From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:42623) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bWrko-0004hq-6U for qemu-devel@nongnu.org; Mon, 08 Aug 2016 17:06:37 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1bWrkk-0006G6-TN for qemu-devel@nongnu.org; Mon, 08 Aug 2016 17:06:34 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:44798) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bWrkk-0006Ff-Iw for qemu-devel@nongnu.org; Mon, 08 Aug 2016 17:06:30 -0400 Received: from pps.filterd (m0098396.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.11/8.16.0.11) with SMTP id u78KxjBx100086 for ; Mon, 8 Aug 2016 17:06:30 -0400 Received: from e36.co.us.ibm.com (e36.co.us.ibm.com [32.97.110.154]) by mx0a-001b2d01.pphosted.com with ESMTP id 24na7fuqwj-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 08 Aug 2016 17:06:29 -0400 Received: from localhost by e36.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 8 Aug 2016 15:06:29 -0600 From: Michael Roth Date: Mon, 8 Aug 2016 16:04:26 -0500 In-Reply-To: <1470690267-31454-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1470690267-31454-1-git-send-email-mdroth@linux.vnet.ibm.com> Message-Id: <1470690267-31454-56-git-send-email-mdroth@linux.vnet.ibm.com> Subject: [Qemu-devel] [PATCH 55/56] virtio: error out if guest exceeds virtqueue size List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Stefan Hajnoczi From: Stefan Hajnoczi A broken or malicious guest can submit more requests than the virtqueue size permits, causing unbounded memory allocation in QEMU. The guest can submit requests without bothering to wait for completion and is therefore not bound by virtqueue size. This requires reusing vring descriptors in more than one request, which is not allowed by the VIRTIO 1.0 specification. In "3.2.1 Supplying Buffers to The Device", the VIRTIO 1.0 specification says: 1. The driver places the buffer into free descriptor(s) in the descriptor table, chaining as necessary and Note that the above code does not take precautions against the available ring buffer wrapping around: this is not possible since the ring buffer is the same size as the descriptor table, so step (1) will prevent such a condition. This implies that placing more buffers into the virtqueue than the descriptor table size is not allowed. QEMU is missing the check to prevent this case. Processing a request allocates a VirtQueueElement leading to unbounded memory allocation controlled by the guest. Exit with an error if the guest provides more requests than the virtqueue size permits. This bounds memory allocation and makes the buggy guest visible to the user. This patch fixes CVE-2016-5403 and was reported by Zhenhao Hong from 360 Marvel Team, China. Reported-by: Zhenhao Hong Signed-off-by: Stefan Hajnoczi (cherry picked from commit afd9096eb1882f23929f5b5c177898ed231bac66) Signed-off-by: Michael Roth --- hw/virtio/virtio.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c index 90f86cf..8ed260a 100644 --- a/hw/virtio/virtio.c +++ b/hw/virtio/virtio.c @@ -561,6 +561,11 @@ void *virtqueue_pop(VirtQueue *vq, size_t sz) max = vq->vring.num; + if (vq->inuse >= vq->vring.num) { + error_report("Virtqueue size exceeded"); + exit(1); + } + i = head = virtqueue_get_head(vq, vq->last_avail_idx++); if (virtio_vdev_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) { vring_set_avail_event(vq, vq->last_avail_idx); -- 1.9.1