diff mbox series

hvf: Fix OOB write in RDTSCP instruction decode

Message ID 20211030000232.2019-1-dirty@apple.com
State New
Headers show
Series hvf: Fix OOB write in RDTSCP instruction decode | expand

Commit Message

Cameron Esfahani Oct. 30, 2021, 12:02 a.m. UTC 
A guest could craft a specific stream of instructions that will have QEMU
write 0xF9 to inappropriate locations in memory.  Add additional asserts
to check for this.  Generate a #UD if there are more than 14 prefix bytes.

Found by Julian Stecklina <julian.stecklina@cyberus-technology.de>

Signed-off-by: Cameron Esfahani <dirty@apple.com>
---
 target/i386/hvf/x86_decode.c | 11 +++++++++--
 target/i386/hvf/x86hvf.c     |  8 ++++++++
 target/i386/hvf/x86hvf.h     |  1 +
 3 files changed, 18 insertions(+), 2 deletions(-)

Comments

Cameron Esfahani Feb. 8, 2022, 9:24 p.m. UTC | #1 
Ping

Cameron


> On Oct 29, 2021, at 5:02 PM, Cameron Esfahani <dirty@apple.com> wrote:
> 
> A guest could craft a specific stream of instructions that will have QEMU
> write 0xF9 to inappropriate locations in memory.  Add additional asserts
> to check for this.  Generate a #UD if there are more than 14 prefix bytes.
> 
> Found by Julian Stecklina <julian.stecklina@cyberus-technology.de>
> 
> Signed-off-by: Cameron Esfahani <dirty@apple.com>
> ---
> target/i386/hvf/x86_decode.c | 11 +++++++++--
> target/i386/hvf/x86hvf.c     |  8 ++++++++
> target/i386/hvf/x86hvf.h     |  1 +
> 3 files changed, 18 insertions(+), 2 deletions(-)
> 
> diff --git a/target/i386/hvf/x86_decode.c b/target/i386/hvf/x86_decode.c
> index 062713b1a4..fbaf1813e8 100644
> --- a/target/i386/hvf/x86_decode.c
> +++ b/target/i386/hvf/x86_decode.c
> @@ -24,6 +24,7 @@
> #include "vmx.h"
> #include "x86_mmu.h"
> #include "x86_descr.h"
> +#include "x86hvf.h"
> 
> #define OPCODE_ESCAPE   0xf
> 
> @@ -541,7 +542,8 @@ static void decode_lidtgroup(CPUX86State *env, struct x86_decode *decode)
>     };
>     decode->cmd = group[decode->modrm.reg];
>     if (0xf9 == decode->modrm.modrm) {
> -        decode->opcode[decode->len++] = decode->modrm.modrm;
> +        VM_PANIC_ON(decode->opcode_len >= sizeof(decode->opcode));
> +        decode->opcode[decode->opcode_len++] = decode->modrm.modrm;
>         decode->cmd = X86_DECODE_CMD_RDTSCP;
>     }
> }
> @@ -1847,7 +1849,8 @@ void calc_modrm_operand(CPUX86State *env, struct x86_decode *decode,
> 
> static void decode_prefix(CPUX86State *env, struct x86_decode *decode)
> {
> -    while (1) {
> +    /* At most 14 prefix bytes. */
> +    for (int i = 0; i < 14; i++) {
>         /*
>          * REX prefix must come after legacy prefixes.
>          * REX before legacy is ignored.
> @@ -1892,6 +1895,8 @@ static void decode_prefix(CPUX86State *env, struct x86_decode *decode)
>             return;
>         }
>     }
> +    /* Too many prefixes!  Generate #UD. */
> +    hvf_inject_ud(env);
> }
> 
> void set_addressing_size(CPUX86State *env, struct x86_decode *decode)
> @@ -2090,11 +2095,13 @@ static void decode_opcodes(CPUX86State *env, struct x86_decode *decode)
>     uint8_t opcode;
> 
>     opcode = decode_byte(env, decode);
> +    VM_PANIC_ON(decode->opcode_len >= sizeof(decode->opcode));
>     decode->opcode[decode->opcode_len++] = opcode;
>     if (opcode != OPCODE_ESCAPE) {
>         decode_opcode_1(env, decode, opcode);
>     } else {
>         opcode = decode_byte(env, decode);
> +        VM_PANIC_ON(decode->opcode_len >= sizeof(decode->opcode));
>         decode->opcode[decode->opcode_len++] = opcode;
>         decode_opcode_2(env, decode, opcode);
>     }
> diff --git a/target/i386/hvf/x86hvf.c b/target/i386/hvf/x86hvf.c
> index 05ec1bddc4..a805c125d9 100644
> --- a/target/i386/hvf/x86hvf.c
> +++ b/target/i386/hvf/x86hvf.c
> @@ -425,6 +425,14 @@ bool hvf_inject_interrupts(CPUState *cpu_state)
>             & (CPU_INTERRUPT_INIT | CPU_INTERRUPT_TPR));
> }
> 
> +void hvf_inject_ud(CPUX86State *env)
> +{
> +    env->exception_nr = EXCP06_ILLOP;
> +    env->exception_injected = 1;
> +    env->has_error_code = false;
> +    env->error_code = 0;
> +}
> +
> int hvf_process_events(CPUState *cpu_state)
> {
>     X86CPU *cpu = X86_CPU(cpu_state);
> diff --git a/target/i386/hvf/x86hvf.h b/target/i386/hvf/x86hvf.h
> index 99ed8d608d..ef472a32f9 100644
> --- a/target/i386/hvf/x86hvf.h
> +++ b/target/i386/hvf/x86hvf.h
> @@ -22,6 +22,7 @@
> 
> int hvf_process_events(CPUState *);
> bool hvf_inject_interrupts(CPUState *);
> +void hvf_inject_ud(CPUX86State *);
> void hvf_set_segment(struct CPUState *cpu, struct vmx_segment *vmx_seg,
>                      SegmentCache *qseg, bool is_tr);
> void hvf_get_segment(SegmentCache *qseg, struct vmx_segment *vmx_seg);
> -- 
> 2.30.1 (Apple Git-130)
> 
>
diff mbox series

