From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:35550) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XoUYm-0003eu-Da for qemu-devel@nongnu.org; Wed, 12 Nov 2014 04:50:05 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1XoUYd-00015w-C7 for qemu-devel@nongnu.org; Wed, 12 Nov 2014 04:49:56 -0500 Received: from mail-wi0-x22f.google.com ([2a00:1450:400c:c05::22f]:51975) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XoUYd-00015r-49 for qemu-devel@nongnu.org; Wed, 12 Nov 2014 04:49:47 -0500 Received: by mail-wi0-f175.google.com with SMTP id l15so332935wiw.14 for ; Wed, 12 Nov 2014 01:49:46 -0800 (PST) Sender: Paolo Bonzini Message-ID: <54632D36.10500@redhat.com> Date: Wed, 12 Nov 2014 10:49:42 +0100 From: Paolo Bonzini MIME-Version: 1.0 References: <1415785203-26938-1-git-send-email-mst@redhat.com> <1415785203-26938-2-git-send-email-mst@redhat.com> In-Reply-To: <1415785203-26938-2-git-send-email-mst@redhat.com> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit Subject: Re: [Qemu-devel] [PATCH 1/4] migration: fix parameter validation on ram load List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: "Michael S. Tsirkin" , qemu-devel@nongnu.org Cc: dgilbert@redhat.com, Juan Quintela On 12/11/2014 10:44, Michael S. Tsirkin wrote: > During migration, the values read from migration stream during ram load > are not validated. Especially offset in host_from_stream_offset() and > also the length of the writes in the callers of said function. > > To fix this, we need to make sure that the [offset, offset + length] > range fits into one of the allocated memory regions. > > Validating addr < len should be sufficient since data seems to always be > managed in TARGET_PAGE_SIZE chunks. > > Fixes: CVE-2014-7840 > > Note: follow-up patches add extra checks on each block->host access. > > Signed-off-by: Michael S. Tsirkin > --- > arch_init.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/arch_init.c b/arch_init.c > index 88a5ba0..593a990 100644 > --- a/arch_init.c > +++ b/arch_init.c > @@ -1006,7 +1006,7 @@ static inline void *host_from_stream_offset(QEMUFile *f, > uint8_t len; > > if (flags & RAM_SAVE_FLAG_CONTINUE) { > - if (!block) { > + if (!block || block->length <= offset) { > error_report("Ack, bad migration stream!"); > return NULL; > } > @@ -1019,8 +1019,9 @@ static inline void *host_from_stream_offset(QEMUFile *f, > id[len] = 0; > > QTAILQ_FOREACH(block, &ram_list.blocks, next) { > - if (!strncmp(id, block->idstr, sizeof(id))) > + if (!strncmp(id, block->idstr, sizeof(id)) && block->length > offset) { > return memory_region_get_ram_ptr(block->mr) + offset; > + } > } > > error_report("Can't find block %s!", id); > Sort-of Yoda conditionals, i.e. I think "offset >= block->length" and "offset < block->length" would have been more common and indeed that's what you use in patch 3. That's the only comment I have. Series Reviewed-by: Paolo Bonzini