From cc45995294b92d95319b4782750a3580cabdbc0c Mon Sep 17 00:00:00 2001 From: "Michael S. Tsirkin" Date: Thu, 3 Apr 2014 19:51:14 +0300 Subject: virtio: out-of-bounds buffer write on invalid state load CVE-2013-4151 QEMU 1.0 out-of-bounds buffer write in virtio_load@hw/virtio/virtio.c So we have this code since way back when: num = qemu_get_be32(f); for (i = 0; i < num; i++) { vdev->vq[i].vring.num = qemu_get_be32(f); array of vqs has size VIRTIO_PCI_QUEUE_MAX, so on invalid input this will write beyond end of buffer. Signed-off-by: Michael S. Tsirkin Reviewed-by: Michael Roth Signed-off-by: Juan Quintela --- hw/virtio/virtio.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'hw/virtio/virtio.c') diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c index aeabf3a..05f05e7 100644 --- a/hw/virtio/virtio.c +++ b/hw/virtio/virtio.c @@ -891,7 +891,8 @@ int virtio_set_features(VirtIODevice *vdev, uint32_t val) int virtio_load(VirtIODevice *vdev, QEMUFile *f) { - int num, i, ret; + int i, ret; + uint32_t num; uint32_t features; uint32_t supported_features; BusState *qbus = qdev_get_parent_bus(DEVICE(vdev)); @@ -919,6 +920,11 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f) num = qemu_get_be32(f); + if (num > VIRTIO_PCI_QUEUE_MAX) { + error_report("Invalid number of PCI queues: 0x%x", num); + return -1; + } + for (i = 0; i < num; i++) { vdev->vq[i].vring.num = qemu_get_be32(f); if (k->has_variable_vring_alignment) { -- cgit v1.1 From 4b53c2c72cb5541cf394033b528a6fe2a86c0ac1 Mon Sep 17 00:00:00 2001 From: Michael Roth Date: Thu, 3 Apr 2014 19:51:46 +0300 Subject: virtio: avoid buffer overrun on incoming migration CVE-2013-6399 vdev->queue_sel is read from the wire, and later used in the emulation code as an index into vdev->vq[]. If the value of vdev->queue_sel exceeds the length of vdev->vq[], currently allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun the buffer with arbitrary data originating from the source. Fix this by failing migration if the value from the wire exceeds VIRTIO_PCI_QUEUE_MAX. Signed-off-by: Michael Roth Signed-off-by: Michael S. Tsirkin Reviewed-by: Peter Maydell Signed-off-by: Juan Quintela --- hw/virtio/virtio.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'hw/virtio/virtio.c') diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c index 05f05e7..0072542 100644 --- a/hw/virtio/virtio.c +++ b/hw/virtio/virtio.c @@ -907,6 +907,9 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f) qemu_get_8s(f, &vdev->status); qemu_get_8s(f, &vdev->isr); qemu_get_be16s(f, &vdev->queue_sel); + if (vdev->queue_sel >= VIRTIO_PCI_QUEUE_MAX) { + return -1; + } qemu_get_be32s(f, &features); if (virtio_set_features(vdev, features) < 0) { -- cgit v1.1 From 36cf2a37132c7f01fa9adb5f95f5312b27742fd4 Mon Sep 17 00:00:00 2001 From: "Michael S. Tsirkin" Date: Thu, 3 Apr 2014 19:51:53 +0300 Subject: virtio: validate num_sg when mapping CVE-2013-4535 CVE-2013-4536 Both virtio-block and virtio-serial read, VirtQueueElements are read in as buffers, and passed to virtqueue_map_sg(), where num_sg is taken from the wire and can force writes to indicies beyond VIRTQUEUE_MAX_SIZE. To fix, validate num_sg. Reported-by: Michael Roth Signed-off-by: Michael S. Tsirkin Cc: Amit Shah Signed-off-by: Juan Quintela --- hw/virtio/virtio.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'hw/virtio/virtio.c') diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c index 0072542..a70169a 100644 --- a/hw/virtio/virtio.c +++ b/hw/virtio/virtio.c @@ -430,6 +430,12 @@ void virtqueue_map_sg(struct iovec *sg, hwaddr *addr, unsigned int i; hwaddr len; + if (num_sg >= VIRTQUEUE_MAX_SIZE) { + error_report("virtio: map attempt out of bounds: %zd > %d", + num_sg, VIRTQUEUE_MAX_SIZE); + exit(1); + } + for (i = 0; i < num_sg; i++) { len = sg[i].iov_len; sg[i].iov_base = cpu_physical_memory_map(addr[i], &len, is_write); -- cgit v1.1 From a890a2f9137ac3cf5b607649e66a6f3a5512d8dc Mon Sep 17 00:00:00 2001 From: "Michael S. Tsirkin" Date: Mon, 28 Apr 2014 16:08:23 +0300 Subject: virtio: validate config_len on load Malformed input can have config_len in migration stream exceed the array size allocated on destination, the result will be heap overflow. To fix, that config_len matches on both sides. CVE-2014-0182 Reported-by: "Dr. David Alan Gilbert" Signed-off-by: Michael S. Tsirkin Signed-off-by: Juan Quintela -- v2: use %ix and %zx to print config_len values Signed-off-by: Juan Quintela --- hw/virtio/virtio.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'hw/virtio/virtio.c') diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c index a70169a..7f4e7ec 100644 --- a/hw/virtio/virtio.c +++ b/hw/virtio/virtio.c @@ -898,6 +898,7 @@ int virtio_set_features(VirtIODevice *vdev, uint32_t val) int virtio_load(VirtIODevice *vdev, QEMUFile *f) { int i, ret; + int32_t config_len; uint32_t num; uint32_t features; uint32_t supported_features; @@ -924,7 +925,12 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f) features, supported_features); return -1; } - vdev->config_len = qemu_get_be32(f); + config_len = qemu_get_be32(f); + if (config_len != vdev->config_len) { + error_report("Unexpected config length 0x%x. Expected 0x%zx", + config_len, vdev->config_len); + return -1; + } qemu_get_buffer(f, vdev->config, vdev->config_len); num = qemu_get_be32(f); -- cgit v1.1