Bug 1867739

Summary: -prom-env does not validate input
Product: Red Hat Enterprise Linux Advanced Virtualization
Reporter: John Snow <jsnow>
Component: qemu-kvm
Assignee: Greg Kurz <gkurz>
qemu-kvm sub component: Devices
QA Contact: Min Deng <mdeng>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
CC: dgibson, gkurz, jinzhao, juzhang, lvivier, qzhang, virt-maint, yihyu
Version: 8.3
Keywords: Triaged
Target Milestone: rc
Target Release: 8.3
Hardware: ppc64
OS: All
Fixed In Version: qemu-kvm-5.1.0-5.module+el8.3.0+7975+b80d25f1
Doc Type: If docs needed, set a value
Last Closed: 2020-11-17 17:50:26 UTC
Type: Bug

Description John Snow 2020-08-10 16:01:36 UTC
Description of problem:

`-prom-env` takes raw strings from the command-line and passes them through unvalidated into the NVRAM. It's possible to cause QEMU to abort by passing it malformed input.

```
ppc64-softmmu/qemu-system-ppc64 $(for ((x=0;x<128;x++)); do \
 echo -n " -prom-env "$(for ((y=0;y<1024;y++)); do echo -n x ; done) ; \
done)
free(): invalid next size (normal)
Aborted (core dumped)
```

Version-Release number of selected component (if applicable):

Observed upstream as of 5.1-rc4.

Expected results: QEMU performs some light validation of the user's input such that QEMU does not crash. (What the guest does is another story.)

Comment 1 David Gibson 2020-08-11 01:39:01 UTC
Thomas doesn't really work on ppc64 any more, taking this one for the POWER team instead.

Comment 2 Greg Kurz 2020-08-11 10:45:26 UTC
The crash happens in memcpy() because nvram->buf is allocated with
the default size of 64 * KiB but the total size of all the -prom-env
is 128 * KiB.

It seems that spapr_nvram_realize() should take the -prom-env options
into account when computing the size needed for the NVRAM.

I already have a tentative patch FWIW.
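
A minimal model of the sizing check comment 2 calls for, added here as an illustration (this is not QEMU's spapr_nvram code nor the posted patch): the total size of the -prom-env strings is computed before anything is copied, and the buffer is either grown to fit or the input is rejected, so the memcpy can no longer run past a 64 KiB buffer. All names and the "value\0" storage layout are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define DEFAULT_NVRAM_SIZE (64 * 1024)

/* Constructed model of an NVRAM image; not QEMU's spapr_nvram code. */
struct nvram { unsigned char *buf; size_t size; size_t used; };
/* Bytes needed to store each -prom-env string as "value\0" (SIZE_MAX on wrap). */
size_t prom_env_total(const char *const *envs, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(envs[i]) + 1;
        if (len > SIZE_MAX - total) return SIZE_MAX;
        total += len;
    }
    return total;
}

/* size == 0: size the buffer from the options, as comment 2 suggests. Fixed
 * size: reject input that does not fit before copying anything, instead of
 * memcpy'ing past the end. Returns 0 on success, -1 on error (buf stays NULL). */
int nvram_realize(struct nvram *nv, size_t size, const char *const *envs, size_t n)
{
    size_t need = prom_env_total(envs, n);
    *nv = (struct nvram){0};
    nv->size = size ? size : (need > DEFAULT_NVRAM_SIZE ? need : DEFAULT_NVRAM_SIZE);
    if (need == SIZE_MAX || need > nv->size) return -1;
    if (!(nv->buf = calloc(nv->size, 1))) return -1;
    for (size_t i = 0; i < n; i++) {          /* sum of lengths <= nv->size */
        size_t len = strlen(envs[i]) + 1;
        memcpy(nv->buf + nv->used, envs[i], len);
        nv->used += len;
    }
    return 0;
}

/* Rebuilds the report's input (128 entries of 1024 'x') and realizes it;
 * returns the chosen buffer size, or 0 if the input was rejected. */
size_t realize_report_input(size_t fixed_size)
{
    enum { N = 128, LEN = 1024 };
    static char entries[N][LEN + 1];
    const char *envs[N];
    for (size_t i = 0; i < N; i++) { memset(entries[i], 'x', LEN); entries[i][LEN] = 0; envs[i] = entries[i]; }
    struct nvram nv;
    size_t chosen = nvram_realize(&nv, fixed_size, envs, N) == 0 ? nv.size : 0;
    free(nv.buf);
    return chosen;
}
```

With the default 64 KiB buffer the report's input is refused up front; with option-derived sizing it is accepted in a 131200-byte buffer.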

Comment 3 Greg Kurz 2020-08-11 15:39:42 UTC
Posted some patches:

http://patchwork.ozlabs.org/project/qemu-devel/list/?series=195072

Comment 4 Min Deng 2020-08-13 08:03:34 UTC
Reproduced a similar issue on the following builds:
qemu-kvm-5.1.0-2.module+el8.3.0+7652+b30e6901.ppc64le

```
/usr/libexec/qemu-kvm $(for ((x=0;x<128;x++)); do \
>  echo -n " -prom-env "$(for ((y=0;y<1024;y++)); do echo -n x ; done) ; \
> done)
malloc(): corrupted top size
Aborted (core dumped)
```

Comment 5 Greg Kurz 2020-09-01 16:19:55 UTC
Final fix merged upstream:

https://git.qemu.org/?p=qemu.git;a=commit;h=37035df51eaabb8d26b71da75b88a1c6727de8fa

Comment 10 Min Deng 2020-09-14 15:39:39 UTC
Verified the bug on the following build:
kernel-4.18.0-236.el8.ppc64le
qemu-kvm-5.1.0-6.module+el8.3.0+8041+42ff16b8.ppc64le
Steps: please refer to comment 4.
Actual results:
qemu-kvm worked well, no core dump issue.
Expected results:
no core dump issue any more.

So the issue has been fixed, move this bug to be verified, thanks.

Comment 13 errata-xmlrpc 2020-11-17 17:50:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (virt:8.3 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:5137