptions
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug 1914353] Re: QEMU: aarch64: :GIC: out-of-bounds access via interrupt ID
2021-02-03 5:20 [Bug 1914353] [NEW] QEMU: aarch64: :GIC: out-of-bounds access via interrupt ID P J P
2021-02-03 5:21 ` [Bug 1914353] " P J P
2021-02-03 5:45 ` P J P
@ 2021-02-03 9:56 ` P J P
2021-02-03 16:42 ` Alexander Bulekov
2021-04-30 8:16 ` Thomas Huth
4 siblings, 0 replies; 6+ messages in thread
From: P J P @ 2021-02-03 9:56 UTC (permalink / raw)
To: qemu-devel
'CVE-2021-20221' assigned by Red Hat Inc.
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-20221
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1914353
Title:
QEMU: aarch64: :GIC: out-of-bounds access via interrupt ID
Status in QEMU:
New
Bug description:
Via [qemu-security] list
+-- On Sun, 31 Jan 2021, Philippe Mathieu-Daudé wrote --+
| On 1/31/21 11:34 AM, Philippe Mathieu-Daudé wrote:
| > Per the ARM Generic Interrupt Controller Architecture specification
| > (document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
| > not 10:
| >
| > - Table 4-21 GICD_SGIR bit assignments
| >
| > The Interrupt ID of the SGI to forward to the specified CPU
| > interfaces. The value of this field is the Interrupt ID, in
| > the range 0-15, for example a value of 0b0011 specifies
| > Interrupt ID 3.
| >
...
| > Correct the irq mask to fix an undefined behavior (which eventually
| > lead to a heap-buffer-overflow, see [Buglink]):
| >
| > $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
| > [I 1612088147.116987] OPENED
| > [R +0.278293] writel 0x8000f00 0xff4affb0
| > ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
| > SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13
| >
| > Cc: qemu-stable@nongnu.org
| > Fixes: 9ee6e8bb853 ("ARMv7 support.")
| > Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
| > Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
...
On 210202 1221, Peter Maydell wrote:
> In both cases the overrun is on the first writel to 0x8000f00,
> but the fuzzer has for some reason not reported that but instead
> blundered on until it happens to trigger some other issue that
> resulted from the memory corruption it induced with the first write.
>
...
> On the CVE:
>
> Since this can affect systems using KVM, this is a security bug for
> us. However, it only affects an uncommon configuration:
> you are only vulnerable if you are using "kernel-irqchip=off"
> (the default is 'on', and turning it off is an odd thing to do).
>
> thanks
> -- PMM
>
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1914353/+subscriptions
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug 1914353] Re: QEMU: aarch64: :GIC: out-of-bounds access via interrupt ID
2021-02-03 5:20 [Bug 1914353] [NEW] QEMU: aarch64: :GIC: out-of-bounds access via interrupt ID P J P
` (2 preceding siblings ...)
2021-02-03 9:56 ` P J P
@ 2021-02-03 16:42 ` Alexander Bulekov
2021-04-30 8:16 ` Thomas Huth
4 siblings, 0 replies; 6+ messages in thread
From: Alexander Bulekov @ 2021-02-03 16:42 UTC (permalink / raw)
To: qemu-devel
** Changed in: qemu
Status: New => Fix Committed
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1914353
Title:
QEMU: aarch64: :GIC: out-of-bounds access via interrupt ID
Status in QEMU:
Fix Committed
Bug description:
Via [qemu-security] list
+-- On Sun, 31 Jan 2021, Philippe Mathieu-Daudé wrote --+
| On 1/31/21 11:34 AM, Philippe Mathieu-Daudé wrote:
| > Per the ARM Generic Interrupt Controller Architecture specification
| > (document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
| > not 10:
| >
| > - Table 4-21 GICD_SGIR bit assignments
| >
| > The Interrupt ID of the SGI to forward to the specified CPU
| > interfaces. The value of this field is the Interrupt ID, in
| > the range 0-15, for example a value of 0b0011 specifies
| > Interrupt ID 3.
| >
...
| > Correct the irq mask to fix an undefined behavior (which eventually
| > lead to a heap-buffer-overflow, see [Buglink]):
| >
| > $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
| > [I 1612088147.116987] OPENED
| > [R +0.278293] writel 0x8000f00 0xff4affb0
| > ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
| > SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13
| >
| > Cc: qemu-stable@nongnu.org
| > Fixes: 9ee6e8bb853 ("ARMv7 support.")
| > Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
| > Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
...
