[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH v5 05/24] virtio-net: out-of-bounds buffer write
|
From: |
Peter Maydell |
|
Subject: |
Re: [Qemu-devel] [PATCH v5 05/24] virtio-net: out-of-bounds buffer write on load |
|
Date: |
Thu, 3 Apr 2014 18:26:32 +0100 |
On 3 April 2014 17:50, Michael S. Tsirkin <address@hidden> wrote:
> CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in
> virtio_net_load()@hw/net/virtio-net.c
>
>> } else if (n->mac_table.in_use) {
>> uint8_t *buf = g_malloc0(n->mac_table.in_use);
>
> We are allocating buffer of size n->mac_table.in_use
>
>> qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);
>
> and read to the n->mac_table.in_use size buffer n->mac_table.in_use *
> ETH_ALEN bytes, corrupting memory.
>
> If adversary controls state then memory written there is controlled
> by adversary.
>
> Reviewed-by: Michael Roth <address@hidden>
> Signed-off-by: Michael S. Tsirkin <address@hidden>
> ---
> hw/net/virtio-net.c | 14 ++++++++++----
> 1 file changed, 10 insertions(+), 4 deletions(-)
>
> diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
> index 439477b..c247529 100644
> --- a/hw/net/virtio-net.c
> +++ b/hw/net/virtio-net.c
> @@ -1362,10 +1362,16 @@ static int virtio_net_load(QEMUFile *f, void *opaque,
> int version_id)
> if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) {
> qemu_get_buffer(f, n->mac_table.macs,
> n->mac_table.in_use * ETH_ALEN);
> - } else if (n->mac_table.in_use) {
> - uint8_t *buf = g_malloc0(n->mac_table.in_use);
> - qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);
> - g_free(buf);
> + } else {
> + int i;
> +
> + /* Overflow detected - can happen if source has a larger MAC
> table.
> + * We simply set overflow flag so there's no need to maintain the
> + * table of addresses, discard them all.
> + */
> + for (i = 0; i < n->mac_table.in_use * ETH_ALEN; ++i) {
> + qemu_get_byte(f);
> + }
If the incoming data sets the in_use field to INT_MAX then
we get integer overflow on the multiply here. That's
undefined behaviour in C and we probably shouldn't allow
that to happen.
thanks
-- PMM
- [Qemu-devel] [PATCH v5 21/24] virtio-scsi: fix buffer overrun on invalid state load, (continued)
- [Qemu-devel] [PATCH v5 21/24] virtio-scsi: fix buffer overrun on invalid state load, Michael S. Tsirkin, 2014/04/03
- [Qemu-devel] [PATCH v5 20/24] zaurus: fix buffer overrun on invalid state load, Michael S. Tsirkin, 2014/04/03
- [Qemu-devel] [PATCH v5 22/24] vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/, Michael S. Tsirkin, 2014/04/03
- [Qemu-devel] [PATCH v5 06/24] virtio-net: out-of-bounds buffer write on invalid state load, Michael S. Tsirkin, 2014/04/03
- [Qemu-devel] [PATCH v5 23/24] usb: sanity check setup_index+setup_len in post_load, Michael S. Tsirkin, 2014/04/03
- [Qemu-devel] [PATCH v5 24/24] savevm: Ignore minimum_version_id_old if there is no load_state_old, Michael S. Tsirkin, 2014/04/03
- [Qemu-devel] [PATCH v5 07/24] virtio: out-of-bounds buffer write on invalid state load, Michael S. Tsirkin, 2014/04/03
- [Qemu-devel] [PATCH v5 05/24] virtio-net: out-of-bounds buffer write on load, Michael S. Tsirkin, 2014/04/03
- Re: [Qemu-devel] [PATCH v5 05/24] virtio-net: out-of-bounds buffer write on load,
Peter Maydell <=
- [Qemu-devel] [PATCH v5 04/24] virtio-net: fix buffer overflow on invalid state load, Michael S. Tsirkin, 2014/04/03
- [Qemu-devel] [PATCH v5 03/24] vmstate: add VMSTATE_VALIDATE, Michael S. Tsirkin, 2014/04/03
- Message not available