[Qemu-devel] [PATCH for-2.0] virtio-net: fix guest-triggerable buffer overrun

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

* [Qemu-devel] [PATCH for-2.0] virtio-net: fix guest-triggerable buffer overrun
@ 2014-04-11 12:18 Michael S. Tsirkin
  2014-04-11 14:21 ` Michael Tokarev
  0 siblings, 1 reply; 3+ messages in thread
From: Michael S. Tsirkin @ 2014-04-11 12:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: Peter Maydell, Anthony Liguori

When VM guest programs multicast addresses for
a virtio net card, it supplies a 32 bit
entries counter for the number of addresses.
These addresses are read into tail portion of
a fixed macs array which has size MAC_TABLE_ENTRIES,
at offset equal to in_use.

To avoid overflow of this array by guest, qemu attempts
to test the size as follows:
-    if (in_use + mac_data.entries <= MAC_TABLE_ENTRIES) {

however, as mac_data.entries is uint32_t, this sum
can overflow, e.g. if in_use is 1 and mac_data.entries
is 0xffffffff then in_use + mac_data.entries will be 0.

Qemu will then read guest supplied buffer into this
memory, overflowing buffer on heap.

CVE-2014-0150

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---

Passed basic tests.
CVE fix so pick this up for -rc3?

 hw/net/virtio-net.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index 439477b..33bd233 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -677,7 +677,7 @@ static int virtio_net_handle_mac(VirtIONet *n, uint8_t cmd,
         goto error;
     }

-    if (in_use + mac_data.entries <= MAC_TABLE_ENTRIES) {
+    if (mac_data.entries <= MAC_TABLE_ENTRIES - in_use) {
         s = iov_to_buf(iov, iov_cnt, 0, &macs[in_use * ETH_ALEN],
                        mac_data.entries * ETH_ALEN);
         if (s != mac_data.entries * ETH_ALEN) {
-- 
MST

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [Qemu-devel] [PATCH for-2.0] virtio-net: fix guest-triggerable buffer overrun
  2014-04-11 12:18 [Qemu-devel] [PATCH for-2.0] virtio-net: fix guest-triggerable buffer overrun Michael S. Tsirkin
@ 2014-04-11 14:21 ` Michael Tokarev
  2014-04-11 15:38   ` Peter Maydell
  0 siblings, 1 reply; 3+ messages in thread
From: Michael Tokarev @ 2014-04-11 14:21 UTC (permalink / raw)
  To: Michael S. Tsirkin; +Cc: Peter Maydell, qemu-devel, Anthony Liguori

11.04.2014 16:18, Michael S. Tsirkin wrote:
> When VM guest programs multicast addresses for
> a virtio net card, it supplies a 32 bit
> entries counter for the number of addresses.
> These addresses are read into tail portion of
> a fixed macs array which has size MAC_TABLE_ENTRIES,
> at offset equal to in_use.
> 
> To avoid overflow of this array by guest, qemu attempts
> to test the size as follows:
> -    if (in_use + mac_data.entries <= MAC_TABLE_ENTRIES) {
> 
> however, as mac_data.entries is uint32_t, this sum
> can overflow, e.g. if in_use is 1 and mac_data.entries
> is 0xffffffff then in_use + mac_data.entries will be 0.
> 
> Qemu will then read guest supplied buffer into this
> memory, overflowing buffer on heap.
> 
> CVE-2014-0150
> 
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>

> Passed basic tests.
> CVE fix so pick this up for -rc3?
> 
>  hw/net/virtio-net.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
> index 439477b..33bd233 100644
> --- a/hw/net/virtio-net.c
> +++ b/hw/net/virtio-net.c
> @@ -677,7 +677,7 @@ static int virtio_net_handle_mac(VirtIONet *n, uint8_t cmd,
>          goto error;
>      }
>  
> -    if (in_use + mac_data.entries <= MAC_TABLE_ENTRIES) {
> +    if (mac_data.entries <= MAC_TABLE_ENTRIES - in_use) {
>          s = iov_to_buf(iov, iov_cnt, 0, &macs[in_use * ETH_ALEN],
>                         mac_data.entries * ETH_ALEN);
>          if (s != mac_data.entries * ETH_ALEN) {
> 

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [Qemu-devel] [PATCH for-2.0] virtio-net: fix guest-triggerable buffer overrun
  2014-04-11 14:21 ` Michael Tokarev
@ 2014-04-11 15:38   ` Peter Maydell
  0 siblings, 0 replies; 3+ messages in thread
From: Peter Maydell @ 2014-04-11 15:38 UTC (permalink / raw)
  To: Michael Tokarev; +Cc: QEMU Developers, Anthony Liguori, Michael S. Tsirkin

On 11 April 2014 15:21, Michael Tokarev <mjt@tls.msk.ru> wrote:
> 11.04.2014 16:18, Michael S. Tsirkin wrote:
>> When VM guest programs multicast addresses for
>> a virtio net card, it supplies a 32 bit
>> entries counter for the number of addresses.
>> These addresses are read into tail portion of
>> a fixed macs array which has size MAC_TABLE_ENTRIES,
>> at offset equal to in_use.
>>
>> To avoid overflow of this array by guest, qemu attempts
>> to test the size as follows:
>> -    if (in_use + mac_data.entries <= MAC_TABLE_ENTRIES) {
>>
>> however, as mac_data.entries is uint32_t, this sum
>> can overflow, e.g. if in_use is 1 and mac_data.entries
>> is 0xffffffff then in_use + mac_data.entries will be 0.
>>
>> Qemu will then read guest supplied buffer into this
>> memory, overflowing buffer on heap.
>>
>> CVE-2014-0150
>>
>> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
>
> Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>

Applied, thanks. (This is not the clearest code in the world
given we wait so late to validate the value from the guest
but it looks right to me.)

I added a cc: stable too.

-- PMM

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2014-04-11 15:39 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-04-11 12:18 [Qemu-devel] [PATCH for-2.0] virtio-net: fix guest-triggerable buffer overrun Michael S. Tsirkin
2014-04-11 14:21 ` Michael Tokarev
2014-04-11 15:38   ` Peter Maydell

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).