qemu/hw/display
Philippe Mathieu-Daudé 6d37a30815 hw/display/virtio-gpu: Protect from DMA re-entrancy bugs
Replace qemu_bh_new_guarded() by virtio_bh_new_guarded()
so the bus and device use the same guard. Otherwise the
DMA-reentrancy protection can be bypassed:

  $ cat << EOF | qemu-system-i386 -display none -nodefaults \
                                  -machine q35,accel=qtest \
                                  -m 512M \
                                  -device virtio-gpu \
                                  -qtest stdio
  outl 0xcf8 0x80000820
  outl 0xcfc 0xe0004000
  outl 0xcf8 0x80000804
  outw 0xcfc 0x06
  write 0xe0004030 0x4 0x024000e0
  write 0xe0004028 0x1 0xff
  write 0xe0004020 0x4 0x00009300
  write 0xe000401c 0x1 0x01
  write 0x101 0x1 0x04
  write 0x103 0x1 0x1c
  write 0x9301c8 0x1 0x18
  write 0x105 0x1 0x1c
  write 0x107 0x1 0x1c
  write 0x109 0x1 0x1c
  write 0x10b 0x1 0x00
  write 0x10d 0x1 0x00
  write 0x10f 0x1 0x00
  write 0x111 0x1 0x00
  write 0x113 0x1 0x00
  write 0x115 0x1 0x00
  write 0x117 0x1 0x00
  write 0x119 0x1 0x00
  write 0x11b 0x1 0x00
  write 0x11d 0x1 0x00
  write 0x11f 0x1 0x00
  write 0x121 0x1 0x00
  write 0x123 0x1 0x00
  write 0x125 0x1 0x00
  write 0x127 0x1 0x00
  write 0x129 0x1 0x00
  write 0x12b 0x1 0x00
  write 0x12d 0x1 0x00
  write 0x12f 0x1 0x00
  write 0x131 0x1 0x00
  write 0x133 0x1 0x00
  write 0x135 0x1 0x00
  write 0x137 0x1 0x00
  write 0x139 0x1 0x00
  write 0xe0007003 0x1 0x00
  EOF
  ...
  =================================================================
  ==276099==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000011178
  at pc 0x562cc3b736c7 bp 0x7ffed49dee60 sp 0x7ffed49dee58
  READ of size 8 at 0x60d000011178 thread T0
      #0 0x562cc3b736c6 in virtio_gpu_ctrl_response hw/display/virtio-gpu.c:180:42
      #1 0x562cc3b7c40b in virtio_gpu_ctrl_response_nodata hw/display/virtio-gpu.c:192:5
      #2 0x562cc3b7c40b in virtio_gpu_simple_process_cmd hw/display/virtio-gpu.c:1015:13
      #3 0x562cc3b82873 in virtio_gpu_process_cmdq hw/display/virtio-gpu.c:1050:9
      #4 0x562cc4a85514 in aio_bh_call util/async.c:169:5
      #5 0x562cc4a85c52 in aio_bh_poll util/async.c:216:13
      #6 0x562cc4a1a79b in aio_dispatch util/aio-posix.c:423:5
      #7 0x562cc4a8a2da in aio_ctx_dispatch util/async.c:358:5
      #8 0x7f36840547a8 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x547a8)
      #9 0x562cc4a8b753 in glib_pollfds_poll util/main-loop.c:290:9
      #10 0x562cc4a8b753 in os_host_main_loop_wait util/main-loop.c:313:5
      #11 0x562cc4a8b753 in main_loop_wait util/main-loop.c:592:11
      #12 0x562cc3938186 in qemu_main_loop system/runstate.c:782:9
      #13 0x562cc43b7af5 in qemu_default_main system/main.c:37:14
      #14 0x7f3683a6c189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
      #15 0x7f3683a6c244 in __libc_start_main csu/../csu/libc-start.c:381:3
      #16 0x562cc2a58ac0 in _start (qemu-system-i386+0x231bac0)

  0x60d000011178 is located 56 bytes inside of 136-byte region [0x60d000011140,0x60d0000111c8)
  freed by thread T0 here:
      #0 0x562cc2adb662 in __interceptor_free (qemu-system-i386+0x239e662)
      #1 0x562cc3b86b21 in virtio_gpu_reset hw/display/virtio-gpu.c:1524:9
      #2 0x562cc416e20e in virtio_reset hw/virtio/virtio.c:2145:9
      #3 0x562cc37c5644 in virtio_pci_reset hw/virtio/virtio-pci.c:2249:5
      #4 0x562cc4233758 in memory_region_write_accessor system/memory.c:497:5
      #5 0x562cc4232eea in access_with_adjusted_size system/memory.c:573:18

  previously allocated by thread T0 here:
      #0 0x562cc2adb90e in malloc (qemu-system-i386+0x239e90e)
      #1 0x7f368405a678 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5a678)
      #2 0x562cc4163ffc in virtqueue_split_pop hw/virtio/virtio.c:1612:12
      #3 0x562cc4163ffc in virtqueue_pop hw/virtio/virtio.c:1783:16
      #4 0x562cc3b91a95 in virtio_gpu_handle_ctrl hw/display/virtio-gpu.c:1112:15
      #5 0x562cc4a85514 in aio_bh_call util/async.c:169:5
      #6 0x562cc4a85c52 in aio_bh_poll util/async.c:216:13
      #7 0x562cc4a1a79b in aio_dispatch util/aio-posix.c:423:5

