|
 |
958e1b |
From 790375122726ecafec569bb31bbc68df7400f3b9 Mon Sep 17 00:00:00 2001
|
|
|
eb5a2f |
From: Michael S. Tsirkin <mst@redhat.com>
|
|
|
958e1b |
Date: Wed, 14 May 2014 08:32:06 +0200
|
|
|
958e1b |
Subject: [PATCH 13/31] virtio: avoid buffer overrun on incoming migration
|
|
|
eb5a2f |
|
|
|
eb5a2f |
RH-Author: Michael S. Tsirkin <mst@redhat.com>
|
|
|
958e1b |
Message-id: <1400056285-6688-10-git-send-email-mst@redhat.com>
|
|
|
958e1b |
Patchwork-id: 58859
|
|
|
958e1b |
O-Subject: [PATCH qemu-kvm RHEL7.1] virtio: avoid buffer overrun on incoming migration
|
|
|
958e1b |
Bugzilla: 1095738
|
|
|
eb5a2f |
RH-Acked-by: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
|
|
|
eb5a2f |
RH-Acked-by: Xiao Wang <jasowang@redhat.com>
|
|
|
eb5a2f |
RH-Acked-by: Amos Kong <akong@redhat.com>
|
|
|
eb5a2f |
|
|
|
eb5a2f |
CVE-2013-6399
|
|
|
eb5a2f |
|
|
|
eb5a2f |
vdev->queue_sel is read from the wire, and later used in the
|
|
|
eb5a2f |
emulation code as an index into vdev->vq[]. If the value of
|
|
|
eb5a2f |
vdev->queue_sel exceeds the length of vdev->vq[], currently
|
|
|
eb5a2f |
allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO
|
|
|
eb5a2f |
operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun
|
|
|
eb5a2f |
the buffer with arbitrary data originating from the source.
|
|
|
eb5a2f |
|
|
|
eb5a2f |
Fix this by failing migration if the value from the wire exceeds
|
|
|
eb5a2f |
VIRTIO_PCI_QUEUE_MAX.
|
|
|
eb5a2f |
|
|
|
eb5a2f |
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
|
|
|
eb5a2f |
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
|
|
eb5a2f |
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
|
|
|
eb5a2f |
Signed-off-by: Juan Quintela <quintela@redhat.com>
|
|
|
eb5a2f |
(cherry picked from commit 4b53c2c72cb5541cf394033b528a6fe2a86c0ac1)
|
|
|
eb5a2f |
|
|
|
eb5a2f |
Tested: lightly on developer's box
|
|
|
958e1b |
Brew build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7452039
|
|
|
958e1b |
Bugzilla:1095738
|
|
|
eb5a2f |
---
|
|
|
eb5a2f |
hw/virtio/virtio.c | 3 +++
|
|
|
eb5a2f |
1 file changed, 3 insertions(+)
|
|
|
eb5a2f |
|
|
|
eb5a2f |
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
|
eb5a2f |
---
|
|
|
eb5a2f |
hw/virtio/virtio.c | 3 +++
|
|
|
eb5a2f |
1 files changed, 3 insertions(+), 0 deletions(-)
|
|
|
eb5a2f |
|
|
|
eb5a2f |
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
|
|
|
eb5a2f |
index 070d64e..9600a12 100644
|
|
|
eb5a2f |
--- a/hw/virtio/virtio.c
|
|
|
eb5a2f |
+++ b/hw/virtio/virtio.c
|
|
|
eb5a2f |
@@ -867,6 +867,9 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
|
|
|
eb5a2f |
qemu_get_8s(f, &vdev->status);
|
|
|
eb5a2f |
qemu_get_8s(f, &vdev->isr);
|
|
|
eb5a2f |
qemu_get_be16s(f, &vdev->queue_sel);
|
|
|
eb5a2f |
+ if (vdev->queue_sel >= VIRTIO_PCI_QUEUE_MAX) {
|
|
|
eb5a2f |
+ return -1;
|
|
|
eb5a2f |
+ }
|
|
|
eb5a2f |
qemu_get_be32s(f, &features);
|
|
|
eb5a2f |
|
|
|
eb5a2f |
if (virtio_set_features(vdev, features) < 0) {
|
|
|
eb5a2f |
--
|
|
|
eb5a2f |
1.7.1
|
|
|
eb5a2f |
|