peterdelevoryas / rpms / qemu

Forked from rpms/qemu 2 years ago
Clone

Blame 0023-virtio-net-out-of-bounds-buffer-write-on-load.patch

70114f
From 1a29e58f9f23846d0e105a3157629786fc624f65 Mon Sep 17 00:00:00 2001
70114f
From: "Michael S. Tsirkin" <mst@redhat.com>
70114f
Date: Mon, 28 Apr 2014 16:08:21 +0300
70114f
Subject: [PATCH] virtio-net: out-of-bounds buffer write on load
70114f
70114f
CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in
70114f
virtio_net_load()@hw/net/virtio-net.c
70114f
70114f
>         } else if (n->mac_table.in_use) {
70114f
>             uint8_t *buf = g_malloc0(n->mac_table.in_use);
70114f
70114f
We are allocating buffer of size n->mac_table.in_use
70114f
70114f
>             qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);
70114f
70114f
and read to the n->mac_table.in_use size buffer n->mac_table.in_use *
70114f
ETH_ALEN bytes, corrupting memory.
70114f
70114f
If adversary controls state then memory written there is controlled
70114f
by adversary.
70114f
70114f
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
70114f
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
70114f
Signed-off-by: Juan Quintela <quintela@redhat.com>
70114f
(cherry picked from commit 98f93ddd84800f207889491e0b5d851386b459cf)
70114f
---
70114f
 hw/net/virtio-net.c | 15 +++++++++++----
70114f
 1 file changed, 11 insertions(+), 4 deletions(-)
70114f
70114f
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
70114f
index 0a8cb40..940a7cf 100644
70114f
--- a/hw/net/virtio-net.c
70114f
+++ b/hw/net/virtio-net.c
70114f
@@ -1362,10 +1362,17 @@ static int virtio_net_load(QEMUFile *f, void *opaque, int version_id)
70114f
         if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) {
70114f
             qemu_get_buffer(f, n->mac_table.macs,
70114f
                             n->mac_table.in_use * ETH_ALEN);
70114f
-        } else if (n->mac_table.in_use) {
70114f
-            uint8_t *buf = g_malloc0(n->mac_table.in_use);
70114f
-            qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);
70114f
-            g_free(buf);
70114f
+        } else {
70114f
+            int64_t i;
70114f
+
70114f
+            /* Overflow detected - can happen if source has a larger MAC table.
70114f
+             * We simply set overflow flag so there's no need to maintain the
70114f
+             * table of addresses, discard them all.
70114f
+             * Note: 64 bit math to avoid integer overflow.
70114f
+             */
70114f
+            for (i = 0; i < (int64_t)n->mac_table.in_use * ETH_ALEN; ++i) {
70114f
+                qemu_get_byte(f);
70114f
+            }
70114f
             n->mac_table.multi_overflow = n->mac_table.uni_overflow = 1;
70114f
             n->mac_table.in_use = 0;
70114f
         }