[Qemu-devel] [PATCH 036/156] virtio-net: out-of-bounds buffer write on invalid state load

From: Michael Roth
Subject: [Qemu-devel] [PATCH 036/156] virtio-net: out-of-bounds buffer write on invalid state load
Date: Tue, 8 Jul 2014 12:17:07 -0500
From: "Michael S. Tsirkin" <address@hidden>
CVE-2013-4150 QEMU 1.5.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c
This code is in hw/net/virtio-net.c:
    if (n->max_queues > 1) {
        if (n->max_queues != qemu_get_be16(f)) {
            error_report("virtio-net: different max_queues ");
            return -1;
        }

        n->curr_queues = qemu_get_be16(f);
        for (i = 1; i < n->curr_queues; i++) {
            n->vqs[i].tx_waiting = qemu_get_be32(f);
        }
    }
The number of vqs is max_queues, so if we get invalid input here,
for example max_queues = 2 and curr_queues = 3, we get a write
beyond the end of the buffer, with data that comes from the wire.
This might be used to corrupt qemu memory in hard to predict ways.
Since we have lots of function pointers around, RCE might be possible.
Signed-off-by: Michael S. Tsirkin <address@hidden>
Acked-by: Jason Wang <address@hidden>
Reviewed-by: Michael Roth <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit eea750a5623ddac7a61982eec8f1c93481857578)
Signed-off-by: Michael Roth <address@hidden>
---
hw/net/virtio-net.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index ec96862..e00d1c0 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -1387,6 +1387,11 @@ static int virtio_net_load(QEMUFile *f, void *opaque,
int version_id)
}
n->curr_queues = qemu_get_be16(f);
+ if (n->curr_queues > n->max_queues) {
+ error_report("virtio-net: curr_queues %x > max_queues %x",
+ n->curr_queues, n->max_queues);
+ return -1;
+ }
for (i = 1; i < n->curr_queues; i++) {
n->vqs[i].tx_waiting = qemu_get_be32(f);
}
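Review bot: the new range check sits after n->curr_queues has already been assigned from the stream, so on the error path the device struct keeps the rejected value; returning -1 fails the load, but reading into a local and storing to n->curr_queues only after the comparison would keep the state consistent regardless of what the caller does next. A smaller point on the error_report line: both operands are queue counts, so %u would read more naturally than %x in the message. The check itself is sufficient for the loop that follows, since i < curr_queues <= max_queues keeps every vqs[i] access in range.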
--
1.9.1
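As an added example (not QEMU's code and not part of this patch), the following C models the load path the commit message describes and applies the same validation: the migration stream is a constructed byte buffer, and vnet_state, stream and load_queue_state are hypothetical names standing in for the QEMU structures.

```c
/* Added example, not QEMU code: a minimal model of the queue-state read in
 * virtio_net_load() with the bounds check from this patch. The names
 * vnet_state, stream and load_queue_state are hypothetical. */
#include <stdint.h>
#include <stdio.h>

#define VNET_MAX_QUEUES 2                    /* stands in for n->max_queues */
typedef struct { uint32_t tx_waiting; } vnet_vq;
typedef struct {
    uint16_t max_queues, curr_queues;
    vnet_vq vqs[VNET_MAX_QUEUES];            /* sized by max_queues, as in QEMU */
} vnet_state;

/* Stands in for QEMUFile: a bounded big-endian reader over a byte buffer. */
typedef struct { const uint8_t *p; size_t len, pos; } stream;

static int get_be16(stream *s, uint16_t *v) {
    if (s->len - s->pos < 2) return -1;      /* truncated stream */
    *v = (uint16_t)(s->p[s->pos] << 8 | s->p[s->pos + 1]);
    s->pos += 2;
    return 0;
}
static int get_be32(stream *s, uint32_t *v) {
    if (s->len - s->pos < 4) return -1;
    *v = (uint32_t)s->p[s->pos] << 24 | (uint32_t)s->p[s->pos + 1] << 16 |
         (uint32_t)s->p[s->pos + 2] << 8 | s->p[s->pos + 3];
    s->pos += 4;
    return 0;
}

/* Mirrors the patched logic: a count read from the untrusted migration
 * stream is validated before it is used as an array bound. Returns 0 on
 * success, -1 on a malformed or truncated stream. */
int load_queue_state(vnet_state *n, stream *s) {
    uint16_t v;
    if (get_be16(s, &v) || v != n->max_queues) return -1;  /* different max_queues */
    if (get_be16(s, &v)) return -1;
    if (v > n->max_queues) {                 /* the CVE-2013-4150 check */
        fprintf(stderr, "virtio-net: curr_queues %u > max_queues %u\n",
                v, n->max_queues);
        return -1;
    }
    n->curr_queues = v;                      /* store only once validated */
    for (uint16_t i = 1; i < n->curr_queues; i++)
        if (get_be32(s, &n->vqs[i].tx_waiting)) return -1;
    return 0;
}
```

The struct is left untouched when a stream is rejected, which is the property the reviewer cares about when the data comes from the other side of a migration.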