From: Michael Tokarev
Date: Fri, 11 Apr 2014 18:21:16 +0400
Message-ID: <5347FA5C.10103@msgid.tls.msk.ru>
References: <1397218574-25058-1-git-send-email-mst@redhat.com>
In-Reply-To: <1397218574-25058-1-git-send-email-mst@redhat.com>
Subject: Re: [Qemu-devel] [PATCH for-2.0] virtio-net: fix guest-triggerable buffer overrun
To: "Michael S. Tsirkin"
Cc: Peter Maydell, qemu-devel@nongnu.org, Anthony Liguori

11.04.2014 16:18, Michael S. Tsirkin wrote:
> When VM guest programs multicast addresses for
> a virtio net card, it supplies a 32 bit
> entries counter for the number of addresses.
> These addresses are read into tail portion of
> a fixed macs array which has size MAC_TABLE_ENTRIES,
> at offset equal to in_use.
>
> To avoid overflow of this array by guest, qemu attempts
> to test the size as follows:
> - if (in_use + mac_data.entries <= MAC_TABLE_ENTRIES) {
>
> however, as mac_data.entries is uint32_t, this sum
> can overflow, e.g. if in_use is 1 and mac_data.entries
> is 0xffffffff then in_use + mac_data.entries will be 0.
>
> Qemu will then read guest supplied buffer into this
> memory, overflowing buffer on heap.
>
> CVE-2014-0150
>
> Signed-off-by: Michael S. Tsirkin

Reviewed-by: Michael Tokarev

> Passed basic tests.
> CVE fix so pick this up for -rc3?
>
>  hw/net/virtio-net.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
> index 439477b..33bd233 100644
> --- a/hw/net/virtio-net.c
> +++ b/hw/net/virtio-net.c
> @@ -677,7 +677,7 @@ static int virtio_net_handle_mac(VirtIONet *n, uint8_t cmd,
>              goto error;
>          }
>  
> -    if (in_use + mac_data.entries <= MAC_TABLE_ENTRIES) {
> +    if (mac_data.entries <= MAC_TABLE_ENTRIES - in_use) {
>          s = iov_to_buf(iov, iov_cnt, 0, &macs[in_use * ETH_ALEN],
>                         mac_data.entries * ETH_ALEN);
>          if (s != mac_data.entries * ETH_ALEN) {
>
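Review bot: the replacement condition on the `+` line, `mac_data.entries <= MAC_TABLE_ENTRIES - in_use`, is only a complete fix if `in_use` can never exceed `MAC_TABLE_ENTRIES`; that precondition is not visible in this hunk. If `in_use` is a signed int, `MAC_TABLE_ENTRIES - in_use` goes negative for a too-large `in_use`, and the usual arithmetic conversions then turn it into a huge unsigned value when compared against the uint32_t `mac_data.entries`, so the guard would pass for any count. Suggest making the invariant explicit right above the `if`, for example `assert(in_use <= MAC_TABLE_ENTRIES);` or a one-line comment stating where `in_use` is bounded. Worth a sentence in the commit message as well: once `mac_data.entries` is bounded by `MAC_TABLE_ENTRIES`, the `mac_data.entries * ETH_ALEN` products passed to `iov_to_buf` and compared against `s` in the following context lines can no longer wrap either, which is the other half of why this rewrite is sufficient.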