From: Laszlo Ersek <lersek@redhat.com>
To: "Michael S. Tsirkin" <mst@redhat.com>, qemu-devel@nongnu.org
Cc: Anthony Liguori <anthony@codemonkey.ws>,
KONRAD Frederic <fred.konrad@greensocs.com>,
mdroth@linux.vnet.ibm.com, dgilbert@redhat.com,
qemu-stable@nongnu.org
Subject: Re: [Qemu-devel] [PATCH v4 04/30] virtio-net: fix buffer overflow on invalid state load
Date: Mon, 31 Mar 2014 19:21:30 +0200
Message-ID: <5339A41A.40202@redhat.com>
In-Reply-To: <1396275242-10810-5-git-send-email-mst@redhat.com>
On 03/31/14 16:16, Michael S. Tsirkin wrote:
> CVE-2013-4148 QEMU 1.0 integer conversion in
> virtio_net_load()@hw/net/virtio-net.c
>
> Deals with loading a corrupted savevm image.
>
>> n->mac_table.in_use = qemu_get_be32(f);
>
> in_use is int so it can get negative when assigned 32bit unsigned value.
>
>> /* MAC_TABLE_ENTRIES may be different from the saved image */
>> if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) {
>
> passing this check ^^^
>
>> qemu_get_buffer(f, n->mac_table.macs,
>> n->mac_table.in_use * ETH_ALEN);
>
> with good in_use value, "n->mac_table.in_use * ETH_ALEN" can get
> positive and bigger than mac_table.macs. For example 0x81000000
> satisfies this condition when ETH_ALEN is 6.
>
> A similar problem exists with is_multi.
("first_multi")
>
> Fix both by making the value unsigned.
>
> Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> Edit: "for consistency, change first_multi as well".
>
> Note: all call sites were audited to confirm that
> making them unsigned didn't cause any issues:
> it turns out we actually never do math on them,
> so it's easy to validate because both values are
> always <= MAC_TABLE_ENTRIES.
> ---
> include/hw/virtio/virtio-net.h | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/include/hw/virtio/virtio-net.h b/include/hw/virtio/virtio-net.h
> index df60f16..4b32440 100644
> --- a/include/hw/virtio/virtio-net.h
> +++ b/include/hw/virtio/virtio-net.h
> @@ -176,8 +176,8 @@ typedef struct VirtIONet {
> uint8_t nobcast;
> uint8_t vhost_started;
> struct {
> - int in_use;
> - int first_multi;
> + uint32_t in_use;
> + uint32_t first_multi;
> uint8_t multi_overflow;
> uint8_t uni_overflow;
> uint8_t *macs;
>
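Review bot: the hunk only widens the two struct fields, so the claim in the message that "both values are always <= MAC_TABLE_ENTRIES" still rests on the load-side checks in hw/net/virtio-net.c, which this diff does not touch; the commit message should say explicitly that the existing `if (n->mac_table.in_use <= MAC_TABLE_ENTRIES)` check becomes sufficient because an unsigned in_use can no longer be negative, and should name the corresponding load-side check for first_multi rather than only "for consistency". Also worth stating: any loop or comparison that pairs these fields with a signed int variable now does a signed/unsigned comparison, so building with -Wsign-compare would surface any site the audit missed.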
I ran
git grep -EHn '\<(in_use|first_multi)\>'
Many hits, hard to audit (esp. because I'm unfamiliar with the code).
Several loops with signed int loop variables. I checked cursorily.
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
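The conversion bug the quoted commit message describes, as an added example that is not QEMU's code: the pre-fix signed check beside the post-fix unsigned one, fed the same raw 32-bit in_use values. MAC_TABLE_ENTRIES is assumed to be 64 here (the logic does not depend on the exact value), and the wrap of the signed product is modelled with unsigned arithmetic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed for the illustration; ETH_ALEN is 6 as the commit message says. */
#define MAC_TABLE_ENTRIES 64
#define ETH_ALEN 6
#define MACS_BUF_SIZE (MAC_TABLE_ENTRIES * ETH_ALEN) /* bytes in mac_table.macs */

/* Pre-fix: in_use is a signed int that receives the raw 32-bit value from the
 * image, and the byte count is int * int. Returns true if the old check let
 * the value through; *len receives the byte count the loader would pass on,
 * modelled as the two's-complement wrap the commit message describes (in
 * real C the signed overflow is undefined behaviour). */
static bool old_check(uint32_t raw, uint32_t *len)
{
    int in_use = (int)raw;              /* 0x81000000 becomes negative */
    if (in_use > MAC_TABLE_ENTRIES) {   /* negative values pass this */
        return false;
    }
    *len = (uint32_t)in_use * ETH_ALEN; /* 0x81000000 * 6 wraps to 0x06000000 */
    return true;
}

/* Post-fix: in_use is uint32_t, so every value above MAC_TABLE_ENTRIES,
 * including all the ones that used to look negative, is rejected, and the
 * product can never exceed MACS_BUF_SIZE. */
static bool new_check(uint32_t raw, uint32_t *len)
{
    uint32_t in_use = raw;
    if (in_use > MAC_TABLE_ENTRIES) {
        return false;
    }
    *len = in_use * ETH_ALEN;
    return true;
}

/* Whether a byte count accepted by a check would overrun mac_table.macs. */
static bool overruns(uint32_t len)
{
    return len > MACS_BUF_SIZE;
}

int main(void)
{
    const uint32_t samples[] = { 64, 65, 0x80000000u, 0x81000000u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t old_len = 0, new_len = 0;
        bool old_ok = old_check(samples[i], &old_len);
        bool new_ok = new_check(samples[i], &new_len);
        printf("in_use=0x%08x old:%s len=%u%s new:%s\n", samples[i],
               old_ok ? "accept" : "reject", old_len,
               old_ok && overruns(old_len) ? " (OVERRUN)" : "",
               new_ok ? "accept" : "reject");
    }
    return 0;
}
```

Note that 0x80000000 also slips past the old check but wraps to a length of 0, which is why the commit message says the product "can" become positive and too large rather than always does.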