Description of problem:
`-prom-env` takes raw strings from the command-line and passes them through unvalidated into the NVRAM. It's possible to cause QEMU to abort by passing it malformed input.

```
ppc64-softmmu/qemu-system-ppc64 $(for ((x=0;x<128;x++)); do \
  echo -n " -prom-env "$(for ((y=0;y<1024;y++)); do echo -n x ; done) ; \
done)
free(): invalid next size (normal)
Aborted (core dumped)
```

Version-Release number of selected component (if applicable):
Observed upstream as of 5.1-rc4.

Expected results:
QEMU performs some light validation of the user's input such that QEMU does not crash. (What the guest does is another story.)
Thomas doesn't really work on ppc64 any more, taking this one for the POWER team instead.
The crash happens in memcpy() because nvram->buf is allocated with the default size of 64 * KiB but the total size of all the -prom-env is 128 * KiB. It seems that spapr_nvram_realize() should take the -prom-env options into account when computing the size needed for the NVRAM. I already have a tentative patch FWIW.
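The sizing problem described in the comment above, as an added example that is not QEMU's code: a simplified model of a CHRP "common" partition (16-byte header, NUL-terminated "NAME=VALUE" strings, closing NUL, length rounded to 16-byte units; the checksum byte is left zero) filled from the report's 128 strings of 1024 bytes. It measures how far the unchecked copy would run past the default 64 KiB buffer, then shows a bounded fill that refuses oversized input and the sizing rule suggested in the comment, where the NVRAM grows to fit -prom-env. All function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_NVRAM_SIZE (64 * 1024)  /* the default the report overflowed */
#define PART_HDR_LEN 16                  /* sig, checksum, len(2), name(12) */
#define PART_ALIGN 16                    /* partition length counted in 16-byte units */

/* Bytes a "common" partition needs for n "NAME=VALUE" strings:
 * header, each string with its NUL, one closing NUL, rounded to 16. */
static size_t prom_env_part_size(const char *const *envs, size_t n)
{
    size_t need = PART_HDR_LEN + 1;
    for (size_t i = 0; i < n; i++)
        need += strlen(envs[i]) + 1;
    return (need + PART_ALIGN - 1) & ~(size_t)(PART_ALIGN - 1);
}

/* The bug pattern: the buffer is sized before the strings are counted.
 * Instead of performing the out-of-bounds memcpy, report how many bytes
 * it would write past the end of a buf_size buffer. */
static size_t unchecked_overrun(size_t buf_size, const char *const *envs, size_t n)
{
    size_t need = prom_env_part_size(envs, n);
    return need > buf_size ? need - buf_size : 0;
}

/* Hardened fill: -1 when the strings do not fit, else bytes written. */
static long nvram_fill_checked(uint8_t *buf, size_t buf_size,
                               const char *const *envs, size_t n)
{
    size_t need = prom_env_part_size(envs, n);
    if (need > buf_size)
        return -1;
    memset(buf, 0, need);
    buf[0] = 0x70;                           /* CHRP system partition signature */
    memcpy(buf + 4, "common", 6);            /* partition name */
    size_t blocks = need / PART_ALIGN;
    buf[2] = (uint8_t)(blocks >> 8);         /* big-endian length in 16-byte units */
    buf[3] = (uint8_t)(blocks & 0xff);
    size_t off = PART_HDR_LEN;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(envs[i]) + 1;
        memcpy(buf + off, envs[i], len);     /* bounded by the check above */
        off += len;
    }
    return (long)need;
}

/* Sizing rule from the comment: the default size, or more if -prom-env needs it. */
static size_t nvram_size_for(const char *const *envs, size_t n)
{
    size_t need = prom_env_part_size(envs, n);
    return need > DEFAULT_NVRAM_SIZE ? need : DEFAULT_NVRAM_SIZE;
}

/* Constructed input matching the report: count strings of len 'x' bytes. */
static char **make_envs(size_t count, size_t len)
{
    char **envs = malloc(count * sizeof *envs);
    for (size_t i = 0; i < count; i++) {
        envs[i] = malloc(len + 1);
        memset(envs[i], 'x', len);
        envs[i][len] = '\0';
    }
    return envs;
}

static void free_envs(char **envs, size_t count)
{
    for (size_t i = 0; i < count; i++)
        free(envs[i]);
    free(envs);
}

/* Bytes the report's 128 x 1024 input would write past a 64 KiB buffer. */
static size_t report_overrun(void)
{
    char **e = make_envs(128, 1024);
    size_t r = unchecked_overrun(DEFAULT_NVRAM_SIZE, (const char *const *)e, 128);
    free_envs(e, 128);
    return r;
}

/* -1 with the default size; bytes written once the NVRAM is sized to fit. */
static long report_fill(int resize)
{
    char **e = make_envs(128, 1024);
    size_t size = resize ? nvram_size_for((const char *const *)e, 128) : DEFAULT_NVRAM_SIZE;
    uint8_t *buf = calloc(1, size);
    long r = nvram_fill_checked(buf, size, (const char *const *)e, 128);
    free(buf);
    free_envs(e, 128);
    return r;
}

int main(void)
{
    printf("overrun past 64 KiB: %zu bytes\n", report_overrun());
    printf("fill with default size: %ld\n", report_fill(0));
    printf("fill after resizing: %ld\n", report_fill(1));
    return 0;
}
```

With the report's input the partition needs 131232 bytes, so the unchecked copy would run 65696 bytes past a 64 KiB buffer, which matches the heap corruption the reporter saw; the checked fill rejects it at the default size and succeeds once the buffer is sized from the -prom-env strings.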
Posted some patches: http://patchwork.ozlabs.org/project/qemu-devel/list/?series=195072
Reproduced a similar issue on the following build:
qemu-kvm-5.1.0-2.module+el8.3.0+7652+b30e6901.ppc64le

```
/usr/libexec/qemu-kvm $(for ((x=0;x<128;x++)); do \
  echo -n " -prom-env "$(for ((y=0;y<1024;y++)); do echo -n x ; done) ; \
done)
malloc(): corrupted top size
Aborted (core dumped)
```
Final fix merged upstream: https://git.qemu.org/?p=qemu.git;a=commit;h=37035df51eaabb8d26b71da75b88a1c6727de8fa
Verified the bug on the following build:
kernel-4.18.0-236.el8.ppc64le
qemu-kvm-5.1.0-6.module+el8.3.0+8041+42ff16b8.ppc64le

Steps: please refer to comment 4.
Actual results: qemu-kvm worked well, no core dump issue.
Expected results: no core dump issue any more.

So the issue has been fixed; moving this bug to VERIFIED, thanks.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (virt:8.3 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:5137