Patch

diff --git a/target/i386/hvf/x86_decode.c b/target/i386/hvf/x86_decode.c
index 062713b1a4..fbaf1813e8 100644
--- a/target/i386/hvf/x86_decode.c
+++ b/target/i386/hvf/x86_decode.c
@@ -24,6 +24,7 @@ 
 #include "vmx.h"
 #include "x86_mmu.h"
 #include "x86_descr.h"
+#include "x86hvf.h"
 
 #define OPCODE_ESCAPE   0xf
 
@@ -541,7 +542,8 @@  static void decode_lidtgroup(CPUX86State *env, struct x86_decode *decode)
     };
     decode->cmd = group[decode->modrm.reg];
     if (0xf9 == decode->modrm.modrm) {
-        decode->opcode[decode->len++] = decode->modrm.modrm;
+        VM_PANIC_ON(decode->opcode_len >= sizeof(decode->opcode));
+        decode->opcode[decode->opcode_len++] = decode->modrm.modrm;
         decode->cmd = X86_DECODE_CMD_RDTSCP;
     }
 }
@@ -1847,7 +1849,8 @@  void calc_modrm_operand(CPUX86State *env, struct x86_decode *decode,
 
 static void decode_prefix(CPUX86State *env, struct x86_decode *decode)
 {
-    while (1) {
+    /* At most 14 prefix bytes. */
+    for (int i = 0; i < 14; i++) {
         /*
          * REX prefix must come after legacy prefixes.
          * REX before legacy is ignored.
@@ -1892,6 +1895,8 @@  static void decode_prefix(CPUX86State *env, struct x86_decode *decode)
             return;
         }
     }
+    /* Too many prefixes!  Generate #UD. */
+    hvf_inject_ud(env);
 }
 
 void set_addressing_size(CPUX86State *env, struct x86_decode *decode)
@@ -2090,11 +2095,13 @@  static void decode_opcodes(CPUX86State *env, struct x86_decode *decode)
     uint8_t opcode;
 
     opcode = decode_byte(env, decode);
+    VM_PANIC_ON(decode->opcode_len >= sizeof(decode->opcode));
     decode->opcode[decode->opcode_len++] = opcode;
     if (opcode != OPCODE_ESCAPE) {
         decode_opcode_1(env, decode, opcode);
     } else {
         opcode = decode_byte(env, decode);
+        VM_PANIC_ON(decode->opcode_len >= sizeof(decode->opcode));
         decode->opcode[decode->opcode_len++] = opcode;
         decode_opcode_2(env, decode, opcode);
     }
diff --git a/target/i386/hvf/x86hvf.c b/target/i386/hvf/x86hvf.c
index 05ec1bddc4..a805c125d9 100644
--- a/target/i386/hvf/x86hvf.c
+++ b/target/i386/hvf/x86hvf.c
@@ -425,6 +425,14 @@  bool hvf_inject_interrupts(CPUState *cpu_state)
             & (CPU_INTERRUPT_INIT | CPU_INTERRUPT_TPR));
 }
 
+void hvf_inject_ud(CPUX86State *env)
+{
+    env->exception_nr = EXCP06_ILLOP;
+    env->exception_injected = 1;
+    env->has_error_code = false;
+    env->error_code = 0;
+}
+
 int hvf_process_events(CPUState *cpu_state)
 {
     X86CPU *cpu = X86_CPU(cpu_state);
diff --git a/target/i386/hvf/x86hvf.h b/target/i386/hvf/x86hvf.h
index 99ed8d608d..ef472a32f9 100644
--- a/target/i386/hvf/x86hvf.h
+++ b/target/i386/hvf/x86hvf.h
@@ -22,6 +22,7 @@ 
 
 int hvf_process_events(CPUState *);
 bool hvf_inject_interrupts(CPUState *);
+void hvf_inject_ud(CPUX86State *);
 void hvf_set_segment(struct CPUState *cpu, struct vmx_segment *vmx_seg,
                      SegmentCache *qseg, bool is_tr);
 void hvf_get_segment(SegmentCache *qseg, struct vmx_segment *vmx_seg);