Buffer Overflow Vulnerabilities in ACRN hypervisor & Device Model #1252
binbinwu1 added a commit to binbinwu1/acrn-hypervisor that referenced this issue on Sep 17, 2018:
    In the current code of suspend_iommu/resume_iommu, there is a potential buffer overflow according to the code. This patch puts the buffer in struct dmar_drhd_rt, so that there is no need to access the buffer via index.
    Signed-off-by: Binbin Wu <binbin.wu@intel.com>
    Tracked-On: projectacrn#1252
    Acked-by: Eddie Dong <eddie.dong@intel.com>
mwang106 added the type: feature (New feature), priority: medium and status: new (The issue status: new for creation) labels on Sep 17, 2018
[External_System_ID] ACRN-2145 |
lijinxia pushed a commit that referenced this issue on Sep 18, 2018:
    In the current code of suspend_iommu/resume_iommu, there is a potential buffer overflow according to the code. This patch puts the buffer in struct dmar_drhd_rt, so that there is no need to access the buffer via index.
    Signed-off-by: Binbin Wu <binbin.wu@intel.com>
    Tracked-On: #1252
    Acked-by: Eddie Dong <eddie.dong@intel.com>
yonghuah added a commit to yonghuah/acrn-hypervisor that referenced this issue on Sep 18, 2018:
    - use sizeof(struct lapic_regs), instead of arbitrary size, to clear 'apic_page' memory region in vlapic.c
    - fix potential buffer overflow issues in vpic.c & ioapic.c
    Tracked-ON: projectacrn#1252
    Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
    Acked-by: Eddie Dong <eddie.dong@intel.com>
yonghuah added a commit to yonghuah/acrn-hypervisor that referenced this issue on Sep 18, 2018:
    - use sizeof(struct lapic_regs), instead of arbitrary size, to clear 'apic_page' memory region in vlapic.c
    - fix potential buffer overflow issues in vpic.c & ioapic.c
    Tracked-On: projectacrn#1252
    Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
    Acked-by: Eddie Dong <eddie.dong@intel.com>
lijinxia pushed a commit that referenced this issue on Sep 18, 2018:
    - use sizeof(struct lapic_regs), instead of arbitrary size, to clear 'apic_page' memory region in vlapic.c
    - fix potential buffer overflow issues in vpic.c & ioapic.c
    Tracked-On: #1252
    Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
    Acked-by: Eddie Dong <eddie.dong@intel.com>
yonghuah added a commit to yonghuah/acrn-hypervisor that referenced this issue on Oct 23, 2018:
    "hw.create_vcpus++" should be after resource is enough to create one more vcpu.
    Tracked-On: projectacrn#1252
    Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
    Acked-by: Eddie Dong <eddie.dong@intel.com>
yonghuah added a commit to yonghuah/acrn-hypervisor that referenced this issue on Oct 23, 2018:
    "hw.create_vcpus++" should be under the condition that resource is enough to create one more vcpu.
    Tracked-On: projectacrn#1252
    Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
    Acked-by: Eddie Dong <eddie.dong@intel.com>
yonghuah added a commit to yonghuah/acrn-hypervisor that referenced this issue on Oct 26, 2018:
    Will attempt to access element 2048..2049 of array "ptr32" if below conditions are both true:
    1) ptr32[i] == MULTIBOOT_HEAD_MAGIC
    2) (i == (ELF_BUF_LEN/4) - 1)
    Tracked-On: projectacrn#1252
    Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
    Acked-by: Fengwei Yin <fengwei.yin@intel.com>
NanlinXie pushed a commit that referenced this issue on Oct 27, 2018:
    Will attempt to access element 2048..2049 of array "ptr32" if below conditions are both true:
    1) ptr32[i] == MULTIBOOT_HEAD_MAGIC
    2) (i == (ELF_BUF_LEN/4) - 1)
    Tracked-On: #1252
    Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
    Acked-by: Fengwei Yin <fengwei.yin@intel.com>
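The look-ahead read described in the commit message above, shown as an added example that is not ACRN's code and not part of the original issue: a scan whose loop bound covers only `ptr32[i]` beside one whose bound also covers the two words read after the magic. Only `ptr32`, `MULTIBOOT_HEAD_MAGIC`, `ELF_BUF_LEN` and the indices 2048..2049 come from the page; the function names, the checksum check and `ELF_BUF_LEN` = 8192 are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MULTIBOOT_HEAD_MAGIC 0x1BADB002U /* Multiboot v1 header magic */
#define ELF_BUF_LEN 8192U /* assumed: 2048 words, matching "element 2048..2049" */
#define ELF_WORDS (ELF_BUF_LEN / 4U)

/* Multiboot v1 rule: magic + flags + checksum == 0 (mod 2^32). */
static int header_ok(const uint32_t *h) { return (uint32_t)(h[0] + h[1] + h[2]) == 0U; }

/* Hypothetical unpatched shape: a magic in the last word reads two words past the end. */
long scan_unchecked(const uint32_t *ptr32, size_t nwords)
{
    for (size_t i = 0; i < nwords; i++)
        if (ptr32[i] == MULTIBOOT_HEAD_MAGIC && header_ok(&ptr32[i]))
            return (long)i;
    return -1;
}

/* Hardened shape: the loop ends while i + 2 is still a valid index. */
long scan_checked(const uint32_t *ptr32, size_t nwords)
{
    for (size_t i = 0; i + 2U < nwords; i++)
        if (ptr32[i] == MULTIBOOT_HEAD_MAGIC && header_ok(&ptr32[i]))
            return (long)i;
    return -1;
}

/* Constructed input: a 3-word header at magic_at. Two guard words follow the logical
 * buffer so the unchecked read stays inside backing[] in this demo. */
static uint32_t backing[ELF_WORDS + 2U];

long demo(size_t magic_at, int checked)
{
    if (magic_at >= ELF_WORDS) return -2;
    for (size_t k = 0; k < ELF_WORDS + 2U; k++) backing[k] = 0U;
    backing[magic_at] = MULTIBOOT_HEAD_MAGIC;
    backing[magic_at + 2U] = 0U - MULTIBOOT_HEAD_MAGIC; /* flags word stays 0 */
    return (checked ? scan_checked : scan_unchecked)(backing, ELF_WORDS);
}

int main(void)
{
    printf("unchecked=%ld checked=%ld\n", demo(ELF_WORDS - 1U, 0), demo(ELF_WORDS - 1U, 1));
    return 0;
}
```

With the magic in word 2047, the unchecked scan reports a header assembled from words 2048 and 2049, which lie outside the 2048-word buffer; the checked scan rejects it and still finds headers that fit entirely inside the buffer.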
yonghuah added a commit to yonghuah/acrn-hypervisor that referenced this issue on Dec 13, 2018:
    - cpu_secondary_init() @cpu.c
    - ptirq_intx_pin_remap() @ assign.c etc.
    Tracked-On: projectacrn#1252
    Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
    Acked-by: Eddie Dong <eddie.dong@intel.com>
yonghuah added a commit to yonghuah/acrn-hypervisor that referenced this issue on Dec 14, 2018:
    - cpu_secondary_init() @cpu.c
    - ptirq_intx_pin_remap() @ assign.c etc.
    Tracked-On: projectacrn#1252
    Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
    Acked-by: Eddie Dong <eddie.dong@intel.com>
wenlingz pushed a commit that referenced this issue on Dec 14, 2018:
    - cpu_secondary_init() @cpu.c
    - ptirq_intx_pin_remap() @ assign.c etc.
    Tracked-On: #1252
    Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
    Acked-by: Eddie Dong <eddie.dong@intel.com>
yonghuah added a commit to yonghuah/acrn-hypervisor that referenced this issue on Dec 18, 2018:
    - 'buffer' with size of 'buffer_cnt', will overflow in next loop if 'index == buffer_cnt - 1'.
    Tracked-On: projectacrn#1252
    Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
    Acked-by: Eddie Dong <eddie.dong@intel.com>
wenlingz pushed a commit that referenced this issue on Dec 18, 2018:
    - 'buffer' with size of 'buffer_cnt', will overflow in next loop if 'index == buffer_cnt - 1'.
    Tracked-On: #1252
    Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
    Acked-by: Eddie Dong <eddie.dong@intel.com>
Merged
wenlingz pushed a commit that referenced this issue on Dec 24, 2018:
    - 'buffer' with size of 'buffer_cnt', will overflow in next loop if 'index == buffer_cnt - 1'.
    Tracked-On: #1252
    Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
    Acked-by: Eddie Dong <eddie.dong@intel.com>
This was referenced Jan 3, 2019
wenlingz pushed a commit that referenced this issue on Jan 3, 2019:
    Array index of "vbdp_devs" may be out of bounds if "i >= XHCI_MAX_VIRT_PORTS", so index checking is necessary.
    Tracked-On: #1252
    Signed-off-by: Tianhua Sun <tianhuax.s.sun@intel.com>
    Acked-by: Yu Wang <yu1.wang@intel.com>
wenlingz pushed a commit that referenced this issue on Jan 4, 2019:
    Array index of "vbdp_devs" may be out of bounds if "i >= XHCI_MAX_VIRT_PORTS", so index checking is necessary.
    Tracked-On: #1252
    Signed-off-by: Tianhua Sun <tianhuax.s.sun@intel.com>
    Acked-by: Yu Wang <yu1.wang@intel.com>
No regression issue |
mwang106 added the status: closed (The issue been closed) label and removed the status: new (The issue status: new for creation) label on Jan 11, 2019
yonghuah added a commit to yonghuah/acrn-hypervisor that referenced this issue on Jan 25, 2019:
    'vector' should be no greater than 0xff, else 'eoi_exit_bitmap[]' will overflow.
    Tracked-On: projectacrn#1252
    Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
    Acked-by: Eddie Dong <eddie.dong@intel.com>
wenlingz pushed a commit that referenced this issue on Jan 25, 2019:
    'vector' should be no greater than 0xff, else 'eoi_exit_bitmap[]' will overflow.
    Tracked-On: #1252
    Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
    Acked-by: Eddie Dong <eddie.dong@intel.com>
yonghuah added a commit to yonghuah/acrn-hypervisor that referenced this issue on Apr 23, 2019:
    Possible buffer overflow will happen in vlapic_set_tmr() and vlapic_update_ppr(); this patch is to fix them.
    Tracked-On: projectacrn#1252
    Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
    Acked-by: Eddie Dong <eddie.dong@intel.com>
wenlingz pushed a commit that referenced this issue on Apr 23, 2019:
    Possible buffer overflow will happen in vlapic_set_tmr() and vlapic_update_ppr(); this patch is to fix them.
    Tracked-On: #1252
    Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
    Acked-by: Eddie Dong <eddie.dong@intel.com>
During code analysis, a buffer overflow condition was detected that could reach out of bounds for the index of the array object in the function. Many such instances were found to be present in the source code for the ACRN kernel and the hypervisor.