From: Michael S. Tsirkin
Subject: [Qemu-devel] [PATCH v4 06/30] virtio-net: out-of-bounds buffer write on invalid state load
Date: Mon, 31 Mar 2014 17:16:24 +0300
CVE-2013-4150 QEMU 1.5.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c
This code is in hw/net/virtio-net.c:

    if (n->max_queues > 1) {
        if (n->max_queues != qemu_get_be16(f)) {
            error_report("virtio-net: different max_queues ");
            return -1;
        }

        n->curr_queues = qemu_get_be16(f);
        for (i = 1; i < n->curr_queues; i++) {
            n->vqs[i].tx_waiting = qemu_get_be32(f);
        }
    }
The number of vqs is max_queues, so if we get invalid input here,
for example max_queues = 2, curr_queues = 3, we get a write beyond
the end of the buffer, with data that comes from the wire.

This might be used to corrupt qemu memory in hard-to-predict ways.
Since we have lots of function pointers around, RCE might be possible.
Signed-off-by: Michael S. Tsirkin <address@hidden>
Acked-by: Jason Wang <address@hidden>
Reviewed-by: Michael Roth <address@hidden>
---
hw/net/virtio-net.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index 8d037b1..c811fbd 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -1413,6 +1413,11 @@ static int virtio_net_load(QEMUFile *f, void *opaque,
int version_id)
}
n->curr_queues = qemu_get_be16(f);
+ if (n->curr_queues > n->max_queues) {
+ error_report("virtio-net: curr_queues %x > max_queues %x",
+ n->curr_queues, n->max_queues);
+ return -1;
+ }
for (i = 1; i < n->curr_queues; i++) {
n->vqs[i].tx_waiting = qemu_get_be32(f);
}
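Review bot: the bound is the right one for this loop: with `i < n->curr_queues` the highest index written is `curr_queues - 1`, so `curr_queues == max_queues` is correctly allowed (the commit message says vqs has `max_queues` entries) and only strictly larger values are rejected. Two smaller points: `%x` prints the two queue counts in hex, which is odd for small counts and easy to misread against decimal values, so `%u` would be clearer; and the check still accepts `curr_queues == 0` (the loop then does nothing), so if later code relies on a non-zero `curr_queues`, that needs its own validation outside this hunk.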
--
MST
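A compilable model of the fixed load path, added here as an example and not part of the patch or of QEMU: a constructed big-endian byte stream stands in for QEMUFile, `load_multiqueue()` mirrors the hunk above with the new bound check, and `load_from_stream()` drives it with the max_queues = 2, curr_queues = 3 input from the commit message, which is now rejected before the loop can index past the last queue. The `Stream` type, `MAX_VQS`, `get_be16()`/`get_be32()` and `load_from_stream()` are assumptions of this example, not QEMU code.

```c
#include <stdint.h>
#include <stdio.h>
#define MAX_VQS 4  /* constructed cap; real QEMU sizes vqs[] by max_queues */

/* Constructed stand-in for QEMUFile: a big-endian byte buffer with a read
 * cursor. Reads past the end yield 0 (a simplification, not QEMU behaviour). */
typedef struct { const uint8_t *p; size_t len, pos; } Stream;
static uint8_t  get_u8(Stream *s)   { return s->pos < s->len ? s->p[s->pos++] : 0; }
static uint16_t get_be16(Stream *s) { uint16_t v = get_u8(s); return (v << 8) | get_u8(s); }
static uint32_t get_be32(Stream *s) { uint32_t v = get_be16(s); return (v << 16) | get_be16(s); }

typedef struct { uint32_t tx_waiting; } VirtIONetQueue;
typedef struct { uint16_t max_queues, curr_queues; VirtIONetQueue vqs[MAX_VQS]; } VirtIONet;

/* Mirrors the multiqueue part of the fixed virtio_net_load(): the bound check
 * runs before the loop uses curr_queues, read from the stream, as an index. */
static int load_multiqueue(VirtIONet *n, Stream *f)
{
    if (n->max_queues > 1) {
        if (n->max_queues != get_be16(f)) {
            fprintf(stderr, "virtio-net: different max_queues\n");
            return -1;
        }
        n->curr_queues = get_be16(f);
        if (n->curr_queues > n->max_queues) {   /* the CVE-2013-4150 fix */
            fprintf(stderr, "virtio-net: curr_queues %u > max_queues %u\n",
                    n->curr_queues, n->max_queues);
            return -1;
        }
        for (int i = 1; i < n->curr_queues; i++) {
            n->vqs[i].tx_waiting = get_be32(f);   /* highest index: curr_queues - 1 */
        }
    }
    return 0;
}

/* Builds a constructed stream (be16 max_queues, be16 curr_queues, then a be32
 * tx_waiting per slot), loads it into a device with maxq queues, and returns
 * load_multiqueue()'s result; the resulting device state lands in *out. */
int load_from_stream(uint16_t maxq, uint16_t curq, uint32_t tx, VirtIONet *out)
{
    uint8_t buf[4 + 4 * MAX_VQS], *b = buf;
    *b++ = maxq >> 8; *b++ = maxq & 0xff; *b++ = curq >> 8; *b++ = curq & 0xff;
    for (int i = 0; i < MAX_VQS; i++) {
        *b++ = tx >> 24; *b++ = tx >> 16; *b++ = tx >> 8; *b++ = tx & 0xff;
    }
    VirtIONet n = { .max_queues = maxq };
    Stream s = { buf, (size_t)(b - buf), 0 };
    int rc = load_multiqueue(&n, &s);
    *out = n;
    return rc;
}
```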