diff options
| author | Michael Roth <mdroth@linux.vnet.ibm.com> | 2014-04-03 19:51:46 +0300 |
|---|---|---|
| committer | Michael Roth <mdroth@linux.vnet.ibm.com> | 2014-06-26 14:16:13 -0500 |
| commit | 8f0e369a52ff0b5e0642bda47e2ead3c7e273fe1 (patch) | |
| tree | f23a914ab175bf7e43f1790d5de9180a5d83b23f /hw | |
| parent | 630ebeffb4a08f85db748b6908339a60fc213cae (diff) | |
| download | qemu-8f0e369a52ff0b5e0642bda47e2ead3c7e273fe1.zip qemu-8f0e369a52ff0b5e0642bda47e2ead3c7e273fe1.tar.gz qemu-8f0e369a52ff0b5e0642bda47e2ead3c7e273fe1.tar.bz2 | |
virtio: avoid buffer overrun on incoming migration
CVE-2013-6399
vdev->queue_sel is read from the wire, and later used in the
emulation code as an index into vdev->vq[]. If the value of
vdev->queue_sel exceeds the length of vdev->vq[], currently
allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO
operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun
the buffer with arbitrary data originating from the source.
Fix this by failing migration if the value from the wire exceeds
VIRTIO_PCI_QUEUE_MAX.
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 4b53c2c72cb5541cf394033b528a6fe2a86c0ac1)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Diffstat (limited to 'hw')
| -rw-r--r-- | hw/virtio/virtio.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c index 8dc3cb3..705fad9 100644 --- a/hw/virtio/virtio.c +++ b/hw/virtio/virtio.c @@ -904,6 +904,9 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f) qemu_get_8s(f, &vdev->status); qemu_get_8s(f, &vdev->isr); qemu_get_be16s(f, &vdev->queue_sel); + if (vdev->queue_sel >= VIRTIO_PCI_QUEUE_MAX) { + return -1; + } qemu_get_be32s(f, &features); if (virtio_set_features(vdev, features) < 0) { |