ioemu: Fix PVFB backend to validate frontend's frame buffer description
A buggy or malicious frontend can describe its shared framebuffer to
the backend in a way that makes the backend map an arbitrary amount of
guest memory, malloc an arbitrarily large internal buffer, copy
arbitrary memory to that buffer, even beyond its end. A domU running
a malicious frontend can abuse the former two for denial of service
attacks against dom0. It can abuse the third to write arbitrary
backend memory. It can abuse all three to terminate or crash the
backend. Arbitrary code execution looks quite feasible.
In more detail (ignoring #ifdef CONFIG_STUBDOM code):
The frame buffer is described by the following parameters:
* fb_len (size of shared framebuffer)
* width, height, depth
* row_stride, offset
fb_len is fixed on startup. The frontend can modify the other
parameters by sending a XENFB_TYPE_RESIZE event.
xenfb_read_frontend_fb_config() limits fb_len according to backend
configuration parameter videoram (from xenstore), if present. I
believe videoram is not present by default.
xenfb_map_fb() uses fb_len to map the frontend's framebuffer.
The frontend can make it map arbitrarily much, unless limited by the
videoram configuration parameter. This flaw always existed.
xenfb_register_console() and xenfb_on_fb_event() pass width, height,
depth and rowstride to QEMU's DisplayState object. The object sets
itself up to work directly on the framebuffer (shared_buf true) if
parameters allow that. Else it allocates an internal buffer of size
height * width * depth / 8 (shared_buf false).
The frontend can make it allocate arbitrarily much. This flaw always
existed.
xenfb_register_console() and xenfb_on_fb_event() pass width, height,
depth and rowstride to QEMU's DisplayState object. The object sets
itself up to work directly on the framebuffer (shared_buf true) if
parameters allow that. Else it allocates an internal buffer of size
height * width * depth / 8 (shared_buf false).
The frontend can make it allocate arbitrarily much. This flaw was
introduced by the move of PVFB into QEMU (xen-unstable cset 16220
ff).
xenfb_on_fb_event() uses width and height to clip the area of an
update event. It then passes that area to xenfb_guest_copy().
xenfb_invalidate() passes the complete screen area to
xenfb_guest_copy(). xenfb_guest_copy() copies the argument area (x,
y, w, h) into the internal buffer, unless shared_buf is true. This
copies h blocks of memory. The i-th copy (counting from zero) copies
w * depth / 8 bytes
from
shared framebuffer + offset + (y + i) * row_stride + x * depth / 8
to
internal buffer + (y + i) * ds->linesize + x * ds->depth / 8
where ds->linesize and ds->depth are parameters of the internal buffer
chosen by the backend.
This copy can be made to read from the shared framebuffer and write to
the internal buffer out of bounds. I believe the frontend can abuse
this to write arbitrary backend memory.
The flaw in its current form was introduced by the move of PVFB into
QEMU (xen-unstable cset 16220 ff). Before, the framebuffer was always
shared.
From: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
projects / xen.git / commit