
Fix: Potential Vulnerability in Cloned Function

Open tabudz opened this issue 10 months ago • 5 comments

Description

This PR fixes a security vulnerability in address_space_translate_for_iotlb() that was cloned from qemu but did not receive the security patch. The original issue was reported and fixed under https://github.com/qemu/qemu/commit/418ade7849ce7641c0f7333718caf5091a02fd4c. This PR applies the same patch to eliminate the vulnerability.

References

https://nvd.nist.gov/vuln/detail/CVE-2022-35414
https://github.com/qemu/qemu/commit/418ade7849ce7641c0f7333718caf5091a02fd4c

tabudz avatar Feb 20 '25 15:02 tabudz

The backport is failing CI. Could you adapt it?

wtdcode avatar Feb 20 '25 15:02 wtdcode

What do you think went wrong here? I applied the same fix as in the original commit.

tabudz avatar Feb 20 '25 15:02 tabudz

TARGET_PAGE_MASK is not constant in Unicorn and you need to adapt it accordingly.

wtdcode avatar Feb 21 '25 02:02 wtdcode

But TARGET_PAGE_MASK appears multiple times in the same file, doesn't it?

tabudz avatar Feb 21 '25 13:02 tabudz

Yes, but TARGET_PAGE_MASK is defined as "uc->init_target_page->mask", and in this function uc is not defined. So to fix it you need struct uc_struct *uc = cpu->uc; in that function. Have you even tried to compile this before you opened the PR?

PhilippTakacs avatar Feb 21 '25 13:02 PhilippTakacs
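Added example, not code from this PR, from Unicorn or from QEMU: a constructed C sketch of the two points raised in the thread. The linked QEMU commit concerns always initializing the xlat out-parameter of address_space_translate_for_iotlb(), including on the translate-fail path, so the first part shows a translate function whose out-parameters are written only on the success path next to a version that writes them on every path, with a check that detects the difference. The second part shows why TARGET_PAGE_MASK, which the thread says is defined as uc->init_target_page->mask, needs a local uc obtained from cpu->uc. The structure layouts, the toy memory map, the addresses and the values chosen for the failure path are all assumptions for illustration, not the real definitions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t hwaddr;

/* Constructed stand-ins for the Unicorn structures the thread mentions
 * (assumed shapes, not Unicorn's real definitions). */
typedef struct { hwaddr mask; } TargetPageBits;
struct uc_struct { TargetPageBits *init_target_page; };
typedef struct { struct uc_struct *uc; } CPUState;

/* As stated in the thread: the mask is read from the uc instance at runtime,
 * so this macro only compiles inside a function that has a local `uc`. */
#define TARGET_PAGE_MASK (uc->init_target_page->mask)

typedef struct { bool is_ram; hwaddr base; hwaddr size; } MemoryRegionSection;

/* Toy memory map (constructed): one RAM section, everything else unassigned. */
static MemoryRegionSection ram_section = { true, 0x1000, 0x4000 };
static MemoryRegionSection unassigned_section = { false, 0, 0 };

typedef MemoryRegionSection *(*translate_fn)(CPUState *, hwaddr, hwaddr *, hwaddr *);

/* Buggy shape: *xlat and *plen are written only on the success path, so on
 * the unmapped-address path the caller consumes whatever was on its stack. */
static MemoryRegionSection *translate_buggy(CPUState *cpu, hwaddr addr,
                                            hwaddr *xlat, hwaddr *plen)
{
    struct uc_struct *uc = cpu->uc;   /* required for TARGET_PAGE_MASK below */
    hwaddr page = addr & TARGET_PAGE_MASK;

    if (page >= ram_section.base && page < ram_section.base + ram_section.size) {
        *xlat = addr - ram_section.base;
        *plen = ram_section.base + ram_section.size - addr;
        return &ram_section;
    }
    /* translate-fail path: out-parameters left untouched */
    return &unassigned_section;
}

/* Fixed shape: every return path assigns the out-parameters. Filling in the
 * untranslated address and a zero length is this example's choice. */
static MemoryRegionSection *translate_fixed(CPUState *cpu, hwaddr addr,
                                            hwaddr *xlat, hwaddr *plen)
{
    struct uc_struct *uc = cpu->uc;
    hwaddr page = addr & TARGET_PAGE_MASK;

    *xlat = addr;
    *plen = 0;
    if (page >= ram_section.base && page < ram_section.base + ram_section.size) {
        *xlat = addr - ram_section.base;
        *plen = ram_section.base + ram_section.size - addr;
        return &ram_section;
    }
    return &unassigned_section;
}

/* Sentinel standing in for leftover stack contents. */
#define STACK_GARBAGE ((hwaddr)0xDEADBEEFCAFEBABEULL)

static CPUState make_cpu(TargetPageBits *tp, struct uc_struct *inst)
{
    tp->mask = ~(hwaddr)0xfff;        /* 4 KiB pages, configured per instance */
    inst->init_target_page = tp;
    CPUState cpu = { inst };
    return cpu;
}

/* True if fn writes both out-parameters on the unmapped-address path. */
static bool writes_outputs_on_fail(translate_fn fn)
{
    TargetPageBits tp;
    struct uc_struct inst;
    CPUState cpu = make_cpu(&tp, &inst);
    hwaddr xlat = STACK_GARBAGE, plen = STACK_GARBAGE;
    MemoryRegionSection *s = fn(&cpu, 0x9000, &xlat, &plen);   /* not mapped */
    return !s->is_ram && xlat != STACK_GARBAGE && plen != STACK_GARBAGE;
}

/* Offset returned for a mapped address; identical for both versions. */
static hwaddr mapped_offset(translate_fn fn, hwaddr addr)
{
    TargetPageBits tp;
    struct uc_struct inst;
    CPUState cpu = make_cpu(&tp, &inst);
    hwaddr xlat = STACK_GARBAGE, plen = STACK_GARBAGE;
    fn(&cpu, addr, &xlat, &plen);
    return xlat;
}

int main(void)
{
    printf("buggy writes outputs on fail: %d\n", writes_outputs_on_fail(translate_buggy));
    printf("fixed writes outputs on fail: %d\n", writes_outputs_on_fail(translate_fixed));
    printf("fixed offset for 0x2010: 0x%llx\n",
           (unsigned long long)mapped_offset(translate_fixed, 0x2010));
    return 0;
}
```

Compile with -Wall and the point about the macro becomes visible immediately: delete the `struct uc_struct *uc = cpu->uc;` line from either translate function and the build fails with an undeclared `uc`, which is the CI failure the thread describes. The sentinel check is the kind of regression test worth keeping alongside a backport of this fix, since an uninitialized out-parameter does not show up under normal inputs.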