Patchwork virtio: fix indirect descriptor buffer overflow

login
register
mail settings
Submitter Michael S. Tsirkin
Date July 11, 2011, 1:55 p.m.
Message ID <20110711135542.GA23769@redhat.com>
Download mbox | patch
Permalink /patch/104215/
State New
Headers show

Comments

Michael S. Tsirkin - July 11, 2011, 1:55 p.m.
We were previously allowing arbitrarily-long indirect descriptors, which
could lead to a buffer overflow in qemu-kvm process.

CVE-2011-2212

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
 hw/virtio.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

Patch

diff --git a/hw/virtio.c b/hw/virtio.c
index e6043de..8a6f38c 100644
--- a/hw/virtio.c
+++ b/hw/virtio.c
@@ -449,9 +449,17 @@  int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem)
         struct iovec *sg;
 
         if (vring_desc_flags(desc_pa, i) & VRING_DESC_F_WRITE) {
+            if (elem->in_num >= ARRAY_SIZE(elem->in_sg)) {
+                error_report("Too many write descriptors in indirect table");
+                exit(1);
+            }
             elem->in_addr[elem->in_num] = vring_desc_addr(desc_pa, i);
             sg = &elem->in_sg[elem->in_num++];
         } else {
+            if (elem->out_num >= ARRAY_SIZE(elem->out_sg)) {
+                error_report("Too many read descriptors in indirect table");
+                exit(1);
+            }
             elem->out_addr[elem->out_num] = vring_desc_addr(desc_pa, i);
             sg = &elem->out_sg[elem->out_num++];
         }