Date: Tue, 3 Dec 2013 18:28:19 +0200
From: "Michael S. Tsirkin"
Message-ID: <1386087086-3691-1-git-send-email-mst@redhat.com>
Subject: [Qemu-devel] [PATCH 00/23] qemu state loading issues
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org

(the following excellent explanation is due to Petr Matousek)

The state loading functionality was written under the assumption that
the state being loaded can be trusted. This is mostly true, but we have
identified at least two scenarios where it's not:

* An attacker who has complete control over the source qemu-kvm/node (via
  another flaw) and wants to attack the destination node (source and
  destination for live migration). He can thus change the migration data
  that will be processed on the destination node, potentially allowing
  exploitation and remote code execution.

  Also, migration initiation is a privileged operation, but I think the
  attacker on the source node could probably fake some symptoms that
  would either make some automated process start migrating VMs off the
  node or make the node admin notice and start a manual migration.

  A MITM attack is not considered to be security relevant, since the
  security between endpoints can be considered to be a configuration
  issue.

* Saving/loading state to/from a file.

  For example:
  https://bugzilla.redhat.com/show_bug.cgi?id=588133#c8
  https://bugzilla.redhat.com/show_bug.cgi?id=588133#c9

After I had identified a first issue like this, a full audit of the qemu
code base was done by Anthony Liguori, Michael Roth, myself and others,
and found multiple instances where loading an invalid image would
corrupt QEMU memory, in some instances making it possible to overwrite
it with attacker-controlled data.

This patchset is the result of that audit: it addresses this set of
security issues by adding input validation and failing migration on
invalid input.

Considering the preconditions, I think that the impact on typical qemu
usage is low. Still, I think these patches make sense for qemu-stable.

Lots of thanks to Stefan Hajnoczi, Gerd Hoffmann, Kevin Wolf, Paolo
Bonzini and Hans de Goede for help with the code audit, and to Petr
Matousek for review. I hope I didn't forget anyone involved; if I did,
I apologize in advance.

I have parked them on my tree for now so they are not lost.

Please review, and consider for stable and 1.8.

Gerd Hoffmann (1):
  usb: sanity check setup_index+setup_len in post_load

Michael Roth (6):
  stellaris_enet: avoid buffer overrun on incoming migration
  stellaris_enet: avoid buffer overrun on incoming migration (part 2)
  stellaris_enet: avoid buffer overrun on incoming migration (part 3)
  virtio: avoid buffer overrun on incoming migration
  openpic: avoid buffer overrun on incoming migration
  pxa2xx: avoid buffer overrun on incoming migration

Michael S. Tsirkin (16):
  virtio-net: fix buffer overflow on invalid state load
  virtio-net: out-of-bounds buffer write on load
  virtio-net: out-of-bounds buffer write on invalid state load
  virtio: out-of-bounds buffer write on invalid state load
  ahci: fix buffer overrun on invalid state load
  hpet: fix buffer overrun on invalid state load
  hw/pci/pcie_aer.c: fix buffer overruns on invalid state load
  pl022: fix buffer overrun on invalid state load
  target-arm/machine.c: fix buffer overflow on invalid state load
  virtio: validate num_sg when mapping
  ssi-sd: fix buffer overrun on invalid state load
  ssd0323: fix buffer overrun on invalid state load
  tsc210x: fix buffer overrun on invalid state load
  zaurus: fix buffer overrun on invalid state load
  virtio-scsi: fix buffer overrun on invalid state load
  savevm: fix potential segfault on invalid state

 include/hw/virtio/virtio-net.h |  4 ++--
 hw/arm/pxa2xx.c                |  6 ++++--
 hw/display/ssd0323.c           |  3 +++
 hw/gpio/zaurus.c               |  2 +-
 hw/ide/ahci.c                  |  2 +-
 hw/input/tsc210x.c             | 12 ++++++++++++
 hw/intc/openpic.c              |  3 +++
 hw/net/stellaris_enet.c        | 31 +++++++++++++++++++++----------
 hw/net/virtio-net.c            | 13 ++++++++++---
 hw/pci/pcie_aer.c              | 15 +++++++++++++--
 hw/scsi/virtio-scsi.c          |  2 ++
 hw/sd/ssi-sd.c                 |  3 +++
 hw/ssi/pl022.c                 | 12 ++++++++++++
 hw/timer/hpet.c                | 18 +++++++++++++-----
 hw/usb/bus.c                   |  4 ++++
 hw/virtio/virtio.c             | 17 ++++++++++++++++-
 savevm.c                       |  3 +++
 target-arm/machine.c           |  4 ++++
 18 files changed, 127 insertions(+), 27 deletions(-)

-- 
MST
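The shape of the fix this series applies, as an added example in C that is not QEMU's code: a post_load-style validator that rejects indices and lengths read from an untrusted migration stream or savevm file instead of trusting them. The DevState struct, its fields and the helper names are invented for illustration; only the return convention (0 on success, -EINVAL to fail the load) follows QEMU's post_load hooks.

```c
/* Added example, not QEMU code. DevState and its fields are hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define DATA_BUF_SIZE 64

typedef struct {
    uint8_t data_buf[DATA_BUF_SIZE]; /* fixed-size buffer kept in device state */
    int32_t setup_index;             /* cursor into data_buf, read from stream */
    int32_t setup_len;               /* bytes valid in data_buf, read from stream */
    uint32_t rx_fifo_len;            /* another length field, read from stream */
} DevState;

/* BEFORE: trusts whatever the stream carried. Any later memcpy/memset that
 * uses these fields would index data_buf out of bounds. */
static int post_load_unchecked(DevState *s)
{
    (void)s;
    return 0; /* accept anything */
}

/* AFTER: every value that later indexes data_buf is range-checked. The two
 * fields are bounded separately, not via setup_index + setup_len, so a sum
 * that wraps cannot slip past the limit. Failing with -EINVAL aborts the
 * incoming migration / loadvm rather than continuing with corrupt state. */
static int post_load_checked(DevState *s)
{
    if (s->setup_index < 0 || s->setup_len < 0 ||
        s->setup_index > s->setup_len ||
        s->setup_len > (int32_t)sizeof(s->data_buf)) {
        return -EINVAL;
    }
    if (s->rx_fifo_len > sizeof(s->data_buf)) {
        return -EINVAL;
    }
    return 0;
}

/* Stands in for the stream decoder: fills the fields from constructed
 * values, then runs the chosen post_load hook exactly as vmstate would. */
static int load_state(DevState *s, int32_t idx, int32_t len, uint32_t fifo,
                      int (*post_load)(DevState *))
{
    memset(s, 0, sizeof(*s));
    s->setup_index = idx;
    s->setup_len = len;
    s->rx_fifo_len = fifo;
    return post_load(s);
}
```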