* Michael S. Tsirkin (m...@redhat.com) wrote:
> CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in
> virtio_net_load()@hw/net/virtio-net.c
>
> > } else if (n->mac_table.in_use) {
> > uint8_t *buf = g_malloc0(n->mac_table.in_use);
>
> We are allocating buffer of size n->mac_table.in_use
>
> > qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);
>
> and read to the n->mac_table.in_use size buffer n->mac_table.in_use *
> ETH_ALEN bytes, corrupting memory.
>
> If adversary controls state then memory written there is controlled
> by adversary.
>
> Reviewed-by: Michael Roth <mdr...@linux.vnet.ibm.com>
> Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
> ---
> hw/net/virtio-net.c | 12 +++++++++---
> 1 file changed, 9 insertions(+), 3 deletions(-)
>
> diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
> index 439477b..8d037b1 100644
> --- a/hw/net/virtio-net.c
> +++ b/hw/net/virtio-net.c
> @@ -1363,9 +1363,15 @@ static int virtio_net_load(QEMUFile *f, void *opaque,
> int version_id)
> qemu_get_buffer(f, n->mac_table.macs,
> n->mac_table.in_use * ETH_ALEN);
> } else if (n->mac_table.in_use) {
You can lose that 'else if' test;
if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) {
qemu_get_buffer(f, n->mac_table.macs,
n->mac_table.in_use * ETH_ALEN);
} else if (n->mac_table.in_use) {
to get to the else in_use > MAC_TABLE_ENTRIES.
Dave
> - uint8_t *buf = g_malloc0(n->mac_table.in_use);
> - qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);
> - g_free(buf);
> + int i;
> +
> + /* Overflow detected - can happen if source has a larger MAC
> table.
> + * We simply set overflow flag so there's no need to maintain the
> + * table of addresses, discard them all.
> + */
> + for (i = 0; i < n->mac_table.in_use * ETH_ALEN; ++i) {
> + qemu_get_byte(f);
> + }
> n->mac_table.multi_overflow = n->mac_table.uni_overflow = 1;
> n->mac_table.in_use = 0;
> }
> --
> MST
>
--
Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK
