From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from [140.186.70.92] (port=52431 helo=eggs.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1Q2KoV-0003nt-SM
	for qemu-devel@nongnu.org; Wed, 23 Mar 2011 05:57:18 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mst@redhat.com>) id 1Q2KoT-0006aY-Ee
	for qemu-devel@nongnu.org; Wed, 23 Mar 2011 05:57:14 -0400
Received: from mx1.redhat.com ([209.132.183.28]:57254)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mst@redhat.com>) id 1Q2KoT-0006aE-3S
	for qemu-devel@nongnu.org; Wed, 23 Mar 2011 05:57:13 -0400
Received: from int-mx12.intmail.prod.int.phx2.redhat.com
	(int-mx12.intmail.prod.int.phx2.redhat.com [10.5.11.25])
	by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id p2N9vCfV002334
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
	for <qemu-devel@nongnu.org>; Wed, 23 Mar 2011 05:57:12 -0400
Date: Wed, 23 Mar 2011 11:56:57 +0200
From: "Michael S. Tsirkin" <mst@redhat.com>
Message-ID: <20110323095657.GA23292@redhat.com>
References: <20110322163250.GA6426@redhat.com>
	<20110322165506.GB12508@amit-x200.redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20110322165506.GB12508@amit-x200.redhat.com>
Subject: [Qemu-devel] Re: [PATCH] virtio-serial: don't crash on invalid input
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Amit Shah <amit.shah@redhat.com>
Cc: qemu-devel@nongnu.org

On Tue, Mar 22, 2011 at 10:25:06PM +0530, Amit Shah wrote:
> On (Tue) 22 Mar 2011 [18:32:50], Michael S. Tsirkin wrote:
> > Fix crash on invalid input in virtio-serial.
> > Discovered by code review, untested.
> > 
> > Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> > ---
> >  hw/virtio-serial-bus.c |    3 +++
> >  1 files changed, 3 insertions(+), 0 deletions(-)
> > 
> > diff --git a/hw/virtio-serial-bus.c b/hw/virtio-serial-bus.c
> > index e0bf6c5..8807a2f 100644
> > --- a/hw/virtio-serial-bus.c
> > +++ b/hw/virtio-serial-bus.c
> > @@ -654,6 +654,9 @@ static int virtio_serial_load(QEMUFile *f, void *opaque, int version_id)
> >  
> >          id = qemu_get_be32(f);
> >          port = find_port_by_id(s, id);
> > +        if (!port) {
> > +            return -EINVAL;
> > +        }
> 
> Just before this, we matched the ports_map which would bail out if the
> corresponding port isn't avl. in the destination, so this check is
> made redundant.
> 
> 		Amit

You are trusting the remote here, this is a security problem.
A malicious remote will always be able to create arbitrary guest state,
but it should not be able to corrupt the host.

-- 
MST