On 11 April 2014 15:21, Michael Tokarev <m...@tls.msk.ru> wrote:
> 11.04.2014 16:18, Michael S. Tsirkin wrote:
>> When VM guest programs multicast addresses for
>> a virtio net card, it supplies a 32 bit
>> entries counter for the number of addresses.
>> These addresses are read into tail portion of
>> a fixed macs array which has size MAC_TABLE_ENTRIES,
>> at offset equal to in_use.
>>
>> To avoid overflow of this array by guest, qemu attempts
>> to test the size as follows:
>> - if (in_use + mac_data.entries <= MAC_TABLE_ENTRIES) {
>>
>> however, as mac_data.entries is uint32_t, this sum
>> can overflow, e.g. if in_use is 1 and mac_data.entries
>> is 0xffffffff then in_use + mac_data.entries will be 0.
>>
>> Qemu will then read guest supplied buffer into this
>> memory, overflowing buffer on heap.
>>
>> CVE-2014-0150
>>
>> Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
>
> Reviewed-by: Michael Tokarev <m...@tls.msk.ru>
Applied, thanks. (This is not the clearest code in the world given we wait so late to validate the value from the guest but it looks right to me.) I added a cc: stable too.

-- 
PMM
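The wrap-around described in the quoted commit message, as an added illustration that is not QEMU's code: a constructed model of the pre-fix size test beside a subtraction-based form that cannot wrap, with a 64-bit ground-truth check to show which guest counts each one lets through. MAC_TABLE_ENTRIES is set to an assumed value and in_use is modelled as an int.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the virtio-net MAC table check; not QEMU's code.
 * The table size is an assumed value. */
#define MAC_TABLE_ENTRIES 64

/* Pre-fix form as quoted in the commit message. in_use is an int and
 * entries is uint32_t, so the sum is computed in unsigned 32-bit
 * arithmetic and wraps modulo 2^32: 1 + 0xffffffff == 0 <= 64. */
static bool size_ok_vulnerable(int in_use, uint32_t entries)
{
    return in_use + entries <= MAC_TABLE_ENTRIES;
}

/* Hardened form (assumed here, not quoted from the patch): compare the
 * guest count against the free space. MAC_TABLE_ENTRIES - in_use is a
 * small non-negative int whenever in_use is a valid fill level, so no
 * operand can wrap; an out-of-range in_use is refused outright. */
static bool size_ok_fixed(int in_use, uint32_t entries)
{
    if (in_use < 0 || in_use > MAC_TABLE_ENTRIES)
        return false;
    return entries <= (uint32_t)(MAC_TABLE_ENTRIES - in_use);
}

/* Ground truth in 64-bit arithmetic: would copying `entries` addresses
 * at offset in_use run past the end of the table? */
static bool copy_overflows(int in_use, uint32_t entries)
{
    return (uint64_t)in_use + entries > MAC_TABLE_ENTRIES;
}

/* True when `check` accepts a count that the copy would overflow with. */
static bool check_is_bypassed(bool (*check)(int, uint32_t),
                              int in_use, uint32_t entries)
{
    return check(in_use, entries) && copy_overflows(in_use, entries);
}

int main(void)
{
    uint32_t guest_count = 0xffffffffu;   /* constructed guest value */
    printf("vulnerable check bypassed: %d\n",
           check_is_bypassed(size_ok_vulnerable, 1, guest_count));
    printf("fixed check bypassed:      %d\n",
           check_is_bypassed(size_ok_fixed, 1, guest_count));
    return 0;
}
```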