
Re: [Qemu-devel] [security bug]code_gen_buffer can be overflowed


From: Blue Swirl
Subject: Re: [Qemu-devel] [security bug]code_gen_buffer can be overflowed
Date: Sat, 1 Dec 2007 19:51:52 +0200

On 12/1/07, TeLeMan <address@hidden> wrote:
>
>
> Blue Swirl-2 wrote:
> >
> > On 11/28/07, TeLeMan <address@hidden> wrote:
> >>
> >> dyngen_code() can generate more than CODE_GEN_MAX_SIZE bytes, so
> >> code_gen_buffer can be overflowed. I hope this security bug will be fixed soon.
> >
> > Thank you for the analysis. It's true that cpu_gen_code does not pass
> > CODE_GEN_MAX_SIZE (65536) on to gen_intermediate_code and that should
> > be fixed. But gen_intermediate_code can only add OPC_MAX_SIZE (512 -
> > 32) instructions more, so there is no security bug.
> >
> >
>
> This POC is a Windows exe and was tested on QEMU v0.9.0 (guest OS is Windows
> XP SP2).
> This overflow will overwrite the TranslationBlock buffer.
>
> http://www.nabble.com/file/p14101223/qemu-dos.rar qemu-dos.rar

I see my error: gen_intermediate_code produces ops, not host
instructions. For each op several host instructions are generated; for
Sparc32 the maximum on my machine is 170, but for ARM it can be 840. In
the worst case (512 - 32) * 840 = 403200 bytes are generated, so a
buffer overflow is indeed possible.

I can see a few possible fixes for this.

The buffer size can be increased from 64k to 512k or the buffer can be
allocated dynamically after calculating the maximum instruction size.

OPC_BUF_SIZE can be decreased from 512 to 50.

All ops can be made smaller by introducing more helpers.

The dyngen_code loop could check the buffer size.
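The arithmetic in the message, and the last of the proposed fixes (a size check in the emitting loop), as an added example that is not part of the thread or of QEMU's own code. The constants CODE_GEN_MAX_SIZE, OPC_BUF_SIZE and the 170/840 per-op figures are the ones quoted above; the emitter, its op-size table and the sample translation block are constructed stand-ins for dyngen_code and its input, not the real translator. Note that with the quoted numbers even the Sparc32 figure exceeds 64k in the worst case (480 * 170 = 81600).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants as quoted in the thread (QEMU 0.9.0). */
#define CODE_GEN_MAX_SIZE 65536
#define OPC_BUF_SIZE      512
#define OPC_MAX_SIZE      (OPC_BUF_SIZE - 32)   /* 480 ops per TB */

/* Host bytes emitted per op. The thread quotes 170 (Sparc32) and 840 (ARM)
 * as observed maxima; they are used here only as sample values. */
#define SPARC32_MAX_OP_BYTES 170
#define ARM_MAX_OP_BYTES     840

/* Stand-in for code_gen_buffer. In QEMU other data (the TranslationBlock
 * array, per the PoC) sits after it, which is what an unchecked overrun clobbers. */
static uint8_t code_gen_buffer[CODE_GEN_MAX_SIZE];

/* Worst case the unchecked loop can emit: OPC_MAX_SIZE ops, each expanding
 * to the largest host template. This is the arithmetic in the message. */
size_t worst_case_bytes(size_t max_op_bytes)
{
    return (size_t)OPC_MAX_SIZE * max_op_bytes;
}

/* Does that worst case fit in code_gen_buffer? */
int worst_case_fits(size_t max_op_bytes)
{
    return worst_case_bytes(max_op_bytes) <= CODE_GEN_MAX_SIZE;
}

/*
 * Hypothetical checked emitter, modelled on the "dyngen_code loop could
 * check the buffer size" option. op_sizes[i] is the host-template length
 * of op i (constructed input, not real dyngen output). Ops are copied into
 * buf only while they fit; returns the number of ops emitted and stores
 * the byte length in *out_len. A return value smaller than nops tells the
 * caller the TB must be cut short or retried with a smaller op limit
 * instead of running off the end of the buffer.
 */
int gen_code_checked(uint8_t *buf, size_t cap,
                     const size_t *op_sizes, int nops, size_t *out_len)
{
    size_t used = 0;
    int i;
    for (i = 0; i < nops; i++) {
        /* used <= cap always holds, so cap - used cannot underflow. */
        if (op_sizes[i] > cap - used)
            break;
        /* Fake "host code": tag the op's bytes with its index. */
        memset(buf + used, (int)(i & 0xff), op_sizes[i]);
        used += op_sizes[i];
    }
    *out_len = used;
    return i;
}

/* Drive the checked emitter with a TB of OPC_MAX_SIZE ops that all expand
 * to op_bytes host bytes; returns how many of them fit in code_gen_buffer. */
int ops_that_fit(size_t op_bytes)
{
    size_t sizes[OPC_MAX_SIZE];
    size_t len;
    for (int i = 0; i < OPC_MAX_SIZE; i++)
        sizes[i] = op_bytes;
    return gen_code_checked(code_gen_buffer, sizeof code_gen_buffer,
                            sizes, OPC_MAX_SIZE, &len);
}

int main(void)
{
    printf("ARM worst case: %zu bytes, fits in 64k: %d\n",
           worst_case_bytes(ARM_MAX_OP_BYTES), worst_case_fits(ARM_MAX_OP_BYTES));
    printf("Sparc32 worst case: %zu bytes, fits in 64k: %d\n",
           worst_case_bytes(SPARC32_MAX_OP_BYTES), worst_case_fits(SPARC32_MAX_OP_BYTES));
    printf("840-byte ops that fit in 64k before the check stops: %d of %d\n",
           ops_that_fit(ARM_MAX_OP_BYTES), OPC_MAX_SIZE);
    return 0;
}
```

The check is per op rather than per TB because only the loop knows each op's actual host size; a single up-front comparison against OPC_MAX_SIZE times the largest template would reject many blocks that fit comfortably.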
