qemu-devel

Re: [PATCH v4 05/13] hvf: Fix OOB write in RDTSCP instruction decode


From: Philippe Mathieu-Daudé
Subject: Re: [PATCH v4 05/13] hvf: Fix OOB write in RDTSCP instruction decode
Date: Mon, 14 Feb 2022 13:49:03 +0100
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.5.1

Hi Cameron,

On 11/2/22 17:34, Philippe Mathieu-Daudé wrote:
From: Cameron Esfahani <dirty@apple.com>

A guest could craft a specific stream of instructions that will have QEMU
write 0xF9 to inappropriate locations in memory.  Add additional asserts
to check for this.  Generate a #UD if there are more than 14 prefix bytes.

Found by Julian Stecklina <julian.stecklina@cyberus-technology.de>

Signed-off-by: Cameron Esfahani <dirty@apple.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
  target/i386/hvf/x86_decode.c | 11 +++++++++--
  target/i386/hvf/x86hvf.c     |  8 ++++++++
  target/i386/hvf/x86hvf.h     |  1 +
  3 files changed, 18 insertions(+), 2 deletions(-)

@@ -1847,7 +1849,8 @@ void calc_modrm_operand(CPUX86State *env, struct 
x86_decode *decode,
static void decode_prefix(CPUX86State *env, struct x86_decode *decode)
  {
-    while (1) {
+    /* At most 14 prefix bytes. */
+    for (int i = 0; i < 14; i++) {

Could we have a definition instead of this magic '14' number?

          /*
           * REX prefix must come after legacy prefixes.
           * REX before legacy is ignored.
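Review bot: the bound in `for (int i = 0; i < 14; i++)` is an unexplained magic number; give it a named constant and extend the `/* At most 14 prefix bytes. */` comment to say where the value comes from (the 15-byte maximum x86 instruction length leaves room for at most 14 prefix bytes before the opcode byte), so the next reader does not have to re-derive it. Note also that this hunk only bounds the prefix scan; the additional asserts the commit message says it adds are not part of the visible hunks, so they should be reviewed alongside this limit.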
@@ -1892,6 +1895,8 @@ static void decode_prefix(CPUX86State *env, struct 
x86_decode *decode)
              return;
          }
      }
+    /* Too many prefixes!  Generate #UD. */
+    hvf_inject_ud(env);
  }
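Review bot: `decode_prefix` is `void`, so after `hvf_inject_ud(env);` on the too-many-prefixes path the function returns normally and the caller gets no signal that decoding should stop; unless the caller already checks for a pending exception, the remainder of the instruction will still be decoded and possibly emulated after #UD has been queued. Consider having `decode_prefix` return a status (or set a flag in `decode`) that the caller checks before continuing, and cover the 15-prefix case with a test that confirms #UD is delivered and no further emulation follows.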