msix: add valid.accepts methods to check address

Fix CVE-2020-13754 While doing msi-x mmio operations, a guest may send an address that leads to an OOB access issue. Add valid.accepts methods to ensure that ensuing mmio r/w operation don't go beyond regions. Reported-by: Ren Ding <rding@gatech.edu> Reported-by: Hanqing Zhao <hanqing@gatech.edu> Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com> Reported-by: Alexander Bulekov <alxndr@bu.edu> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> patch link: https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00004.html Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
2021-02-19 16:28:00 +08:00 · 2021-02-19 16:28:00 +08:00 · bd0d09f113
commit bd0d09f113
parent 03ac057064
1 changed files with 78 additions and 0 deletions
--- a/msix-add-valid.accepts-methods-to-check-address.patch
+++ b/msix-add-valid.accepts-methods-to-check-address.patch
@ -0,0 +1,78 @@
 From e9cc24b1737f745b23c408b183dd34fda5abc30c Mon Sep 17 00:00:00 2001
 From: Prasad J Pandit <pjp@fedoraproject.org>
 Date: Fri, 19 Feb 2021 16:28:00 +0800
 Subject: [PATCH] msix: add valid.accepts methods to check address
 Fix CVE-2020-13754
 While doing msi-x mmio operations, a guest may send an address
 that leads to an OOB access issue. Add valid.accepts methods to
 ensure that ensuing mmio r/w operation don't go beyond regions.
 Reported-by: Ren Ding <rding@gatech.edu>
 Reported-by: Hanqing Zhao <hanqing@gatech.edu>
 Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
 Reported-by: Alexander Bulekov <alxndr@bu.edu>
 Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
 patch link: https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00004.html
 Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
 ---
 hw/pci/msix.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 diff --git a/hw/pci/msix.c b/hw/pci/msix.c
 index d39dcf32e8..ec43f16875 100644
 --- a/hw/pci/msix.c
 +++ b/hw/pci/msix.c
@@ -192,6 +192,15 @@ static void msix_table_mmio_write(void *opaque, hwaddr addr,
     msix_handle_mask_update(dev, vector, was_masked);
 }
 +static bool msix_table_accepts(void *opaque, hwaddr addr, unsigned size,
 +                                    bool is_write, MemTxAttrs attrs)
 +{
 +    PCIDevice *dev = opaque;
 +    uint16_t tbl_size = dev->msix_entries_nr * PCI_MSIX_ENTRY_SIZE;
 +
 +    return dev->msix_table + addr + 4 <= dev->msix_table + tbl_size;
 +}
 +
 static const MemoryRegionOps msix_table_mmio_ops = {
     .read = msix_table_mmio_read,
     .write = msix_table_mmio_write,
@@ -199,6 +208,7 @@ static const MemoryRegionOps msix_table_mmio_ops = {
     .valid = {
         .min_access_size = 4,
         .max_access_size = 4,
 +        .accepts = msix_table_accepts
     },
 };
@@ -220,6 +230,15 @@ static void msix_pba_mmio_write(void *opaque, hwaddr addr,
 {
 }
 +static bool msix_pba_accepts(void *opaque, hwaddr addr, unsigned size,
 +                                    bool is_write, MemTxAttrs attrs)
 +{
 +    PCIDevice *dev = opaque;
 +    uint16_t pba_size = QEMU_ALIGN_UP(dev->msix_entries_nr, 64) / 8;
 +
 +    return dev->msix_pba + addr + 4 <= dev->msix_pba + pba_size;
 +}
 +
 static const MemoryRegionOps msix_pba_mmio_ops = {
     .read = msix_pba_mmio_read,
     .write = msix_pba_mmio_write,
@@ -227,6 +246,7 @@ static const MemoryRegionOps msix_pba_mmio_ops = {
     .valid = {
         .min_access_size = 4,
         .max_access_size = 4,
 +        .accepts = msix_pba_accepts
     },
 };
 -- 
 2.27.0