From 9b5cc034e1ed5b2ebc133029d4f865f186c6b895 Mon Sep 17 00:00:00 2001 From: Michael Roth Date: Thu, 3 Apr 2014 19:51:46 +0300 Subject: [PATCH] virtio: avoid buffer overrun on incoming migration CVE-2013-6399 vdev->queue_sel is read from the wire, and later used in the emulation code as an index into vdev->vq[]. If the value of vdev->queue_sel exceeds the length of vdev->vq[], currently allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun the buffer with arbitrary data originating from the source. Fix this by failing migration if the value from the wire exceeds VIRTIO_PCI_QUEUE_MAX. Signed-off-by: Michael Roth Signed-off-by: Michael S. Tsirkin Reviewed-by: Peter Maydell Signed-off-by: Juan Quintela (cherry picked from commit 4b53c2c72cb5541cf394033b528a6fe2a86c0ac1) --- hw/virtio/virtio.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c index 05f05e7..0072542 100644 --- a/hw/virtio/virtio.c +++ b/hw/virtio/virtio.c @@ -907,6 +907,9 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f) qemu_get_8s(f, &vdev->status); qemu_get_8s(f, &vdev->isr); qemu_get_be16s(f, &vdev->queue_sel); + if (vdev->queue_sel >= VIRTIO_PCI_QUEUE_MAX) { + return -1; + } qemu_get_be32s(f, &features); if (virtio_set_features(vdev, features) < 0) {