On 31 March 2014 15:16, Michael S. Tsirkin <m...@redhat.com> wrote:
> From: Michael Roth <mdr...@linux.vnet.ibm.com>
>
> CVE-2013-6399
>
> vdev->queue_sel is read from the wire, and later used in the
> emulation code as an index into vdev->vq[]. If the value of
> vdev->queue_sel exceeds the length of vdev->vq[], currently
> allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO
> operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun
> the buffer with arbitrary data originating from the source.
>
> Fix this by failing migration if the value from the wire exceeds
> VIRTIO_PCI_QUEUE_MAX.
>
> Signed-off-by: Michael Roth <mdr...@linux.vnet.ibm.com>
> Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
> ---
> hw/virtio/virtio.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
> index 9008430..bcbfbb2 100644
> --- a/hw/virtio/virtio.c
> +++ b/hw/virtio/virtio.c
> @@ -907,6 +907,9 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
> qemu_get_8s(f, &vdev->status);
> qemu_get_8s(f, &vdev->isr);
> qemu_get_be16s(f, &vdev->queue_sel);
> + if (vdev->queue_sel >= VIRTIO_PCI_QUEUE_MAX) {
> + return -1;
> + }
> qemu_get_be32s(f, &features);
>
> if (virtio_set_features(vdev, features) < 0) {
Reviewed-by: Peter Maydell <peter.mayd...@linaro.org>
We should probably rename VIRTIO_PCI_QUEUE_MAX at some
point -- it's not PCI transport specific.
thanks
-- PMM
