
From: Peter Maydell
Subject: Re: [Qemu-devel] [PATCH for-2.0] virtio-net: fix guest-triggerable buffer overrun
Date: Fri, 11 Apr 2014 16:38:42 +0100

On 11 April 2014 15:21, Michael Tokarev <address@hidden> wrote:
> 11.04.2014 16:18, Michael S. Tsirkin wrote:
>> When a VM guest programs multicast addresses for
>> a virtio net card, it supplies a 32-bit
>> entries counter for the number of addresses.
>> These addresses are read into the tail portion of
>> a fixed macs array, which has size MAC_TABLE_ENTRIES,
>> at offset equal to in_use.
>>
>> To avoid overflow of this array by guest, qemu attempts
>> to test the size as follows:
>> -    if (in_use + mac_data.entries <= MAC_TABLE_ENTRIES) {
>>
>> however, as mac_data.entries is uint32_t, this sum
>> can overflow, e.g. if in_use is 1 and mac_data.entries
>> is 0xffffffff then in_use + mac_data.entries will be 0.
>>
>> Qemu will then read the guest-supplied buffer into this
>> memory, overflowing the buffer on the heap.
>>
>> CVE-2014-0150
>>
>> Signed-off-by: Michael S. Tsirkin <address@hidden>
>
> Reviewed-by: Michael Tokarev <address@hidden>

Applied, thanks. (This is not the clearest code in the world
given we wait so late to validate the value from the guest
but it looks right to me.)

I added a cc: stable too.

-- PMM


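The wrapped addition described in the commit message, and one overflow-safe way to write the bound check, as a stand-alone C example added to this archive page. It is not code from QEMU or from the patch under discussion: MAC_TABLE_ENTRIES = 64, ETH_ALEN = 6, the MacTable/GuestMacData types and the function names are assumptions made for the example, and bound_check_fixed shows the general "compare against remaining capacity" form rather than claiming to be the exact line the applied patch uses.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed constants for this standalone example; QEMU's real definitions
 * are not shown on this page. */
#define MAC_TABLE_ENTRIES 64
#define ETH_ALEN 6

/* The guest-supplied count is a 32-bit field, as the commit message states. */
typedef struct {
    uint32_t entries;
} GuestMacData;

/* Fixed-size host-side table: in_use MACs already stored, new ones are
 * appended at offset in_use. */
typedef struct {
    int in_use;
    uint8_t macs[MAC_TABLE_ENTRIES * ETH_ALEN];
} MacTable;

/* Vulnerable bound check, in the shape the commit message quotes:
 *   in_use + mac_data.entries <= MAC_TABLE_ENTRIES
 * in_use is converted to uint32_t, the addition wraps modulo 2^32, and
 * in_use = 1, entries = 0xffffffff yields 0, which passes the test. */
static bool bound_check_vulnerable(int in_use, uint32_t entries)
{
    return (uint32_t)in_use + entries <= MAC_TABLE_ENTRIES;
}

/* Overflow-safe form: compare the untrusted value against the remaining
 * capacity instead of adding it. in_use is host-controlled and stays within
 * [0, MAC_TABLE_ENTRIES], so the subtraction cannot go negative; the guard
 * is kept so a corrupted in_use fails closed rather than underflowing. */
static bool bound_check_fixed(int in_use, uint32_t entries)
{
    if (in_use < 0 || in_use > MAC_TABLE_ENTRIES) {
        return false;
    }
    return entries <= (uint32_t)(MAC_TABLE_ENTRIES - in_use);
}

/* Hardened append: validates the count first, then requires that the guest
 * actually supplied entries * ETH_ALEN bytes before copying. Returns 0 on
 * success, -1 if the request is rejected; the table is untouched on -1. */
static int mac_table_append(MacTable *t, const GuestMacData *md,
                            const uint8_t *buf, size_t buf_len)
{
    if (!bound_check_fixed(t->in_use, md->entries)) {
        return -1;
    }
    /* md->entries <= MAC_TABLE_ENTRIES here, so this multiply cannot overflow. */
    size_t bytes = (size_t)md->entries * ETH_ALEN;
    if (bytes > buf_len) {
        return -1;
    }
    memcpy(t->macs + (size_t)t->in_use * ETH_ALEN, buf, bytes);
    t->in_use += (int)md->entries;
    return 0;
}

/* Scenario from the commit message: one entry already in use, then the
 * guest sends entries = 0xffffffff. Returns the final in_use after that
 * request is rejected and a legitimate two-entry request is applied. */
static int demo_sequence(void)
{
    MacTable t;
    memset(&t, 0, sizeof t);
    t.in_use = 1;

    /* Constructed guest payload: two MAC addresses, 12 bytes. */
    const uint8_t payload[2 * ETH_ALEN] = {
        0x52, 0x54, 0x00, 0x12, 0x34, 0x56,
        0x52, 0x54, 0x00, 0xab, 0xcd, 0xef,
    };

    GuestMacData hostile = { .entries = 0xffffffffu };
    if (mac_table_append(&t, &hostile, payload, sizeof payload) == 0) {
        return -1; /* would have been the heap overrun; must not happen */
    }

    GuestMacData legit = { .entries = 2 };
    if (mac_table_append(&t, &legit, payload, sizeof payload) != 0) {
        return -2;
    }
    return t.in_use; /* 1 existing + 2 appended = 3 */
}

int main(void)
{
    printf("vulnerable check, in_use=1 entries=0xffffffff: %s\n",
           bound_check_vulnerable(1, 0xffffffffu) ? "PASSES (bug)" : "rejects");
    printf("fixed check,      in_use=1 entries=0xffffffff: %s\n",
           bound_check_fixed(1, 0xffffffffu) ? "passes" : "rejects");
    printf("demo_sequence() -> in_use = %d\n", demo_sequence());
    return 0;
}
```

The point of the two-check comparison is that a guest-controlled 32-bit count must never be an operand of the addition whose result is then range-checked; subtracting the trusted term from the limit and comparing the untrusted value against the remainder is the form that cannot wrap. The append routine also shows the second check a reviewer would want next to the count check: the number of bytes actually available from the guest.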
