From acb67d9c43f3921861eebbabb447a85644e99320 Mon Sep 17 00:00:00 2001 From: Stefan Hajnoczi Date: Mon, 25 Jul 2016 12:55:36 +0200 Subject: [PATCH 2/2] virtio: error out if guest exceeds virtqueue size MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit RH-Author: Stefan Hajnoczi Message-id: <1469451336-20117-2-git-send-email-stefanha@redhat.com> Patchwork-id: 71428 O-Subject: [virt-devel] [RHEL-7.3 EMBARGOED qemu-kvm PATCH 1/1] virtio: error out if guest exceeds virtqueue size Bugzilla: 1359729 RH-Acked-by: Thomas Huth RH-Acked-by: Marc-André Lureau RH-Acked-by: Laszlo Ersek A broken or malicious guest can submit more requests than the virtqueue size permits. The guest can submit requests without bothering to wait for completion and is therefore not bound by virtqueue size. This requires reusing vring descriptors in more than one request, which is incorrect but possible. Processing a request allocates a VirtQueueElement and therefore causes unbounded memory allocation controlled by the guest. Exit with an error if the guest provides more requests than the virtqueue size permits. This bounds memory allocation and makes the buggy guest visible to the user. This patch fixes CVE-2016-5403. Signed-off-by: Stefan Hajnoczi Signed-off-by: Miroslav Rezanina --- hw/virtio/virtio.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c index 132b5af..a861870 100644 --- a/hw/virtio/virtio.c +++ b/hw/virtio/virtio.c @@ -452,6 +452,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem) max = vq->vring.num; + if (vq->inuse >= max) { + error_report("Virtqueue size exceeded"); + exit(1); + } + i = head = virtqueue_get_head(vq, vq->last_avail_idx++); if (vq->vdev->guest_features & (1 << VIRTIO_RING_F_EVENT_IDX)) { vring_avail_event(vq, vring_avail_idx(vq)); -- 1.8.3.1