From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([208.118.235.92]:52300) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1SoF4c-0003gm-9f for qemu-devel@nongnu.org; Mon, 09 Jul 2012 10:36:27 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1SoF4X-000839-LC for qemu-devel@nongnu.org; Mon, 09 Jul 2012 10:36:25 -0400 Received: from mail-pb0-f45.google.com ([209.85.160.45]:60098) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1SoF4X-00082S-EZ for qemu-devel@nongnu.org; Mon, 09 Jul 2012 10:36:21 -0400 Received: by pbbro12 with SMTP id ro12so20903071pbb.4 for ; Mon, 09 Jul 2012 07:36:18 -0700 (PDT) Message-ID: <4FFAEC5E.8070608@codemonkey.ws> Date: Mon, 09 Jul 2012 09:36:14 -0500 From: Anthony Liguori MIME-Version: 1.0 References: <4FF83BB6.6080304@msgid.tls.msk.ru> In-Reply-To: <4FF83BB6.6080304@msgid.tls.msk.ru> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [Qemu-devel] CVE-2011-2212: has it been actually fixed? List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Michael Tokarev Cc: qemu-devel , "Michael S. Tsirkin" On 07/07/2012 08:37 AM, Michael Tokarev wrote: > I come across a patch in ububtu qemu-kvm package, this: > > From: Nelson Elhage > Date: Thu, 19 May 2011 13:23:17 -0400 > Subject: [PATCH] virtqueue: Sanity-check the length of indirect descriptors. > > We were previously allowing arbitrarily-long descriptors, which could lead to a > buffer overflow in the qemu-kvm process. I don't have the original thread handy, but while the CVE was still embargoed, we made some changes to Nelson's original patch which is what led to Michael's patch. We had a test case for the bug and confirmed that Michael's patch fixed that test case. Regards, Anthony Liguori > > Index: qemu-kvm-1.1~rc+dfsg/hw/virtio.c > =================================================================== > --- qemu-kvm-1.1~rc+dfsg.orig/hw/virtio.c 2012-06-01 01:19:22.000000000 +0000 > +++ qemu-kvm-1.1~rc+dfsg/hw/virtio.c 2012-06-12 19:31:02.336250076 +0000 > @@ -370,6 +370,11 @@ > max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc); > num_bufs = i = 0; > desc_pa = vring_desc_addr(desc_pa, i); > + > + if (max> VIRTQUEUE_MAX_SIZE) { > + error_report("Too-large indirect descriptor"); > + exit(1); > + } > } > > do { > @@ -443,6 +448,11 @@ > max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc); > desc_pa = vring_desc_addr(desc_pa, i); > i = 0; > + > + if (max> VIRTQUEUE_MAX_SIZE) { > + error_report("Too-large indirect descriptor"); > + exit(1); > + } > } > > /* Collect all the descriptors */ > > > And I wonder if it is still needed. The mentioned CVE-2011-2212 > has been fixed before 0.15, by the following: > > > commit c8eac1cfa1e9104a658b4614ada758861b8d823a > Author: Michael S. Tsirkin > Date: Mon Jun 20 13:42:27 2011 +0300 > > virtio: fix indirect descriptor buffer overflow > > We were previously allowing arbitrarily-long indirect descriptors, which > could lead to a buffer overflow in qemu-kvm process. > > CVE-2011-2212 > > Signed-off-by: Michael S. Tsirkin > > diff --git a/hw/virtio.c b/hw/virtio.c > index cc47a06..a8f4940 100644 > --- a/hw/virtio.c > +++ b/hw/virtio.c > @@ -449,9 +449,17 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem) > struct iovec *sg; > > if (vring_desc_flags(desc_pa, i)& VRING_DESC_F_WRITE) { > + if (elem->in_num>= ARRAY_SIZE(elem->in_sg)) { > + error_report("Too many write descriptors in indirect table"); > + exit(1); > + } > elem->in_addr[elem->in_num] = vring_desc_addr(desc_pa, i); > sg =&elem->in_sg[elem->in_num++]; > } else { > + if (elem->out_num>= ARRAY_SIZE(elem->out_sg)) { > + error_report("Too many read descriptors in indirect table"); > + exit(1); > + } > elem->out_addr[elem->out_num] = vring_desc_addr(desc_pa, i); > sg =&elem->out_sg[elem->out_num++]; > } > > > But this one - apparently - fixes a different codepath, no? > > Thanks, > > /mjt >