Commit 89554d2f authored by Prasad J Pandit, committed by zhanghailiang

ati-vga: check mm_index before recursive call (CVE-2020-13800)



While accessing VGA registers via ati_mm_read/write routines,
a guest may set 's->regs.mm_index' such that it leads to infinite
recursion. Check mm_index value to avoid such recursion. Log an
error message for wrong values.

Reported-by: Ren Ding <rding@gatech.edu>
Reported-by: Hanqing Zhao <hanqing@gatech.edu>
Reported-by: Yi Ren <c4tren@gmail.com>
Message-id: 20200604090830.33885-1-ppandit@redhat.com
Suggested-by: BALATON Zoltan <balaton@eik.bme.hu>
Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
parent a1a9d6f9
+8 −2
@@ -261,8 +261,11 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
            if (idx <= s->vga.vram_size - size) {
                val = ldn_le_p(s->vga.vram_ptr + idx, size);
            }
        } else {
        } else if (s->regs.mm_index > MM_DATA + 3) {
            val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);
        } else {
            qemu_log_mask(LOG_GUEST_ERROR,
                "ati_mm_read: mm_index too small: %u\n", s->regs.mm_index);
        }
        break;
    case BIOS_0_SCRATCH ... BUS_CNTL - 1:
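Review bot: the guard `s->regs.mm_index > MM_DATA + 3` deserves a one-line comment explaining why that is the threshold, since the correctness argument is not visible in the hunk: `addr` here lies in the `MM_DATA ... MM_DATA + 3` range, so `addr - MM_DATA` is at most 3, and requiring `mm_index > MM_DATA + 3` guarantees the recursive `ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size)` resolves to an address outside that same case and can no longer re-enter it. Without the comment a later change to the case range or to the register layout could silently invalidate the bound. The `LOG_GUEST_ERROR` message on the rejected path is the right choice for guest-controlled input, but "too small" is a bit terse; naming the register (e.g. "mm_index %u points into MM_INDEX/MM_DATA") would make the log actionable for someone triaging a misbehaving guest.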
@@ -472,8 +475,11 @@ static void ati_mm_write(void *opaque, hwaddr addr,
            if (idx <= s->vga.vram_size - size) {
                stn_le_p(s->vga.vram_ptr + idx, size, data);
            }
        } else {
        } else if (s->regs.mm_index > MM_DATA + 3) {
            ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
        } else {
            qemu_log_mask(LOG_GUEST_ERROR,
                "ati_mm_write: mm_index too small: %u\n", s->regs.mm_index);
        }
        break;
    case BIOS_0_SCRATCH ... BUS_CNTL - 1:
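Review bot: this is the same bound and the same log text, modulo the function name, as in `ati_mm_read`; a small shared helper such as `static bool ati_mm_index_valid(ATIVGAState *s)` (name suggested, not from the patch) would keep the read and write paths from drifting apart if the threshold ever changes. The write side also silently drops `data` when `mm_index` is rejected, which is correct for a guest error but is worth a comment so a reader does not mistake it for a missing store. Otherwise the check mirrors the read path: with `addr - MM_DATA` at most 3, `mm_index > MM_DATA + 3` keeps the recursive `ati_mm_write` call out of the `MM_DATA` case.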