On (Mon) 31 Mar 2014 [17:17:05], Michael S. Tsirkin wrote: > CVE-2013-4535 > CVE-2013-4536 > > Both virtio-block and virtio-serial read, > VirtQueueElements are read in as buffers, and passed to > virtqueue_map_sg(), where num_sg is taken from the wire and can force > writes to indicies beyond VIRTQUEUE_MAX_SIZE. > > To fix, validate num_sg. > > Reported-by: Michael Roth <mdr...@linux.vnet.ibm.com> > Signed-off-by: Michael S. Tsirkin <m...@redhat.com> > --- > hw/virtio/virtio.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c > index bcbfbb2..003b6ad 100644 > --- a/hw/virtio/virtio.c > +++ b/hw/virtio/virtio.c > @@ -430,6 +430,12 @@ void virtqueue_map_sg(struct iovec *sg, hwaddr *addr, > unsigned int i; > hwaddr len; > > + if (num_sg >= VIRTQUEUE_MAX_SIZE) { > + error_report("virtio: map attempt out of bounds: %d > %d", > + num_sg, VIRTQUEUE_MAX_SIZE); > + exit(1);
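Review bot: the new condition and its message disagree on the boundary: `if (num_sg >= VIRTQUEUE_MAX_SIZE)` rejects a count equal to VIRTQUEUE_MAX_SIZE, while the report prints `"... out of bounds: %d > %d"`, which describes only counts strictly above it. If the element's sg/addr arrays hold VIRTQUEUE_MAX_SIZE entries, a count of exactly VIRTQUEUE_MAX_SIZE indexes 0..VIRTQUEUE_MAX_SIZE-1 and is a valid request, so the test should be `num_sg > VIRTQUEUE_MAX_SIZE`; if the arrays are smaller than that, the message should say `>=` instead. Whichever bound is intended, the format string also needs fixing before this goes in: `%d` does not match num_sg, which (as the reply in this thread points out) is a size_t, so use `%zu` (or `%zd`) to avoid the -Wformat error.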
Doesn't compile; needs to be %zd because num_sg is size_t.

Amit
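The check being reviewed above, as an added stand-alone C model. This is example code written for this page, not QEMU's virtio.c: `vq_elem_t`, `fake_map`, `map_sg_unchecked`, `map_sg_checked`, `try_guest_count` and `mapped_base` are invented names, the value of `VIRTQUEUE_MAX_SIZE` is assumed, and the guest addresses fed in are constructed. It places the trusting, pre-patch loop beside the validated one, uses `>` (so a count of exactly `VIRTQUEUE_MAX_SIZE` still fits the arrays) with a `%zu` format for the `size_t` count, and returns an error instead of calling `exit(1)` so the failure path can be exercised.

```c
/* Added example, not QEMU code: a stand-alone model of the num_sg bound
 * check the patch adds to virtqueue_map_sg(). All names below are invented
 * for illustration; VIRTQUEUE_MAX_SIZE's value is assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/uio.h>

/* Same role as QEMU's VIRTQUEUE_MAX_SIZE: the per-element sg/addr arrays
 * have exactly this many slots (value assumed for the model). */
#define VIRTQUEUE_MAX_SIZE 1024

typedef uint64_t hwaddr;

/* A queue element as read in from the wire: num_sg is guest controlled,
 * the arrays behind it are fixed size, which is the whole problem. */
typedef struct {
    unsigned int num_sg;
    hwaddr addr[VIRTQUEUE_MAX_SIZE];
    struct iovec sg[VIRTQUEUE_MAX_SIZE];
} vq_elem_t;

/* Stand-in for the guest-physical memory mapper: returns the guest address
 * as a fake host pointer (never dereferenced) and leaves *plen alone,
 * i.e. the whole region "maps". */
static void *fake_map(hwaddr addr, hwaddr *plen, int is_write)
{
    (void)plen;
    (void)is_write;
    return (void *)(uintptr_t)addr;
}

/* Pre-patch shape of the loop: it trusts num_sg. A count above
 * VIRTQUEUE_MAX_SIZE makes it store sg[i].iov_base past the end of the
 * array (undefined behaviour), so this model defines but never calls it. */
void map_sg_unchecked(struct iovec *sg, const hwaddr *addr,
                      size_t num_sg, int is_write)
{
    for (size_t i = 0; i < num_sg; i++) {
        hwaddr len = sg[i].iov_len;
        sg[i].iov_base = fake_map(addr[i], &len, is_write);
    }
}

/* Same loop with the count validated first. The bound is '>' rather than
 * '>=': exactly VIRTQUEUE_MAX_SIZE entries fit, so that count is valid.
 * Returns 0 on success, -1 on a guest protocol violation, leaving the
 * exit-or-recover decision to the caller (the patch itself calls exit(1)). */
int map_sg_checked(struct iovec *sg, const hwaddr *addr,
                   size_t num_sg, int is_write)
{
    if (num_sg > VIRTQUEUE_MAX_SIZE) {
        fprintf(stderr, "virtio: map attempt out of bounds: %zu > %d\n",
                num_sg, VIRTQUEUE_MAX_SIZE);
        return -1;
    }
    for (size_t i = 0; i < num_sg; i++) {
        hwaddr len = sg[i].iov_len;
        sg[i].iov_base = fake_map(addr[i], &len, is_write);
        if (sg[i].iov_base == NULL || len != sg[i].iov_len) {
            fprintf(stderr, "virtio: error trying to map MMIO memory\n");
            return -1;
        }
    }
    return 0;
}

/* One element reused across calls so its slots can be inspected afterwards. */
static vq_elem_t elem;

/* Reset the element, fill it with constructed guest addresses (0x1000,
 * 0x1100, ...) and feed the checked mapper a guest-chosen num_sg.
 * Returns the mapper's result. */
int try_guest_count(size_t num_sg)
{
    memset(&elem, 0, sizeof elem);
    for (size_t i = 0; i < VIRTQUEUE_MAX_SIZE; i++) {
        elem.addr[i] = 0x1000 + (hwaddr)i * 0x100;
        elem.sg[i].iov_len = 0x100;
    }
    elem.num_sg = (unsigned int)num_sg;   /* as the device would store it */
    return map_sg_checked(elem.sg, elem.addr, num_sg, 1);
}

/* Fake host pointer left in slot idx by the last try_guest_count(),
 * 0 if that slot was never mapped. */
uintptr_t mapped_base(size_t idx)
{
    return idx < VIRTQUEUE_MAX_SIZE ? (uintptr_t)elem.sg[idx].iov_base : 0;
}

int main(void)
{
    size_t counts[] = { 3, VIRTQUEUE_MAX_SIZE, VIRTQUEUE_MAX_SIZE + 1 };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        printf("num_sg=%zu -> %d\n", counts[i], try_guest_count(counts[i]));
    }
    return 0;
}
```

Returning -1 rather than exiting is a choice of the model, made so the rejected path can be driven from a test; in a device emulator the caller still has to stop processing the queue after a violation, since the element it was building is not usable.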