Re: [Qemu-devel] [PATCH v6 4/5] virtio: validate config_len on load
Michael S. Tsirkin m...@redhat.com wrote:
Malformed input can have config_len in migration stream
exceed the array size allocated on destination, the
result will be heap overflow.
To fix, that config_len matches on both sides.
CVE-2014-0182
Reported-by: Dr. David Alan Gilbert dgilb...@redhat.com
Signed-off-by: Michael S. Tsirkin m...@redhat.com
---
hw/virtio/virtio.c | 8 +++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 3bad71e..0d5d368 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -898,6 +898,7 @@ int virtio_set_features(VirtIODevice *vdev, uint32_t val)
int virtio_load(VirtIODevice *vdev, QEMUFile *f)
{
int i, ret;
+int32_t config_len;
Has a warning.
/mnt/kvm/qemu/next/hw/virtio/virtio.c: In function ‘virtio_load’:
/mnt/kvm/qemu/next/hw/virtio/virtio.c:931:22: error: format ‘%i’ expects
argument of type ‘int’, but argument 2 has type ‘size_t’ [-Werror=format=]
config_len, vdev-config_len);
^
changing config_len to size_t.
uint32_t num;
uint32_t features;
uint32_t supported_features;
@@ -924,7 +925,12 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
features, supported_features);
return -1;
}
-vdev-config_len = qemu_get_be32(f);
+config_len = qemu_get_be32(f);
+if (config_len != vdev-config_len) {
+error_report(Unexpected config length 0x%x. Expected 0x%x,
and this to:
s/%x/%zx/
Later, Juan.
+ config_len, vdev-config_len);
+return -1;
+}
qemu_get_buffer(f, vdev-config, vdev-config_len);
num = qemu_get_be32(f);
Re: [Qemu-devel] [PATCH v6 4/5] virtio: validate config_len on load
Juan Quintela quint...@redhat.com wrote:
Michael S. Tsirkin m...@redhat.com wrote:
Malformed input can have config_len in migration stream
exceed the array size allocated on destination, the
result will be heap overflow.
To fix, that config_len matches on both sides.
CVE-2014-0182
Reported-by: Dr. David Alan Gilbert dgilb...@redhat.com
Signed-off-by: Michael S. Tsirkin m...@redhat.com
---
hw/virtio/virtio.c | 8 +++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 3bad71e..0d5d368 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -898,6 +898,7 @@ int virtio_set_features(VirtIODevice *vdev, uint32_t val)
int virtio_load(VirtIODevice *vdev, QEMUFile *f)
{
int i, ret;
+int32_t config_len;
Has a warning.
/mnt/kvm/qemu/next/hw/virtio/virtio.c: In function ‘virtio_load’:
/mnt/kvm/qemu/next/hw/virtio/virtio.c:931:22: error: format ‘%i’
expects argument of type ‘int’, but argument 2 has type ‘size_t’
[-Werror=format=]
config_len, vdev-config_len);
^
changing config_len to size_t.
After discussing with michael, left it as int32_t
uint32_t num;
uint32_t features;
uint32_t supported_features;
@@ -924,7 +925,12 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
features, supported_features);
return -1;
}
-vdev-config_len = qemu_get_be32(f);
+config_len = qemu_get_be32(f);
+if (config_len != vdev-config_len) {
+error_report(Unexpected config length 0x%x. Expected 0x%x,
and this to:
s/%x/%zx/
and use here %ix %zx
Later, Juan.
Later, Juan.
+ config_len, vdev-config_len);
+return -1;
+}
qemu_get_buffer(f, vdev-config, vdev-config_len);
num = qemu_get_be32(f);
