From: Michael Roth
Subject: [Qemu-stable] [PATCH 007/108] virtio-net: out-of-bounds buffer write on invalid state load
Date: Wed, 6 Aug 2014 15:38:17 -0500
From: "Michael S. Tsirkin" <address@hidden>
CVE-2013-4150 QEMU 1.5.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c
This code is in hw/net/virtio-net.c:
    if (n->max_queues > 1) {
        if (n->max_queues != qemu_get_be16(f)) {
            error_report("virtio-net: different max_queues ");
            return -1;
        }
        n->curr_queues = qemu_get_be16(f);
        for (i = 1; i < n->curr_queues; i++) {
            n->vqs[i].tx_waiting = qemu_get_be32(f);
        }
    }
Number of vqs is max_queues, so if we get invalid input here,
for example if max_queues = 2, curr_queues = 3, we get a
write beyond the end of the buffer, with data that comes from
the wire.
This might be used to corrupt qemu memory in hard to predict ways.
Since we have lots of function pointers around, RCE might be possible.
Signed-off-by: Michael S. Tsirkin <address@hidden>
Acked-by: Jason Wang <address@hidden>
Reviewed-by: Michael Roth <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit eea750a5623ddac7a61982eec8f1c93481857578)
Signed-off-by: Michael Roth <address@hidden>
---
hw/net/virtio-net.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index 33bd233..0a8cb40 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -1407,6 +1407,11 @@ static int virtio_net_load(QEMUFile *f, void *opaque,
int version_id)
}
n->curr_queues = qemu_get_be16(f);
+ if (n->curr_queues > n->max_queues) {
+ error_report("virtio-net: curr_queues %x > max_queues %x",
+ n->curr_queues, n->max_queues);
+ return -1;
+ }
for (i = 1; i < n->curr_queues; i++) {
n->vqs[i].tx_waiting = qemu_get_be32(f);
}
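Review bot: the new `if (n->curr_queues > n->max_queues)` test only bounds the value from above, so a curr_queues of 0 read from the stream still passes and is left in n->curr_queues for everything that runs after the load; the loop itself is safe with that value because it starts at i = 1 and now stays below max_queues. If a queue count below 1 is not a valid state, tighten it to `if (n->curr_queues < 1 || n->curr_queues > n->max_queues)` so the same error path rejects it. Minor: printing two queue counts with %x gives hex in the error message; %u reads more naturally for a count.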
--
1.9.1
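The out-of-bounds write described in the commit message, reproduced as a stand-alone C model. This is an added example, not QEMU code and not part of the original message. It assumes a device with max_queues = 2 whose vqs[] is followed by two words of other device state, a constructed state stream in the big-endian field order the quoted load code reads, and stand-in names (struct dev, struct stream, load_unchecked, load_checked, demo) that do not exist in QEMU:

```c
/* Added example, not QEMU code: models the multiqueue branch of
 * virtio_net_load() quoted above; all names here are this example's own. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#define MAX_QUEUES 2            /* n->max_queues: entries in n->vqs[] */
#define N_SLOTS    4            /* vqs[] plus two words of "other" state */
#define CANARY     0xA5A5A5A5u

/* words[0..MAX_QUEUES-1] play n->vqs[i].tx_waiting; the rest stand in for
 * whatever follows vqs[] in VirtIONet.  One flat array keeps the demo's
 * out-of-bounds vqs[] write well defined and observable. */
struct dev {
    uint16_t max_queues, curr_queues;
    uint32_t words[N_SLOTS];
};

/* Constructed stand-in for QEMUFile: big-endian reads, 0 past the end. */
struct stream { const uint8_t *p; size_t len, off; };

static uint8_t get_byte(struct stream *s)
{ return s->off < s->len ? s->p[s->off++] : 0; }
static uint16_t get_be16(struct stream *s)
{ uint16_t hi = get_byte(s); return (uint16_t)(hi << 8 | get_byte(s)); }
static uint32_t get_be32(struct stream *s)
{ uint32_t hi = get_be16(s); return hi << 16 | get_be16(s); }

/* The load path before the patch.  The "i < N_SLOTS" term only keeps this
 * demo inside its own array; the real loop had no such limit. */
static int load_unchecked(struct dev *n, struct stream *s)
{
    if (n->max_queues > 1) {
        if (n->max_queues != get_be16(s))
            return -1;                        /* "different max_queues" */
        n->curr_queues = get_be16(s);         /* comes straight off the wire */
        for (int i = 1; i < n->curr_queues && i < N_SLOTS; i++)
            n->words[i] = get_be32(s);        /* n->vqs[i].tx_waiting = ... */
    }
    return 0;
}

/* The same path with the patch's bound check in place. */
static int load_checked(struct dev *n, struct stream *s)
{
    if (n->max_queues > 1) {
        if (n->max_queues != get_be16(s))
            return -1;
        n->curr_queues = get_be16(s);
        if (n->curr_queues > n->max_queues)   /* vqs[] has max_queues entries */
            return -1;
        for (int i = 1; i < n->curr_queues; i++)
            n->words[i] = get_be32(s);
    }
    return 0;
}

/* Trailing words that no longer hold the canary: state beyond vqs[]
 * that a real device would have had overwritten with wire data. */
static int canaries_clobbered(const struct dev *n)
{
    int c = 0;
    for (int i = MAX_QUEUES; i < N_SLOTS; i++)
        c += n->words[i] != CANARY;
    return c;
}

/* Constructed state stream: be16 max_queues, be16 curr, then curr - 1
 * be32 tx_waiting values (all tx).  Never writes more than cap bytes. */
static size_t build_state(uint8_t *buf, size_t cap, uint16_t curr, uint32_t tx)
{
    uint16_t hdr[2] = { MAX_QUEUES, curr };
    size_t o = 0;
    for (int k = 0; k < 2 && o + 2 <= cap; k++) {
        buf[o++] = (uint8_t)(hdr[k] >> 8); buf[o++] = (uint8_t)hdr[k];
    }
    for (int i = 1; i < curr && o + 4 <= cap; i++) {
        buf[o++] = (uint8_t)(tx >> 24); buf[o++] = (uint8_t)(tx >> 16);
        buf[o++] = (uint8_t)(tx >> 8);  buf[o++] = (uint8_t)tx;
    }
    return o;
}
struct result { int rc, clobbered; uint32_t word2; uint16_t curr; };
/* Fresh device with max_queues = 2, stream claiming curr queues, one load. */
static struct result demo(int (*load)(struct dev *, struct stream *), uint16_t curr)
{
    struct dev n = { MAX_QUEUES, 1, { 0 } };
    uint8_t buf[4 + 4 * N_SLOTS];
    struct stream s = { buf, build_state(buf, sizeof buf, curr, 0xDEADBEEFu), 0 };
    for (int i = MAX_QUEUES; i < N_SLOTS; i++)
        n.words[i] = CANARY;
    int rc = load(&n, &s);
    struct result r = { rc, canaries_clobbered(&n), n.words[MAX_QUEUES], n.curr_queues };
    return r;
}

int main(void)
{
    struct result bad = demo(load_unchecked, 3), good = demo(load_checked, 3);
    printf("unchecked: rc=%d clobbered=%d words[2]=%08x\n",
           bad.rc, bad.clobbered, (unsigned)bad.word2);
    printf("checked:   rc=%d clobbered=%d\n", good.rc, good.clobbered);
    return 0;
}
```

Build with `cc -std=c99 demo.c` and run. With a stream claiming curr_queues = 3 against max_queues = 2 (the commit message's example), load_unchecked stores the wire value 0xDEADBEEF into the word just past vqs[], while load_checked returns -1 before any write. A curr_queues of 0 still passes the added check and is stored in the device state; the patch does not address that case.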
- [Qemu-stable] [000/108] Patch Round-up for stable 2.0.1, freeze on 2014-08-12, Michael Roth, 2014/08/06
- [Qemu-stable] [PATCH 002/108] hw/net/stellaris_enet: Correct handling of packet padding, Michael Roth, 2014/08/06
- [Qemu-stable] [PATCH 001/108] hw/net/stellaris_enet: Restructure tx_fifo code to avoid buffer overrun, Michael Roth, 2014/08/06
- [Qemu-stable] [PATCH 004/108] vmstate: add VMS_MUST_EXIST, Michael Roth, 2014/08/06
- [Qemu-stable] [PATCH 003/108] vmstate: reduce code duplication, Michael Roth, 2014/08/06
- [Qemu-stable] [PATCH 009/108] ahci: fix buffer overrun on invalid state load, Michael Roth, 2014/08/06
- [Qemu-stable] [PATCH 006/108] virtio-net: fix buffer overflow on invalid state load, Michael Roth, 2014/08/06
- [Qemu-stable] [PATCH 007/108] virtio-net: out-of-bounds buffer write on invalid state load, Michael Roth <=
- [Qemu-stable] [PATCH 005/108] vmstate: add VMSTATE_VALIDATE, Michael Roth, 2014/08/06
- [Qemu-stable] [PATCH 011/108] hw/pci/pcie_aer.c: fix buffer overruns on invalid state load, Michael Roth, 2014/08/06
- [Qemu-stable] [PATCH 010/108] hpet: fix buffer overrun on invalid state load, Michael Roth, 2014/08/06
- [Qemu-stable] [PATCH 008/108] virtio-net: out-of-bounds buffer write on load, Michael Roth, 2014/08/06
- [Qemu-stable] [PATCH 013/108] vmstate: fix buffer overflow in target-arm/machine.c, Michael Roth, 2014/08/06
- [Qemu-stable] [PATCH 012/108] pl022: fix buffer overun on invalid state load, Michael Roth, 2014/08/06
- [Qemu-stable] [PATCH 015/108] virtio: validate num_sg when mapping, Michael Roth, 2014/08/06
- [Qemu-stable] [PATCH 017/108] pxa2xx: avoid buffer overrun on incoming migration, Michael Roth, 2014/08/06
- [Qemu-stable] [PATCH 020/108] tsc210x: fix buffer overrun on invalid state load, Michael Roth, 2014/08/06
- [Qemu-stable] [PATCH 019/108] ssd0323: fix buffer overun on invalid state load, Michael Roth, 2014/08/06