Buffer Overflow Vulnerabilities in ACRN hypervisor & Device Model #1252

yonghuah · 2018-09-17T02:01:34Z

During code analysis, a buffer overflow condition was detected that could reach out of bounds for the index of the array object in
the function. Many such instances were found to be present in the source code for the ACRN kernel and the hypervisor.

In current code of suspend_iommu/resume_iommu, there is potential buffer overflow according to the code. This patch put the buffer to struct dmar_drhd_rt, so that no need to access the buffer via index. Signed-off-by: Binbin Wu <binbin.wu@intel.com> Tracked-On: projectacrn#1252 Acked-by: Eddie Dong <eddie.dong@intel.com>

mwang106 · 2018-09-17T02:44:16Z

[External_System_ID] ACRN-2145

In current code of suspend_iommu/resume_iommu, there is potential buffer overflow according to the code. This patch put the buffer to struct dmar_drhd_rt, so that no need to access the buffer via index. Signed-off-by: Binbin Wu <binbin.wu@intel.com> Tracked-On: projectacrn#1252 Acked-by: Eddie Dong <eddie.dong@intel.com>

In current code of suspend_iommu/resume_iommu, there is potential buffer overflow according to the code. This patch put the buffer to struct dmar_drhd_rt, so that no need to access the buffer via index. Signed-off-by: Binbin Wu <binbin.wu@intel.com> Tracked-On: #1252 Acked-by: Eddie Dong <eddie.dong@intel.com>

- use sizeof(struct lapic_regs),instead of arbitrary size to lear 'apic_page' memory region in vlapic.c - fix potential buffer overflow issues in vpic.c & ioapic.c Tracked-ON: projectacrn#1252 Signed-off-by: Yonghua Huang <yonghua.huang@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>

- use sizeof(struct lapic_regs),instead of arbitrary size to lear 'apic_page' memory region in vlapic.c - fix potential buffer overflow issues in vpic.c & ioapic.c Tracked-On: projectacrn#1252 Signed-off-by: Yonghua Huang <yonghua.huang@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>

- use sizeof(struct lapic_regs),instead of arbitrary size to lear 'apic_page' memory region in vlapic.c - fix potential buffer overflow issues in vpic.c & ioapic.c Tracked-On: #1252 Signed-off-by: Yonghua Huang <yonghua.huang@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>

"hw.create_vcpus++" should be after resource is enough to create one more vcpu. Tracked-On: projectacrn#1252 Signed-off-by: Yonghua Huang <yonghua.huang@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>

"hw.create_vcpus++" should be under the condition that resource is enough to create one more vcpu. Tracked-On: projectacrn#1252 Signed-off-by: Yonghua Huang <yonghua.huang@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>

Will attempt to access element 2048..2049 of array "ptr32" if below conditions are both true: 1) ptr32[i] == MULTIBOOT_HEAD_MAGIC 2) (i == (ELF_BUF_LEN/4) - 1) Tracked-On: projectacrn#1252 Signed-off-by: Yonghua Huang <yonghua.huang@intel.com> Acked-by: Fengwei Yin <fengwei.yin@intel.com>

Will attempt to access element 2048..2049 of array "ptr32" if below conditions are both true: 1) ptr32[i] == MULTIBOOT_HEAD_MAGIC 2) (i == (ELF_BUF_LEN/4) - 1) Tracked-On: #1252 Signed-off-by: Yonghua Huang <yonghua.huang@intel.com> Acked-by: Fengwei Yin <fengwei.yin@intel.com>

- cpu_secondary_init() @cpu.c - ptirq_intx_pin_remap() @ assign.c etc. Tracked-On: projectacrn#1252 Signed-off-by: Yonghua Huang <yonghua.huang@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>

- cpu_secondary_init() @cpu.c - ptirq_intx_pin_remap() @ assign.c etc. Tracked-On: #1252 Signed-off-by: Yonghua Huang <yonghua.huang@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>

- 'buffer'with size of 'buffer_cnt', will overflow in next loop if 'index == buffer_cnt - 1'. Tracked-On: projectacrn#1252 Signed-off-by: Yonghua Huang <yonghua.huang@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>

