[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH 057/156] virtio: validate config_len on load
From: |
Michael Roth |
Subject: |
[Qemu-devel] [PATCH 057/156] virtio: validate config_len on load |
Date: |
Tue, 8 Jul 2014 12:17:28 -0500 |
From: "Michael S. Tsirkin" <address@hidden>
Malformed input can have config_len in migration stream
exceed the array size allocated on destination, the
result will be heap overflow.
To fix, that config_len matches on both sides.
CVE-2014-0182
Reported-by: "Dr. David Alan Gilbert" <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
--
v2: use %ix and %zx to print config_len values
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit a890a2f9137ac3cf5b607649e66a6f3a5512d8dc)
Signed-off-by: Michael Roth <address@hidden>
---
hw/virtio/virtio.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index c2c9b5a..151fae9 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -895,6 +895,7 @@ int virtio_set_features(VirtIODevice *vdev, uint32_t val)
int virtio_load(VirtIODevice *vdev, QEMUFile *f)
{
int i, ret;
+ int32_t config_len;
uint32_t num;
uint32_t features;
uint32_t supported_features;
@@ -921,7 +922,12 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
features, supported_features);
return -1;
}
- vdev->config_len = qemu_get_be32(f);
+ config_len = qemu_get_be32(f);
+ if (config_len != vdev->config_len) {
+ error_report("Unexpected config length 0x%x. Expected 0x%zx",
+ config_len, vdev->config_len);
+ return -1;
+ }
qemu_get_buffer(f, vdev->config, vdev->config_len);
num = qemu_get_be32(f);
--
1.9.1
- Re: [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14, (continued)
- Re: [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14, Dr. David Alan Gilbert, 2014/07/09
- [Qemu-devel] [PATCH 066/156] virtio: allow mapping up to max queue size, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 083/156] vpc: Validate block size (CVE-2014-0142), Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 078/156] bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147), Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 151/156] nbd: Shutdown socket before closing., Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 047/156] virtio: validate num_sg when mapping, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 117/156] qcow1: Check maximum cluster size, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 016/156] hw/net/stellaris_enet: Correct handling of packet padding, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 026/156] po/Makefile: fix $SRC_PATH reference, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 120/156] qcow1: Stricter backing file length check, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 057/156] virtio: validate config_len on load,
Michael Roth <=
- [Qemu-devel] [PATCH 155/156] hw: Fix qemu_allocate_irqs() leaks, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 100/156] qcow2: Protect against some integer overflows in bdrv_check, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 069/156] qemu-iotests: add ./check -cloop support, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 050/156] ssd0323: fix buffer overun on invalid state load, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 073/156] block/cloop: refuse images with huge offsets arrays (CVE-2014-0144), Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 143/156] KVM: Fix GSI number space limit, Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 049/156] ssi-sd: fix buffer overrun on invalid state load, Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 109/156] block: Limit request size (CVE-2014-0143), Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 095/156] qcow2: Zero-initialise first cluster for new images, Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 108/156] dmg: prevent chunk buffer overflow (CVE-2014-0145), Michael Roth, 2014/07/10