yeahuh / rpms / qemu-kvm

Forked from rpms/qemu-kvm 2 years ago
Clone

Blame SOURCES/kvm-virtio-avoid-buffer-overrun-on-incoming-migration.patch

eb5a2f
From d1ada486bbdecd785762a192eae716a3484d4f16 Mon Sep 17 00:00:00 2001
eb5a2f
From: Michael S. Tsirkin <mst@redhat.com>
eb5a2f
Date: Wed, 14 May 2014 08:07:52 +0200
eb5a2f
Subject: [PATCH 05/30] virtio: avoid buffer overrun on incoming migration
eb5a2f
eb5a2f
RH-Author: Michael S. Tsirkin <mst@redhat.com>
eb5a2f
Message-id: <1400054498-4366-10-git-send-email-mst@redhat.com>
eb5a2f
Patchwork-id: 58843
eb5a2f
O-Subject: [PATCH qemu-kvm RHEL7.0] virtio: avoid buffer overrun on incoming migration
eb5a2f
Bugzilla: 1095737
eb5a2f
RH-Acked-by: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
eb5a2f
RH-Acked-by: Xiao Wang <jasowang@redhat.com>
eb5a2f
RH-Acked-by: Amos Kong <akong@redhat.com>
eb5a2f
eb5a2f
CVE-2013-6399
eb5a2f
eb5a2f
vdev->queue_sel is read from the wire, and later used in the
eb5a2f
emulation code as an index into vdev->vq[]. If the value of
eb5a2f
vdev->queue_sel exceeds the length of vdev->vq[], currently
eb5a2f
allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO
eb5a2f
operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun
eb5a2f
the buffer with arbitrary data originating from the source.
eb5a2f
eb5a2f
Fix this by failing migration if the value from the wire exceeds
eb5a2f
VIRTIO_PCI_QUEUE_MAX.
eb5a2f
eb5a2f
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
eb5a2f
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
eb5a2f
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
eb5a2f
Signed-off-by: Juan Quintela <quintela@redhat.com>
eb5a2f
(cherry picked from commit 4b53c2c72cb5541cf394033b528a6fe2a86c0ac1)
eb5a2f
eb5a2f
Tested: lightly on developer's box
eb5a2f
Brew build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7450401
eb5a2f
Bugzilla:1095737
eb5a2f
---
eb5a2f
 hw/virtio/virtio.c | 3 +++
eb5a2f
 1 file changed, 3 insertions(+)
eb5a2f
eb5a2f
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
eb5a2f
---
eb5a2f
 hw/virtio/virtio.c |    3 +++
eb5a2f
 1 files changed, 3 insertions(+), 0 deletions(-)
eb5a2f
eb5a2f
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
eb5a2f
index 070d64e..9600a12 100644
eb5a2f
--- a/hw/virtio/virtio.c
eb5a2f
+++ b/hw/virtio/virtio.c
eb5a2f
@@ -867,6 +867,9 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
eb5a2f
     qemu_get_8s(f, &vdev->status);
eb5a2f
     qemu_get_8s(f, &vdev->isr);
eb5a2f
     qemu_get_be16s(f, &vdev->queue_sel);
eb5a2f
+    if (vdev->queue_sel >= VIRTIO_PCI_QUEUE_MAX) {
eb5a2f
+        return -1;
eb5a2f
+    }
eb5a2f
     qemu_get_be32s(f, &features);
eb5a2f
 
eb5a2f
     if (virtio_set_features(vdev, features) < 0) {
eb5a2f
-- 
eb5a2f
1.7.1
eb5a2f