dcavalca / rpms / qemu

Forked from rpms/qemu a year ago
Clone

Blame 0012-virtio-avoid-buffer-overrun-on-incoming-migration.patch

70114f
From 9b5cc034e1ed5b2ebc133029d4f865f186c6b895 Mon Sep 17 00:00:00 2001
70114f
From: Michael Roth <mdroth@linux.vnet.ibm.com>
70114f
Date: Thu, 3 Apr 2014 19:51:46 +0300
70114f
Subject: [PATCH] virtio: avoid buffer overrun on incoming migration
70114f
70114f
CVE-2013-6399
70114f
70114f
vdev->queue_sel is read from the wire, and later used in the
70114f
emulation code as an index into vdev->vq[]. If the value of
70114f
vdev->queue_sel exceeds the length of vdev->vq[], currently
70114f
allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO
70114f
operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun
70114f
the buffer with arbitrary data originating from the source.
70114f
70114f
Fix this by failing migration if the value from the wire exceeds
70114f
VIRTIO_PCI_QUEUE_MAX.
70114f
70114f
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
70114f
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
70114f
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
70114f
Signed-off-by: Juan Quintela <quintela@redhat.com>
70114f
(cherry picked from commit 4b53c2c72cb5541cf394033b528a6fe2a86c0ac1)
70114f
---
70114f
 hw/virtio/virtio.c | 3 +++
70114f
 1 file changed, 3 insertions(+)
70114f
70114f
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
70114f
index 05f05e7..0072542 100644
70114f
--- a/hw/virtio/virtio.c
70114f
+++ b/hw/virtio/virtio.c
70114f
@@ -907,6 +907,9 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
70114f
     qemu_get_8s(f, &vdev->status);
70114f
     qemu_get_8s(f, &vdev->isr);
70114f
     qemu_get_be16s(f, &vdev->queue_sel);
70114f
+    if (vdev->queue_sel >= VIRTIO_PCI_QUEUE_MAX) {
70114f
+        return -1;
70114f
+    }
70114f
     qemu_get_be32s(f, &features);
70114f
 
70114f
     if (virtio_set_features(vdev, features) < 0) {