- 'buffer'with size of 'buffer_cnt', will overflow in next loop if 'index == buffer_cnt - 1'. Tracked-On: #1252 Signed-off-by: Yonghua Huang <yonghua.huang@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>

Array index of "vbdp_devs" may be out of bounds if "i >= XHCI_MAX_VIRT_PORTS", so index checking is necessary. Tracked-On: #1252 Signed-off-by: Tianhua Sun <tianhuax.s.sun@intel.com> Acked-by: Yu Wang <yu1.wang@intel.com>

mwang106 · 2019-01-11T06:42:34Z

No regression issue

'vector' should be no greater than 0xff,else 'eoi_exit_bitmap[]' will overflow. Tracked-On: projectacrn#1252 Signed-off-by: Yonghua Huang <yonghua.huang@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>

'vector' should be no greater than 0xff,else 'eoi_exit_bitmap[]' will overflow. Tracked-On: #1252 Signed-off-by: Yonghua Huang <yonghua.huang@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>

Possible buffer overflow will happen in vlapic_set_tmr() and vlapic_update_ppr(),this path is to fix them. Tracked-On: projectacrn#1252 Signed-off-by: Yonghua Huang <yonghua.huang@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>

Possible buffer overflow will happen in vlapic_set_tmr() and vlapic_update_ppr(),this path is to fix them. Tracked-On: #1252 Signed-off-by: Yonghua Huang <yonghua.huang@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>

binbinwu1 mentioned this issue Sep 17, 2018

hv: vtd: fix potential buffer overflow in suspend/resume #1253

Merged

mwang106 added type: feature New feature priority: medium status: new The issue status: new for creation labels Sep 17, 2018

yonghuah mentioned this issue Sep 18, 2018

HV:fix potential buffer overflow issues #1276

Merged

hwang37 added this to v0.8 in Roadmap Oct 10, 2018

yonghuah mentioned this issue Oct 23, 2018

hv: fix problemtic logic in create_vcpu() #1560

Closed

yonghuah mentioned this issue Oct 26, 2018

dm: fix possible buffer overflow in 'acrn_load_elf()' #1613

Merged

hwang37 added this to the v0.8 milestone Nov 16, 2018

yonghuah mentioned this issue Dec 13, 2018

hv: fix possible buffer overflow issues #2061

Merged

yonghuah mentioned this issue Dec 18, 2018

hv:fix possible buffer overflow in 'ptirq_get_intr_data()' #2093

Merged

tianhuas mentioned this issue Dec 21, 2018

Apl sdc stable #2150

Merged

This was referenced Jan 3, 2019

DM: xHCI: array bound checking before it is used #2232

Closed

DM: xHCI: array bound checking before it is used #2233

Merged

array bound checking before it is used #2234

Merged

mwang106 closed this as completed Jan 11, 2019

mwang106 added status: closed The issue been closed and removed status: new The issue status: new for creation labels Jan 11, 2019

yonghuah mentioned this issue Jan 25, 2019

hv: fix possible buffer overflow in 'vcpu_set_eoi_exit()' #2418

Merged

yonghuah mentioned this issue Apr 23, 2019

hv: fix possible buffer overflow in vlapic.c #2996

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Buffer Overflow Vulnerabilities in ACRN hypervisor & Device Model #1252

Buffer Overflow Vulnerabilities in ACRN hypervisor & Device Model #1252

yonghuah commented Sep 17, 2018

mwang106 commented Sep 17, 2018 •

edited by Mingyuan18

mwang106 commented Jan 11, 2019

Buffer Overflow Vulnerabilities in ACRN hypervisor & Device Model #1252

Buffer Overflow Vulnerabilities in ACRN hypervisor & Device Model #1252

Comments

yonghuah commented Sep 17, 2018

mwang106 commented Sep 17, 2018 • edited by Mingyuan18

mwang106 commented Jan 11, 2019

mwang106 commented Sep 17, 2018 •

edited by Mingyuan18