From: Michael Roth
Subject: [Qemu-stable] [PATCH 029/156] vmxnet3: validate queues configuration coming from guest
Date: Tue, 8 Jul 2014 12:17:00 -0500

From: Dmitry Fleytman <address@hidden>
CVE-2013-4544
Signed-off-by: Dmitry Fleytman <address@hidden>
Reported-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Dr. David Alan Gilbert <address@hidden>
Message-id: address@hidden
Signed-off-by: Peter Maydell <address@hidden>
(cherry picked from commit 9878d173f574df74bde0ff50b2f81009fbee81bb)
Signed-off-by: Michael Roth <address@hidden>
---
hw/net/vmxnet3.c | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index 7c709ca..0dd8c7a 100644
--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
@@ -1336,6 +1336,23 @@ static void vmxnet3_validate_interrupts(VMXNET3State *s)
}
}
+static void vmxnet3_validate_queues(VMXNET3State *s)
+{
+ /*
+ * txq_num and rxq_num are total number of queues
+ * configured by guest. These numbers must not
+ * exceed corresponding maximal values.
+ */
+
+ if (s->txq_num > VMXNET3_DEVICE_MAX_TX_QUEUES) {
+ hw_error("Bad TX queues number: %d\n", s->txq_num);
+ }
+
+ if (s->rxq_num > VMXNET3_DEVICE_MAX_RX_QUEUES) {
+ hw_error("Bad RX queues number: %d\n", s->rxq_num);
+ }
+}
+
static void vmxnet3_activate_device(VMXNET3State *s)
{
int i;
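Review bot: in vmxnet3_validate_queues() both checks bound txq_num and rxq_num only from above, so a guest-supplied count of 0 passes validation; if the activation code that follows expects at least one queue of each kind, reject 0 here as well. The two hw_error() messages also print the counts with %d, while the VMW_CFPRN line in vmxnet3_activate_device prints the same fields with %u; using %u in both messages would keep them consistent. The comment would be more useful if it said that these values are read from memory the guest writes, which is why they have to be checked before use.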
@@ -1382,7 +1399,7 @@ static void vmxnet3_activate_device(VMXNET3State *s)
VMXNET3_READ_DRV_SHARED8(s->drv_shmem, devRead.misc.numRxQueues);
VMW_CFPRN("Number of TX/RX queues %u/%u", s->txq_num, s->rxq_num);
- assert(s->txq_num <= VMXNET3_DEVICE_MAX_TX_QUEUES);
+ vmxnet3_validate_queues(s);
qdescr_table_pa =
VMXNET3_READ_DRV_SHARED64(s->drv_shmem, devRead.misc.queueDescPA);
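Review bot: at the vmxnet3_validate_queues(s) call in vmxnet3_activate_device, an out-of-range queue count still ends in hw_error(), which aborts the whole QEMU process, so a guest that writes a bad count into the driver shared area can still take its own VM down. Consider having the validator return a status and leaving the device inactive on failure rather than aborting. Since the helper returns void, a short comment at the call site saying that it does not return on failure would also make clear why the queueDescPA read that follows is safe to reach.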
--
1.9.1