  SUMMARY: AddressSanitizer: heap-use-after-free hw/display/virtio-gpu.c:180:42 in virtio_gpu_ctrl_response

With this change, the same reproducer triggers:

  qemu-system-i386: warning: Blocked re-entrant IO on MemoryRegion: virtio-pci-common-virtio-gpu at addr: 0x6

Fixes: CVE-2024-3446
Cc: qemu-stable@nongnu.org
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Yongkang Jia <kangel@zju.edu.cn>
Reported-by: Xiao Lei <nop.leixiao@gmail.com>
Reported-by: Yiming Tao <taoym@zju.edu.cn>
Buglink: https://bugs.launchpad.net/qemu/+bug/1888606
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20240409105537.18308-3-philmd@linaro.org>
(cherry picked from commit ba28e0ff4d)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(Mjt: context fixup in hw/display/virtio-gpu.c:virtio_gpu_device_realize()
 due to missing v8.1.0-rc2-69-ga41e2d97f92b
 "virtio-gpu: reset gfx resources in main thread".
 Maybe it's worth picking this too)
2024-04-10 19:25:48 +03:00
acpi-vga-stub.c acpi: pc: vga: use AcpiDevAmlIf interface to build VGA device descriptors 2022-11-07 14:00:29 -05:00
acpi-vga.c acpi: pc: vga: use AcpiDevAmlIf interface to build VGA device descriptors 2022-11-07 14:00:29 -05:00
artist.c artist: set memory region owners for buffers to the artist device 2022-06-26 18:40:28 +01:00
ati_2d.c ati-vga: Implement fallback for pixman routines 2023-11-07 20:23:38 +03:00
ati_dbg.c ati-vga: Add dummy MEM_SDRAM_MODE_REG 2020-06-30 22:54:24 +02:00
ati_int.h ati-vga: Implement fallback for pixman routines 2023-11-07 20:23:38 +03:00
ati_regs.h ati-vga: Add dummy MEM_SDRAM_MODE_REG 2020-06-30 22:54:24 +02:00
ati.c ati-vga: Implement fallback for pixman routines 2023-11-07 20:23:38 +03:00
bcm2835_fb.c hw/display/bcm2835_fb: Fix framebuffer allocation address 2022-07-26 14:09:44 +01:00
blizzard.c hw/display: fix tab indentation 2022-11-08 10:23:32 +01:00
bochs-display.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
cg3.c Remove qemu-common.h include from most units 2022-04-06 14:31:55 +02:00
cirrus_vga_internal.h hw/display/cirrus_vga: Move "isa-cirrus-vga" device into a separate file 2018-10-15 09:57:33 +02:00
cirrus_vga_isa.c display: include dependencies explicitly 2022-11-10 10:17:18 -05:00
cirrus_vga_rop2.h cirrus: fix PUTPIXEL macro 2017-03-27 12:14:45 +02:00
cirrus_vga_rop.h cirrus: fix off-by-one in cirrus_bitblt_rop_bkwd_transp_*_16 2017-03-17 10:23:44 +01:00
cirrus_vga.c display: include dependencies explicitly 2022-11-10 10:17:18 -05:00
dpcd.c hw/display/dpcd: Convert debug printf()s to trace events 2020-05-28 11:38:57 +02:00
edid-generate.c edid: Fix clock of Detailed Timing Descriptor 2022-03-04 11:31:46 +01:00
edid-region.c Include exec/memory.h slightly less 2019-08-16 13:31:52 +02:00
exynos4210_fimd.c hw/display/exynos4210_fimd: Fix potential NULL pointer dereference 2020-11-02 16:52:17 +00:00
framebuffer.c Include hw/hw.h exactly where needed 2019-08-16 13:31:52 +02:00
framebuffer.h framebuffer: set DIRTY_MEMORY_VGA on RAM that is used for the framebuffer 2015-07-24 13:57:45 +02:00
g364fb.c g364fb: add VMStateDescription for G364SysBusState 2021-07-02 17:35:08 +02:00
i2c-ddc.c Mark remaining global TypeInfo instances as const 2022-02-21 13:30:20 +00:00
jazz_led.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
Kconfig hw/display: Rename VGA_ISA_MM -> VGA_MMIO 2022-01-13 10:58:54 +01:00
macfb.c macfb: set initial value of mode control registers in macfb_common_realize() 2022-03-09 09:29:10 +00:00
meson.build acpi: pc: vga: use AcpiDevAmlIf interface to build VGA device descriptors 2022-11-07 14:00:29 -05:00
next-fb.c hw/display/next-fb: Fix comment typo 2022-12-03 22:07:07 +01:00
omap_dss.c hw/display: fix tab indentation 2022-11-08 10:23:32 +01:00
