From: Michael Tokarev <mjt@tls.msk.ru>
To: qemu-devel <qemu-devel@nongnu.org>,
"Michael S. Tsirkin" <mst@redhat.com>
Subject: [Qemu-devel] CVE-2011-2212: has it been actually fixed?
Date: Sat, 07 Jul 2012 17:37:58 +0400 [thread overview]
Message-ID: <4FF83BB6.6080304@msgid.tls.msk.ru> (raw)
I come across a patch in ububtu qemu-kvm package, this:
From: Nelson Elhage <nelhage@ksplice.com>
Date: Thu, 19 May 2011 13:23:17 -0400
Subject: [PATCH] virtqueue: Sanity-check the length of indirect descriptors.
We were previously allowing arbitrarily-long descriptors, which could lead to a
buffer overflow in the qemu-kvm process.
Index: qemu-kvm-1.1~rc+dfsg/hw/virtio.c
===================================================================
--- qemu-kvm-1.1~rc+dfsg.orig/hw/virtio.c 2012-06-01 01:19:22.000000000 +0000
+++ qemu-kvm-1.1~rc+dfsg/hw/virtio.c 2012-06-12 19:31:02.336250076 +0000
@@ -370,6 +370,11 @@
max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
num_bufs = i = 0;
desc_pa = vring_desc_addr(desc_pa, i);
+
+ if (max > VIRTQUEUE_MAX_SIZE) {
+ error_report("Too-large indirect descriptor");
+ exit(1);
+ }
}
do {
@@ -443,6 +448,11 @@
max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
desc_pa = vring_desc_addr(desc_pa, i);
i = 0;
+
+ if (max > VIRTQUEUE_MAX_SIZE) {
+ error_report("Too-large indirect descriptor");
+ exit(1);
+ }
}
/* Collect all the descriptors */
And I wonder if it is still needed. The mentioned CVE-2011-2212
has been fixed before 0.15, by the following:
commit c8eac1cfa1e9104a658b4614ada758861b8d823a
Author: Michael S. Tsirkin <mst@redhat.com>
Date: Mon Jun 20 13:42:27 2011 +0300
virtio: fix indirect descriptor buffer overflow
We were previously allowing arbitrarily-long indirect descriptors, which
could lead to a buffer overflow in qemu-kvm process.
CVE-2011-2212
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
diff --git a/hw/virtio.c b/hw/virtio.c
index cc47a06..a8f4940 100644
--- a/hw/virtio.c
+++ b/hw/virtio.c
@@ -449,9 +449,17 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem)
struct iovec *sg;
if (vring_desc_flags(desc_pa, i) & VRING_DESC_F_WRITE) {
+ if (elem->in_num >= ARRAY_SIZE(elem->in_sg)) {
+ error_report("Too many write descriptors in indirect table");
+ exit(1);
+ }
elem->in_addr[elem->in_num] = vring_desc_addr(desc_pa, i);
sg = &elem->in_sg[elem->in_num++];
} else {
+ if (elem->out_num >= ARRAY_SIZE(elem->out_sg)) {
+ error_report("Too many read descriptors in indirect table");
+ exit(1);
+ }
elem->out_addr[elem->out_num] = vring_desc_addr(desc_pa, i);
sg = &elem->out_sg[elem->out_num++];
}
But this one - apparently - fixes a different codepath, no?
Thanks,
/mjt
next reply other threads:[~2012-07-07 13:38 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-07-07 13:37 Michael Tokarev [this message]
2012-07-09 14:36 ` [Qemu-devel] CVE-2011-2212: has it been actually fixed? Anthony Liguori
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4FF83BB6.6080304@msgid.tls.msk.ru \
--to=mjt@tls.msk.ru \
--cc=mst@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.