[Qemu-devel] [PATCH 047/156] virtio: validate num_sg when mapping

Michael Roth Wed, 09 Jul 2014 16:11:16 -0700

From: "Michael S. Tsirkin" <m...@redhat.com>

CVE-2013-4535
CVE-2013-4536


Both virtio-block and virtio-serial read,
VirtQueueElements are read in as buffers, and passed to
virtqueue_map_sg(), where num_sg is taken from the wire and can force
writes to indicies beyond VIRTQUEUE_MAX_SIZE.

To fix, validate num_sg.

Reported-by: Michael Roth <mdr...@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
Cc: Amit Shah <amit.s...@redhat.com>
Signed-off-by: Juan Quintela <quint...@redhat.com>
(cherry picked from commit 36cf2a37132c7f01fa9adb5f95f5312b27742fd4)
Signed-off-by: Michael Roth <mdr...@linux.vnet.ibm.com>
---
 hw/virtio/virtio.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 705fad9..c2c9b5a 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -427,6 +427,12 @@ void virtqueue_map_sg(struct iovec *sg, hwaddr *addr,
     unsigned int i;
     hwaddr len;
 
+    if (num_sg >= VIRTQUEUE_MAX_SIZE) {
+        error_report("virtio: map attempt out of bounds: %zd > %d",
+                     num_sg, VIRTQUEUE_MAX_SIZE);
+        exit(1);
+    }
+
     for (i = 0; i < num_sg; i++) {
         len = sg[i].iov_len;
         sg[i].iov_base = cpu_physical_memory_map(addr[i], &len, is_write);
-- 
1.9.1

[Qemu-devel] [PATCH 047/156] virtio: validate num_sg when mapping

Reply via email to