qemu-devel.nongnu.org archive mirror
From: Michael Tokarev <mjt@tls.msk.ru>
To: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Peter Maydell <peter.maydell@linaro.org>,
	qemu-devel@nongnu.org, Anthony Liguori <aliguori@amazon.com>
Subject: Re: [Qemu-devel] [PATCH for-2.0] virtio-net: fix guest-triggerable buffer overrun
Date: Fri, 11 Apr 2014 18:21:16 +0400
Message-ID: <5347FA5C.10103@msgid.tls.msk.ru>
In-Reply-To: <1397218574-25058-1-git-send-email-mst@redhat.com>

11.04.2014 16:18, Michael S. Tsirkin wrote:
> When a VM guest programs multicast addresses for
> a virtio net card, it supplies a 32-bit
> entries counter for the number of addresses.
> These addresses are read into the tail portion of
> a fixed macs array which has size MAC_TABLE_ENTRIES,
> at offset equal to in_use.
> 
> To avoid overflow of this array by guest, qemu attempts
> to test the size as follows:
> -    if (in_use + mac_data.entries <= MAC_TABLE_ENTRIES) {
> 
> however, as mac_data.entries is uint32_t, this sum
> can overflow, e.g. if in_use is 1 and mac_data.entries
> is 0xffffffff then in_use + mac_data.entries will be 0.
> 
> Qemu will then read the guest-supplied buffer into this
> memory, overflowing the buffer on the heap.
> 
> CVE-2014-0150
> 
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>

> Passed basic tests.
> CVE fix so pick this up for -rc3?
> 
>  hw/net/virtio-net.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
> index 439477b..33bd233 100644
> --- a/hw/net/virtio-net.c
> +++ b/hw/net/virtio-net.c
> @@ -677,7 +677,7 @@ static int virtio_net_handle_mac(VirtIONet *n, uint8_t cmd,
>          goto error;
>      }
>  
> -    if (in_use + mac_data.entries <= MAC_TABLE_ENTRIES) {
> +    if (mac_data.entries <= MAC_TABLE_ENTRIES - in_use) {
>          s = iov_to_buf(iov, iov_cnt, 0, &macs[in_use * ETH_ALEN],
>                         mac_data.entries * ETH_ALEN);
>          if (s != mac_data.entries * ETH_ALEN) {
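Review bot: the rewritten condition `+    if (mac_data.entries <= MAC_TABLE_ENTRIES - in_use) {` is only sound under the invariant in_use <= MAC_TABLE_ENTRIES, which this hunk does not show being established; if in_use could exceed it, MAC_TABLE_ENTRIES - in_use goes negative and, converted to unsigned for the comparison against the uint32_t entries, becomes a huge value that lets any count through. Worth stating that invariant in a comment or an assert next to the check so a later reader does not have to hunt for where in_use is bounded. With the check in place, the mac_data.entries * ETH_ALEN size passed to iov_to_buf is bounded by MAC_TABLE_ENTRIES * ETH_ALEN, so that multiplication can no longer wrap either.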
> 

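As an added illustration of the wraparound the commit message describes (example code, not QEMU's own), this models the pre-patch and patched checks side by side with a guest-controlled entries count of 0xffffffff. MAC_TABLE_ENTRIES = 64 and ETH_ALEN = 6 are assumed values for the demo, and the patched check is assumed to run only when 0 <= in_use <= MAC_TABLE_ENTRIES, as the fix relies on.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values for this demo; QEMU's real definitions may differ. */
#define MAC_TABLE_ENTRIES 64
#define ETH_ALEN 6

/* Pre-patch check: in_use (int) is converted to uint32_t for the
 * addition, so in_use + entries can wrap to a small value and pass. */
static bool check_before(int in_use, uint32_t entries)
{
    return in_use + entries <= MAC_TABLE_ENTRIES;
}

/* Patched check: subtract first. No wrap is possible as long as the
 * caller guarantees 0 <= in_use <= MAC_TABLE_ENTRIES (assumed here). */
static bool check_after(int in_use, uint32_t entries)
{
    return entries <= MAC_TABLE_ENTRIES - in_use;
}

/* Bytes the following iov_to_buf() would be asked to copy into
 * &macs[in_use * ETH_ALEN], versus bytes actually left in the array. */
static uint64_t bytes_requested(uint32_t entries)
{
    return (uint64_t)entries * ETH_ALEN;
}

static uint64_t bytes_available(int in_use)
{
    return (uint64_t)(MAC_TABLE_ENTRIES - in_use) * ETH_ALEN;
}

int main(void)
{
    int in_use = 1;
    uint32_t entries = 0xffffffffu; /* constructed guest-supplied count */

    printf("old check accepts: %d\n", check_before(in_use, entries));
    printf("new check accepts: %d\n", check_after(in_use, entries));
    printf("requested %llu bytes, available %llu bytes\n",
           (unsigned long long)bytes_requested(entries),
           (unsigned long long)bytes_available(in_use));
    return 0;
}
```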

Thread overview: 3+ messages
2014-04-11 12:18 [Qemu-devel] [PATCH for-2.0] virtio-net: fix guest-triggerable buffer overrun Michael S. Tsirkin
2014-04-11 14:21 ` Michael Tokarev [this message]
2014-04-11 15:38   ` Peter Maydell
