Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/810859/?format=api
{ "id": 810859, "url": "http://patchwork.ozlabs.org/api/patches/810859/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20170907063256.7418-1-ppandit@redhat.com/", "project": { "id": 14, "url": "http://patchwork.ozlabs.org/api/projects/14/?format=api", "name": "QEMU Development", "link_name": "qemu-devel", "list_id": "qemu-devel.nongnu.org", "list_email": "qemu-devel@nongnu.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20170907063256.7418-1-ppandit@redhat.com>", "list_archive_url": null, "date": "2017-09-07T06:32:56", "name": "[v1] multiboot: validate multiboot header address values", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "1a045dada1382b932510515333d013ebecc3db68", "submitter": { "id": 67408, "url": "http://patchwork.ozlabs.org/api/people/67408/?format=api", "name": "Prasad Pandit", "email": "ppandit@redhat.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20170907063256.7418-1-ppandit@redhat.com/mbox/", "series": [ { "id": 1914, "url": "http://patchwork.ozlabs.org/api/series/1914/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/list/?series=1914", "date": "2017-09-07T06:32:56", "name": "[v1] multiboot: validate multiboot header address values", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/1914/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/810859/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/810859/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@bilbo.ozlabs.org", "Authentication-Results": [ "ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=nongnu.org\n\t(client-ip=2001:4830:134:3::11; helo=lists.gnu.org;\n\tenvelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n\treceiver=<UNKNOWN>)", "ext-mx04.extmail.prod.ext.phx2.redhat.com;\n\tdmarc=none (p=none dis=none) header.from=redhat.com", "ext-mx04.extmail.prod.ext.phx2.redhat.com;\n\tspf=fail smtp.mailfrom=ppandit@redhat.com" ], "Received": [ "from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11])\n\t(using TLSv1 with cipher AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xnrHx0LMzz9s82\n\tfor <incoming@patchwork.ozlabs.org>;\n\tThu, 7 Sep 2017 16:33:30 +1000 (AEST)", "from localhost ([::1]:39004 helo=lists.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.71) (envelope-from\n\t<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>)\n\tid 1dpqNS-0003RE-Lk\n\tfor incoming@patchwork.ozlabs.org; Thu, 07 Sep 2017 02:33:26 -0400", "from eggs.gnu.org ([2001:4830:134:3::10]:50583)\n\tby lists.gnu.org with esmtp (Exim 4.71)\n\t(envelope-from <ppandit@redhat.com>) id 1dpqN9-0003R8-2k\n\tfor qemu-devel@nongnu.org; Thu, 07 Sep 2017 02:33:08 -0400", "from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)\n\t(envelope-from <ppandit@redhat.com>) id 1dpqN5-0001OK-VZ\n\tfor qemu-devel@nongnu.org; Thu, 07 Sep 2017 02:33:07 -0400", "from mx1.redhat.com ([209.132.183.28]:57460)\n\tby eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)\n\t(Exim 4.71) (envelope-from <ppandit@redhat.com>) id 1dpqN5-0001O7-Q2\n\tfor qemu-devel@nongnu.org; Thu, 07 Sep 2017 02:33:03 -0400", "from smtp.corp.redhat.com\n\t(int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12])\n\t(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby mx1.redhat.com (Postfix) with ESMTPS id 8AE4D8046A;\n\tThu, 7 Sep 2017 06:33:02 +0000 (UTC)", "from javelin.redhat.com (ovpn-204-88.brq.redhat.com [10.40.204.88])\n\tby smtp.corp.redhat.com (Postfix) with ESMTPS id C942918817;\n\tThu, 7 Sep 2017 