omap_lcdc.c hw/display/omap_lcdc: Delete unnecessary macro 2021-03-06 13:30:38 +00:00
pl110_template.h Replace config-time define HOST_WORDS_BIGENDIAN 2022-04-06 10:50:37 +02:00
pl110.c hw/display/pl110: Remove use of BITS from pl110_template.h 2021-03-14 13:14:55 +00:00
pxa2xx_lcd.c hw/display: fix tab indentation 2022-11-08 10:23:32 +01:00
qxl-logger.c hw/display/qxl: Pass requested buffer size to qxl_phys2virt() 2022-11-29 18:15:26 -05:00
qxl-render.c hw/display/qxl: Pass requested buffer size to qxl_phys2virt() 2022-11-29 18:15:26 -05:00
qxl.c qxl: don't assert() if device isn't yet initialized 2023-09-11 10:53:51 +03:00
qxl.h hw/display/qxl: Avoid buffer overrun in qxl_phys2virt (CVE-2022-4144) 2022-11-29 18:15:26 -05:00
ramfb-standalone.c Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
ramfb.c hw/display/ramfb: plug slight guest-triggerable leak on mode setting 2023-10-05 08:44:37 +03:00
sii9022.c hw/i2c: add asynchronous send 2022-06-30 09:21:14 +02:00
sm501.c hw/i2c: Rename i2c_set_slave_address() -> i2c_slave_set_address() 2021-07-08 14:15:01 -05:00
ssd0303.c hw/i2c: add asynchronous send 2022-06-30 09:21:14 +02:00
ssd0323.c hw/ssi: Rename SSI 'slave' as 'peripheral' 2020-12-10 12:15:03 -05:00
tc6393xb.c Use g_new() & friends where that makes obvious sense 2022-03-21 15:44:44 +01:00
tcx.c Remove qemu-common.h include from most units 2022-04-06 14:31:55 +02:00
trace-events hw/display/vmware_vga: do not discard screen updates 2022-04-22 11:47:08 +02:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00
vga_int.h display: include dependencies explicitly 2022-11-10 10:17:18 -05:00
vga_regs.h hw/display: fix tab indentation 2022-11-08 10:23:32 +01:00
vga-access.h vga: move access helpers to separate include file 2019-09-19 10:37:46 +02:00
vga-helpers.h vga: move access helpers to separate include file 2019-09-19 10:37:46 +02:00
vga-isa.c display: include dependencies explicitly 2022-11-10 10:17:18 -05:00
vga-mmio.c display: include dependencies explicitly 2022-11-10 10:17:18 -05:00
vga-pci.c display: include dependencies explicitly 2022-11-10 10:17:18 -05:00
vga.c display: include dependencies explicitly 2022-11-10 10:17:18 -05:00
vhost-user-gpu-pci.c modules: introduces module_kconfig directive 2022-06-06 09:26:53 +02:00
vhost-user-gpu.c vhost-user: Call qemu_socketpair() instead of socketpair() 2022-09-29 14:38:05 +04:00
vhost-user-vga.c modules: introduces module_kconfig directive 2022-06-06 09:26:53 +02:00
virtio-gpu-base.c virtio-gpu: Respect UI refresh rate for EDID 2022-06-14 10:34:37 +02:00
virtio-gpu-gl.c modules: introduces module_kconfig directive 2022-06-06 09:26:53 +02:00
virtio-gpu-pci-gl.c modules: introduces module_kconfig directive 2022-06-06 09:26:53 +02:00
virtio-gpu-pci.c modules: introduces module_kconfig directive 2022-06-06 09:26:53 +02:00
virtio-gpu-udmabuf-stubs.c virtio-gpu: splitting one extended mode guest fb into n-scanouts 2021-11-05 12:29:19 +01:00
virtio-gpu-udmabuf.c Remove qemu-common.h include from most units 2022-04-06 14:31:55 +02:00
virtio-gpu-virgl.c virtio-gpu: use VIRTIO_GPU_RESOURCE_FLAG_Y_0_TOP 2021-12-21 10:50:21 +04:00
virtio-gpu.c hw/display/virtio-gpu: Protect from DMA re-entrancy bugs 2024-04-10 19:25:48 +03:00
virtio-vga-gl.c modules: introduces module_kconfig directive 2022-06-06 09:26:53 +02:00
virtio-vga.c ui/console: Do not return a value with ui_info 2022-06-14 10:34:37 +02:00
virtio-vga.h qom: Remove module_obj_name parameter from OBJECT_DECLARE* macros 2020-09-18 14:12:32 -04:00
vmware_vga.c display: include dependencies explicitly 2022-11-10 10:17:18 -05:00
xenfb.c hw/display: fix tab indentation 2022-11-08 10:23:32 +01:00
xlnx_dp.c xlnx_dp: drop unsupported AUXCommand in xlnx_dp_aux_set_command 2022-08-08 11:40:06 +02:00