Patchwork [3/3] kvm tools: Add boundry check for rtc cmos index

Submitter Sasha Levin
Date Nov. 29, 2011, 8:35 a.m.
Message ID <1322555735-32163-3-git-send-email-levinsasha928@gmail.com>
State New

Comments

Sasha Levin - Nov. 29, 2011, 8:35 a.m.
A guest could overwrite host memory by writing to a cmos index bigger than 128.

This patch adds a boundary check to limit it to that size.

Cc: Alessandro Zummo <a.zummo@towertech.it>
Cc: rtc-linux@googlegroups.com
Signed-off-by: Sasha Levin <levinsasha928@gmail.com>
---
 tools/kvm/hw/rtc.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)
Pekka Enberg - Nov. 29, 2011, 1:07 p.m.
On Tue, 29 Nov 2011, Sasha Levin wrote:
> A guest could overwrite host memory by writing to cmos index bigger than 128.
>
> This patch adds a boundry check to limit it to that size.
>
> Cc: Alessandro Zummo <a.zummo@towertech.it>
> Cc: rtc-linux@googlegroups.com
> Signed-off-by: Sasha Levin <levinsasha928@gmail.com>
> ---
> tools/kvm/hw/rtc.c |    4 ++++
> 1 files changed, 4 insertions(+), 0 deletions(-)
>
> diff --git a/tools/kvm/hw/rtc.c b/tools/kvm/hw/rtc.c
> index fad140f..1471521 100644
> --- a/tools/kvm/hw/rtc.c
> +++ b/tools/kvm/hw/rtc.c
> @@ -50,6 +50,8 @@ static bool cmos_ram_data_in(struct ioport *ioport, struct kvm *kvm, u16 port, v
> 		ioport__write8(data, bin2bcd(tm->tm_year));
> 		break;
> 	default:
> +		if (rtc.cmos_idx >= 128)
> +			break;
> 		ioport__write8(data, rtc.cmos_data[rtc.cmos_idx]);
> 		break;
> 	}
> @@ -65,6 +67,8 @@ static bool cmos_ram_data_out(struct ioport *ioport, struct kvm *kvm, u16 port,
> 		/* Read-only */
> 		break;
> 	default:
> +		if (rtc.cmos_idx >= 128)
> +			break;
> 		rtc.cmos_data[rtc.cmos_idx] = ioport__read8(data);
> 		break;
> 	}

We always clear highest bit in cmos_ram_index_out() so 'cmos_idx' can 
never be over 127.

 			Pekka
Sasha Levin - Nov. 29, 2011, 8:11 p.m.
On Tue, 2011-11-29 at 15:07 +0200, Pekka Enberg wrote:
> On Tue, 29 Nov 2011, Sasha Levin wrote:
> > A guest could overwrite host memory by writing to cmos index bigger than 128.
> >
> > This patch adds a boundry check to limit it to that size.
> >
> > Cc: Alessandro Zummo <a.zummo@towertech.it>
> > Cc: rtc-linux@googlegroups.com
> > Signed-off-by: Sasha Levin <levinsasha928@gmail.com>
> > ---
> > tools/kvm/hw/rtc.c |    4 ++++
> > 1 files changed, 4 insertions(+), 0 deletions(-)
> >
> > diff --git a/tools/kvm/hw/rtc.c b/tools/kvm/hw/rtc.c
> > index fad140f..1471521 100644
> > --- a/tools/kvm/hw/rtc.c
> > +++ b/tools/kvm/hw/rtc.c
> > @@ -50,6 +50,8 @@ static bool cmos_ram_data_in(struct ioport *ioport, struct kvm *kvm, u16 port, v
> > 		ioport__write8(data, bin2bcd(tm->tm_year));
> > 		break;
> > 	default:
> > +		if (rtc.cmos_idx >= 128)
> > +			break;
> > 		ioport__write8(data, rtc.cmos_data[rtc.cmos_idx]);
> > 		break;
> > 	}
> > @@ -65,6 +67,8 @@ static bool cmos_ram_data_out(struct ioport *ioport, struct kvm *kvm, u16 port,
> > 		/* Read-only */
> > 		break;
> > 	default:
> > +		if (rtc.cmos_idx >= 128)
> > +			break;
> > 		rtc.cmos_data[rtc.cmos_idx] = ioport__read8(data);
> > 		break;
> > 	}
> 
> We always clear highest bit in cmos_ram_index_out() so 'cmos_idx' can 
> never be over 127.

Right. Please ignore this patch :)

Patch

diff --git a/tools/kvm/hw/rtc.c b/tools/kvm/hw/rtc.c
index fad140f..1471521 100644
--- a/tools/kvm/hw/rtc.c
+++ b/tools/kvm/hw/rtc.c
@@ -50,6 +50,8 @@  static bool cmos_ram_data_in(struct ioport *ioport, struct kvm *kvm, u16 port, v
 		ioport__write8(data, bin2bcd(tm->tm_year));
 		break;
 	default:
+		if (rtc.cmos_idx >= 128)
+			break;
 		ioport__write8(data, rtc.cmos_data[rtc.cmos_idx]);
 		break;
 	}
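Review bot: In the `cmos_ram_data_in` hunk the new early `break` leaves `data` unwritten when the index is rejected, so the guest's port read would return whatever the I/O buffer already held rather than a defined value. Writing a fixed byte before the `break`, such as `ioport__write8(data, 0xff);`, would keep the rejected path from handing stale bytes to the guest. The literal `128` is also repeated here and in the `cmos_ram_data_out` hunk; assuming `cmos_data` is declared as an array inside `rtc`, `if (rtc.cmos_idx >= ARRAY_SIZE(rtc.cmos_data))` would tie the bound to the buffer it protects. Both function bodies start and end outside the hunks, so how the caller initialises `data` is not visible here.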
@@ -65,6 +67,8 @@  static bool cmos_ram_data_out(struct ioport *ioport, struct kvm *kvm, u16 port,
 		/* Read-only */
 		break;
 	default:
+		if (rtc.cmos_idx >= 128)
+			break;
 		rtc.cmos_data[rtc.cmos_idx] = ioport__read8(data);
 		break;
 	}