06:32:59 +0000 (UTC)" ], "DMARC-Filter": "OpenDMARC Filter v1.3.2 mx1.redhat.com 8AE4D8046A", "From": "P J P <ppandit@redhat.com>", "To": "Qemu Developers <qemu-devel@nongnu.org>", "Date": "Thu, 7 Sep 2017 12:02:56 +0530", "Message-Id": "<20170907063256.7418-1-ppandit@redhat.com>", "X-Scanned-By": "MIMEDefang 2.79 on 10.5.11.12", "X-Greylist": "Sender IP whitelisted, not delayed by milter-greylist-4.5.16\n\t(mx1.redhat.com [10.5.110.28]);\n\tThu, 07 Sep 2017 06:33:02 +0000 (UTC)", "X-detected-operating-system": "by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]\n\t[fuzzy]", "X-Received-From": "209.132.183.28", "Subject": "[Qemu-devel] [PATCH v1] multiboot: validate multiboot header\n\taddress values", "X-BeenThere": "qemu-devel@nongnu.org", "X-Mailman-Version": "2.1.21", "Precedence": "list", "List-Id": "<qemu-devel.nongnu.org>", "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n\t<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>", "List-Archive": "<http://lists.nongnu.org/archive/html/qemu-devel/>", "List-Post": "<mailto:qemu-devel@nongnu.org>", "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>", "List-Subscribe": "<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n\t<mailto:qemu-devel-request@nongnu.org?subject=subscribe>", "Cc": "Paolo Bonzini <pbonzini@redhat.com>,\n\tPrasad J Pandit <pjp@fedoraproject.org>,\n\tEduardo Habkost <ehabkost@redhat.com>,\n\tThomas Garnier <thgarnie@google.com>", "Errors-To": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org", "Sender": "\"Qemu-devel\"\n\t<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>" }, "content": "From: Prasad J Pandit <pjp@fedoraproject.org>\n\nWhile loading kernel via multiboot-v1 image, (flags & 0x00010000)\nindicates that multiboot header contains valid addresses to load\nthe kernel image. These addresses are used to compute kernel\nsize and kernel text offset in the OS image. Validate these\naddress values to avoid an OOB access issue.\n\nThis is CVE-2017-14167.\n\nReported-by: Thomas Garnier <thgarnie@google.com>\nSigned-off-by: Prasad J Pandit <pjp@fedoraproject.org>\n---\n hw/i386/multiboot.c | 19 +++++++++++++++++++\n 1 file changed, 19 insertions(+)\n\nUpdate: add CVE-ID to the commit message.", "diff": "diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c\nindex 6001f4caa2..c7b70c91d5 100644\n--- a/hw/i386/multiboot.c\n+++ b/hw/i386/multiboot.c\n@@ -221,15 +221,34 @@ int load_multiboot(FWCfgState *fw_cfg,\n uint32_t mh_header_addr = ldl_p(header+i+12);\n uint32_t mh_load_end_addr = ldl_p(header+i+20);\n uint32_t mh_bss_end_addr = ldl_p(header+i+24);\n+\n mh_load_addr = ldl_p(header+i+16);\n+ if (mh_header_addr < mh_load_addr) {\n+ fprintf(stderr, \"invalid mh_load_addr address\\n\");\n+ exit(1);\n+ }\n+\n uint32_t mb_kernel_text_offset = i - (mh_header_addr - mh_load_addr);\n uint32_t mb_load_size = 0;\n mh_entry_addr = ldl_p(header+i+28);\n \n if (mh_load_end_addr) {\n+ if (mh_bss_end_addr < mh_load_addr) {\n+ fprintf(stderr, \"invalid mh_bss_end_addr address\\n\");\n+ exit(1);\n+ }\n mb_kernel_size = mh_bss_end_addr - mh_load_addr;\n+\n+ if (mh_load_end_addr < mh_load_addr) {\n+ fprintf(stderr, \"invalid mh_load_end_addr address\\n\");\n+ exit(1);\n+ }\n mb_load_size = mh_load_end_addr - mh_load_addr;\n } else {\n+ if (kernel_file_size < mb_kernel_text_offset) {\n+ fprintf(stderr, \"invalid kernel_file_size\\n\");\n+ exit(1);\n+ }\n mb_kernel_size = kernel_file_size - mb_kernel_text_offset;\n mb_load_size = mb_kernel_size;\n }\n", "prefixes": [ "v1" ] }