On 210202 1221, Peter Maydell wrote:
> In both cases the overrun is on the first writel to 0x8000f00,
> but the fuzzer has for some reason not reported that but instead
> blundered on until it happens to trigger some other issue that
> resulted from the memory corruption it induced with the first write.
>
...
> On the CVE:
>
> Since this can affect systems using KVM, this is a security bug for
> us. However, it only affects an uncommon configuration:
> you are only vulnerable if you are using "kernel-irqchip=off"
> (the default is 'on', and turning it off is an odd thing to do).
>
> thanks
> -- PMM
>
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1914353/+subscriptions
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug 1914353] Re: QEMU: aarch64: :GIC: out-of-bounds access via interrupt ID
2021-02-03 5:20 [Bug 1914353] [NEW] QEMU: aarch64: :GIC: out-of-bounds access via interrupt ID P J P
` (3 preceding siblings ...)
2021-02-03 16:42 ` Alexander Bulekov
@ 2021-04-30 8:16 ` Thomas Huth
4 siblings, 0 replies; 6+ messages in thread
From: Thomas Huth @ 2021-04-30 8:16 UTC (permalink / raw)
To: qemu-devel
Fix has been included here:
https://gitlab.com/qemu-project/qemu/-/commit/edfe2eb4360cde4ed5d95bd
** Changed in: qemu
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1914353
Title:
QEMU: aarch64: :GIC: out-of-bounds access via interrupt ID
Status in QEMU:
Fix Released
Bug description:
Via [qemu-security] list
+-- On Sun, 31 Jan 2021, Philippe Mathieu-Daudé wrote --+
| On 1/31/21 11:34 AM, Philippe Mathieu-Daudé wrote:
| > Per the ARM Generic Interrupt Controller Architecture specification
| > (document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
| > not 10:
| >
| > - Table 4-21 GICD_SGIR bit assignments
| >
| > The Interrupt ID of the SGI to forward to the specified CPU
| > interfaces. The value of this field is the Interrupt ID, in
| > the range 0-15, for example a value of 0b0011 specifies
| > Interrupt ID 3.
| >
...
| > Correct the irq mask to fix an undefined behavior (which eventually
| > lead to a heap-buffer-overflow, see [Buglink]):
| >
| > $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
| > [I 1612088147.116987] OPENED
| > [R +0.278293] writel 0x8000f00 0xff4affb0
| > ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
| > SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13
| >
| > Cc: qemu-stable@nongnu.org
| > Fixes: 9ee6e8bb853 ("ARMv7 support.")
| > Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
| > Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
...
On 210202 1221, Peter Maydell wrote:
> In both cases the overrun is on the first writel to 0x8000f00,
> but the fuzzer has for some reason not reported that but instead
> blundered on until it happens to trigger some other issue that
> resulted from the memory corruption it induced with the first write.
>
...
> On the CVE:
>
> Since this can affect systems using KVM, this is a security bug for
> us. However, it only affects an uncommon configuration:
> you are only vulnerable if you are using "kernel-irqchip=off"
> (the default is 'on', and turning it off is an odd thing to do).
>
> thanks
> -- PMM
>
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1914353/+subscriptions
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2021-04-30 8:37 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-02-03 5:20 [Bug 1914353] [NEW] QEMU: aarch64: :GIC: out-of-bounds access via interrupt ID P J P
2021-02-03 5:21 ` [Bug 1914353] " P J P
2021-02-03 5:45 ` P J P
2021-02-03 9:56 ` P J P
2021-02-03 16:42 ` Alexander Bulekov
2021-04-30 8:16 ` Thomas Huth
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).