rpms / qemu

Clone
Source Code
GIT

Blame 0322-virtio-net-out-of-bounds-buffer-write-on-load.patch

el4 el5 el6 eln epel7 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 f7 f8 f9 fc6 main private-bonzini-demo private-bonzini-demo-f20 private-bonzini-el6 private-bonzini-mpath private-bonzini-tcmalloc private-ehabkost-fixing-exclusivearch private-glommer-merge rawhide
  1.   a1c144d27620975235c4583d853bad237bc9673e
  2.   0322-virtio-net-out-of-bounds-buffer-write-on-load.patch
Blob History Raw
e976b46 
From: "Michael S. Tsirkin" <mst@redhat.com>
e976b46 
Date: Mon, 28 Apr 2014 16:08:21 +0300
e976b46 
Subject: [PATCH] virtio-net: out-of-bounds buffer write on load
e976b46
e976b46 
CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in
e976b46 
virtio_net_load()@hw/net/virtio-net.c
e976b46
e976b46 
>         } else if (n->mac_table.in_use) {
e976b46 
>             uint8_t *buf = g_malloc0(n->mac_table.in_use);
e976b46
e976b46 
We are allocating buffer of size n->mac_table.in_use
e976b46
e976b46 
>             qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);
e976b46
e976b46 
and read to the n->mac_table.in_use size buffer n->mac_table.in_use *
e976b46 
ETH_ALEN bytes, corrupting memory.
e976b46
e976b46 
If adversary controls state then memory written there is controlled
e976b46 
by adversary.
e976b46
e976b46 
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
e976b46 
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
e976b46 
Signed-off-by: Juan Quintela <quintela@redhat.com>
e976b46 
(cherry picked from commit 98f93ddd84800f207889491e0b5d851386b459cf)
e976b46 
---
e976b46 
 hw/net/virtio-net.c | 15 +++++++++++----
e976b46 
 1 file changed, 11 insertions(+), 4 deletions(-)
e976b46
e976b46 
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
e976b46 
index 5907e96..8064092 100644
e976b46 
--- a/hw/net/virtio-net.c
e976b46 
+++ b/hw/net/virtio-net.c
e976b46 
@@ -1334,10 +1334,17 @@ static int virtio_net_load(QEMUFile *f, void *opaque, int version_id)
e976b46 
         if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) {
e976b46 
             qemu_get_buffer(f, n->mac_table.macs,
e976b46 
                             n->mac_table.in_use * ETH_ALEN);
e976b46 
-        } else if (n->mac_table.in_use) {
e976b46 
-            uint8_t *buf = g_malloc0(n->mac_table.in_use);
e976b46 
-            qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);
e976b46 
-            g_free(buf);
e976b46 
+        } else {
e976b46 
+            int64_t i;
e976b46 
+
e976b46 
+            /* Overflow detected - can happen if source has a larger MAC table.
e976b46 
+             * We simply set overflow flag so there's no need to maintain the
e976b46 
+             * table of addresses, discard them all.
e976b46 
+             * Note: 64 bit math to avoid integer overflow.
e976b46 
+             */
e976b46 
+            for (i = 0; i < (int64_t)n->mac_table.in_use * ETH_ALEN; ++i) {
e976b46 
+                qemu_get_byte(f);
e976b46 
+            }
e976b46 
             n->mac_table.multi_overflow = n->mac_table.uni_overflow = 1;
e976b46 
             n->mac_table.in_use = 0;
e976b46 
         }
Powered by Pagure 5.14.1
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.