Message ID | 1396275242-10810-17-git-send-email-mst@redhat.com |
---|---|
State | New |
Headers | show |
On 31 March 2014 15:16, Michael S. Tsirkin <mst@redhat.com> wrote: > From: Michael Roth <mdroth@linux.vnet.ibm.com> > > CVE-2013-6399 > > vdev->queue_sel is read from the wire, and later used in the > emulation code as an index into vdev->vq[]. If the value of > vdev->queue_sel exceeds the length of vdev->vq[], currently > allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO > operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun > the buffer with arbitrary data originating from the source. > > Fix this by failing migration if the value from the wire exceeds > VIRTIO_PCI_QUEUE_MAX. > > Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> > Signed-off-by: Michael S. Tsirkin <mst@redhat.com> > --- > hw/virtio/virtio.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c > index 9008430..bcbfbb2 100644 > --- a/hw/virtio/virtio.c > +++ b/hw/virtio/virtio.c > @@ -907,6 +907,9 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f) > qemu_get_8s(f, &vdev->status); > qemu_get_8s(f, &vdev->isr); > qemu_get_be16s(f, &vdev->queue_sel); > + if (vdev->queue_sel >= VIRTIO_PCI_QUEUE_MAX) { > + return -1; > + } > qemu_get_be32s(f, &features); > > if (virtio_set_features(vdev, features) < 0) { Reviewed-by: Peter Maydell <peter.maydell@linaro.org> We should probably rename VIRTIO_PCI_QUEUE_MAX at some point -- it's not PCI transport specific. thanks -- PMM
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c index 9008430..bcbfbb2 100644 --- a/hw/virtio/virtio.c +++ b/hw/virtio/virtio.c @@ -907,6 +907,9 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f) qemu_get_8s(f, &vdev->status); qemu_get_8s(f, &vdev->isr); qemu_get_be16s(f, &vdev->queue_sel); + if (vdev->queue_sel >= VIRTIO_PCI_QUEUE_MAX) { + return -1; + } qemu_get_be32s(f, &features); if (virtio_set_features(vdev, features) < 0) {