thebeanogamer / rpms / qemu-kvm

Forked from rpms/qemu-kvm 5 months ago
Clone
Blob Blame History Raw
From 89ada787b7d4c950c8bf95932c8c420d90c31c3c Mon Sep 17 00:00:00 2001
From: Michael S. Tsirkin <mst@redhat.com>
Date: Wed, 14 May 2014 08:33:08 +0200
Subject: [PATCH 16/31] virtio: validate num_sg when mapping
RH-Author: Michael S. Tsirkin <mst@redhat.com>
Message-id: <1400056377-6802-1-git-send-email-mst@redhat.com>
Patchwork-id: 58862
O-Subject: [PATCH qemu-kvm RHEL7.1 1/2] virtio: validate num_sg when mapping
Bugzilla: 1095766
RH-Acked-by: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
RH-Acked-by: Xiao Wang <jasowang@redhat.com>
RH-Acked-by: Amos Kong <akong@redhat.com>
CVE-2013-4535
CVE-2013-4536
Both virtio-block and virtio-serial read,
VirtQueueElements are read in as buffers, and passed to
virtqueue_map_sg(), where num_sg is taken from the wire and can force
writes to indicies beyond VIRTQUEUE_MAX_SIZE.
To fix, validate num_sg.
Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Cc: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 36cf2a37132c7f01fa9adb5f95f5312b27742fd4)
Tested: lightly on developer's box
Brew build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7452039
Bugzilla:1095766
---
hw/virtio/virtio.c | 6 ++++++
1 file changed, 6 insertions(+)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
hw/virtio/virtio.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 686dfbb..2667390 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -423,6 +423,12 @@ void virtqueue_map_sg(struct iovec *sg, hwaddr *addr,
unsigned int i;
hwaddr len;
+ if (num_sg >= VIRTQUEUE_MAX_SIZE) {
+ error_report("virtio: map attempt out of bounds: %zd > %d",
+ num_sg, VIRTQUEUE_MAX_SIZE);
+ exit(1);
+ }
+
for (i = 0; i < num_sg; i++) {
len = sg[i].iov_len;
sg[i].iov_base = cpu_physical_memory_map(addr[i], &len, is_write);
--
1.7.1