From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:41372) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XW1dh-0007vU-3C for qemu-devel@nongnu.org; Mon, 22 Sep 2014 07:18:45 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1XW1dc-0001Ic-7c for qemu-devel@nongnu.org; Mon, 22 Sep 2014 07:18:41 -0400 Date: Mon, 22 Sep 2014 14:21:40 +0300 From: "Michael S. Tsirkin" Message-ID: <20140922112140.GF14882@redhat.com> References: <1410799208-3250-1-git-send-email-afaerber@suse.de> <1410799208-3250-4-git-send-email-afaerber@suse.de> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline In-Reply-To: <1410799208-3250-4-git-send-email-afaerber@suse.de> Content-Transfer-Encoding: quoted-printable Subject: Re: [Qemu-devel] [PATCH v3 3/4] ivshmem: Fix potential OOB r/w access List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Andreas =?iso-8859-1?Q?F=E4rber?= Cc: Bruce Rogers , Sebastian Krahmer , qemu-stable@nongnu.org, qemu-devel@nongnu.org, David Marchand , Sebastian Krahmer , Stefan Hajnoczi , Cam Macdonell On Mon, Sep 15, 2014 at 06:40:07PM +0200, Andreas F=E4rber wrote: > From: Sebastian Krahmer >=20 > Fix OOB access via malformed incoming_posn parameters > and check that requested memory is actually alloc'ed. >=20 > Signed-off-by: Sebastian Krahmer > [AF: Rebased, cleanups, avoid fd leak] > Cc: qemu-stable@nongnu.org > Signed-off-by: Andreas F=E4rber Reviewed-by: Michael S. Tsirkin > --- > hw/misc/ivshmem.c | 27 +++++++++++++++++++++++---- > 1 file changed, 23 insertions(+), 4 deletions(-) >=20 > diff --git a/hw/misc/ivshmem.c b/hw/misc/ivshmem.c > index 24f74f6..ecef82a 100644 > --- a/hw/misc/ivshmem.c > +++ b/hw/misc/ivshmem.c > @@ -29,6 +29,7 @@ > =20 > #include > #include > +#include > =20 > #define PCI_VENDOR_ID_IVSHMEM PCI_VENDOR_ID_REDHAT_QUMRANET > #define PCI_DEVICE_ID_IVSHMEM 0x1110 > @@ -410,14 +411,24 @@ static void close_guest_eventfds(IVShmemState *s,= int posn) > =20 > /* this function increase the dynamic storage need to store data about= other > * guests */ > -static void increase_dynamic_storage(IVShmemState *s, int new_min_size= ) { > +static int increase_dynamic_storage(IVShmemState *s, int new_min_size) > +{ > =20 > int j, old_nb_alloc; > =20 > + /* check for integer overflow */ > + if (new_min_size >=3D INT_MAX / sizeof(Peer) - 1 || new_min_size <= =3D 0) { > + return -1; > + } > + > old_nb_alloc =3D s->nb_peers; > =20 > - while (new_min_size >=3D s->nb_peers) > - s->nb_peers =3D s->nb_peers * 2; > + if (new_min_size >=3D s->nb_peers) { > + /* +1 because #new_min_size is used as last array index */ > + s->nb_peers =3D new_min_size + 1; > + } else { > + return 0; > + } > =20 > IVSHMEM_DPRINTF("bumping storage to %d guests\n", s->nb_peers); > s->peers =3D g_realloc(s->peers, s->nb_peers * sizeof(Peer)); > @@ -427,6 +438,8 @@ static void increase_dynamic_storage(IVShmemState *= s, int new_min_size) { > s->peers[j].eventfds =3D NULL; > s->peers[j].nb_eventfds =3D 0; > } > + > + return 0; > } > =20 > static void ivshmem_read(void *opaque, const uint8_t *buf, int size) > @@ -469,7 +482,13 @@ static void ivshmem_read(void *opaque, const uint8= _t *buf, int size) > =20 > /* make sure we have enough space for this guest */ > if (incoming_posn >=3D s->nb_peers) { > - increase_dynamic_storage(s, incoming_posn); > + if (increase_dynamic_storage(s, incoming_posn) < 0) { > + error_report("increase_dynamic_storage() failed"); > + if (tmp_fd !=3D -1) { > + close(tmp_fd); > + } > + return; > + } > } > =20 > if (tmp_fd =3D=3D -1) { > --=20 > 1.8.4.5