[v5,05/24] virtio-net: out-of-bounds buffer write on load

Message ID	1396543778-22307-6-git-send-email-mst@redhat.com
State	New
Headers	show Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org> Date: Thu, 3 Apr 2014 19:50:43 +0300 From: "Michael S. Tsirkin" <mst@redhat.com> To: qemu-devel@nongnu.org Message-ID: <1396543778-22307-6-git-send-email-mst@redhat.com> References: <1396543778-22307-1-git-send-email-mst@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1396543778-22307-1-git-send-email-mst@redhat.com> Cc: Peter Maydell <peter.maydell@linaro.org>, qemu-stable@nongnu.org, dgilbert@redhat.com, Anthony Liguori <aliguori@amazon.com>, mdroth@linux.vnet.ibm.com Subject: [Qemu-devel] [PATCH v5 05/24] virtio-net: out-of-bounds buffer write on load Precedence: list Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org

Message ID

1396543778-22307-6-git-send-email-mst@redhat.com

State

New

Headers

Date: Thu, 3 Apr 2014 19:50:43 +0300
From: "Michael S. Tsirkin" <mst@redhat.com>
To: qemu-devel@nongnu.org
Message-ID: <1396543778-22307-6-git-send-email-mst@redhat.com>
References: <1396543778-22307-1-git-send-email-mst@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1396543778-22307-1-git-send-email-mst@redhat.com>
Cc: Peter Maydell <peter.maydell@linaro.org>, qemu-stable@nongnu.org,
	dgilbert@redhat.com, Anthony Liguori <aliguori@amazon.com>,
	mdroth@linux.vnet.ibm.com
Subject: [Qemu-devel] [PATCH v5 05/24] virtio-net: out-of-bounds buffer
	write on load
Precedence: list
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org

Commit Message

Michael S. Tsirkin April 3, 2014, 4:50 p.m. UTC

CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c

>         } else if (n->mac_table.in_use) {
>             uint8_t *buf = g_malloc0(n->mac_table.in_use);

We are allocating buffer of size n->mac_table.in_use

>             qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);

and read to the n->mac_table.in_use size buffer n->mac_table.in_use *
ETH_ALEN bytes, corrupting memory.

If adversary controls state then memory written there is controlled
by adversary.

Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
 hw/net/virtio-net.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

Comments

Peter Maydell April 3, 2014, 5:26 p.m. UTC | #1

On 3 April 2014 17:50, Michael S. Tsirkin <mst@redhat.com> wrote:
> CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in
> virtio_net_load()@hw/net/virtio-net.c
>
>>         } else if (n->mac_table.in_use) {
>>             uint8_t *buf = g_malloc0(n->mac_table.in_use);
>
> We are allocating buffer of size n->mac_table.in_use
>
>>             qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);
>
> and read to the n->mac_table.in_use size buffer n->mac_table.in_use *
> ETH_ALEN bytes, corrupting memory.
>
> If adversary controls state then memory written there is controlled
> by adversary.
>
> Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> ---
>  hw/net/virtio-net.c | 14 ++++++++++----
>  1 file changed, 10 insertions(+), 4 deletions(-)
>
> diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
> index 439477b..c247529 100644
> --- a/hw/net/virtio-net.c
> +++ b/hw/net/virtio-net.c
> @@ -1362,10 +1362,16 @@ static int virtio_net_load(QEMUFile *f, void *opaque, int version_id)
>          if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) {
>              qemu_get_buffer(f, n->mac_table.macs,
>                              n->mac_table.in_use * ETH_ALEN);
> -        } else if (n->mac_table.in_use) {
> -            uint8_t *buf = g_malloc0(n->mac_table.in_use);
> -            qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);
> -            g_free(buf);
> +        } else {
> +            int i;
> +
> +            /* Overflow detected - can happen if source has a larger MAC table.
> +             * We simply set overflow flag so there's no need to maintain the
> +             * table of addresses, discard them all.
> +             */
> +            for (i = 0; i < n->mac_table.in_use * ETH_ALEN; ++i) {
> +                qemu_get_byte(f);
> +            }

If the incoming data sets the in_use field to INT_MAX then
we get integer overflow on the multiply here. That's
undefined behaviour in C and we probably shouldn't allow
that to happen.

thanks
-- PMM

diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index 439477b..c247529 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -1362,10 +1362,16 @@  static int virtio_net_load(QEMUFile *f, void *opaque, int version_id)
         if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) {
             qemu_get_buffer(f, n->mac_table.macs,
                             n->mac_table.in_use * ETH_ALEN);
-        } else if (n->mac_table.in_use) {
-            uint8_t *buf = g_malloc0(n->mac_table.in_use);
-            qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);
-            g_free(buf);
+        } else {
+            int i;
+
+            /* Overflow detected - can happen if source has a larger MAC table.
+             * We simply set overflow flag so there's no need to maintain the
+             * table of addresses, discard them all.
+             */
+            for (i = 0; i < n->mac_table.in_use * ETH_ALEN; ++i) {
+                qemu_get_byte(f);
+            }
             n->mac_table.multi_overflow = n->mac_table.uni_overflow = 1;
             n->mac_table.in_use = 0;
         }

[v5,05/24] virtio-net: out-of-bounds buffer write on load

Commit Message

Comments

Patch