qemu-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH v5 05/24] virtio-net: out-of-bounds buffer write


From: Peter Maydell
Subject: Re: [Qemu-devel] [PATCH v5 05/24] virtio-net: out-of-bounds buffer write on load
Date: Thu, 3 Apr 2014 18:26:32 +0100

On 3 April 2014 17:50, Michael S. Tsirkin <address@hidden> wrote:
> CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in
> virtio_net_load()@hw/net/virtio-net.c
>
>>         } else if (n->mac_table.in_use) {
>>             uint8_t *buf = g_malloc0(n->mac_table.in_use);
>
> We are allocating buffer of size n->mac_table.in_use
>
>>             qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);
>
> and read to the n->mac_table.in_use size buffer n->mac_table.in_use *
> ETH_ALEN bytes, corrupting memory.
>
> If adversary controls state then memory written there is controlled
> by adversary.
>
> Reviewed-by: Michael Roth <address@hidden>
> Signed-off-by: Michael S. Tsirkin <address@hidden>
> ---
>  hw/net/virtio-net.c | 14 ++++++++++----
>  1 file changed, 10 insertions(+), 4 deletions(-)
>
> diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
> index 439477b..c247529 100644
> --- a/hw/net/virtio-net.c
> +++ b/hw/net/virtio-net.c
> @@ -1362,10 +1362,16 @@ static int virtio_net_load(QEMUFile *f, void *opaque, 
> int version_id)
>          if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) {
>              qemu_get_buffer(f, n->mac_table.macs,
>                              n->mac_table.in_use * ETH_ALEN);
> -        } else if (n->mac_table.in_use) {
> -            uint8_t *buf = g_malloc0(n->mac_table.in_use);
> -            qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);
> -            g_free(buf);
> +        } else {
> +            int i;
> +
> +            /* Overflow detected - can happen if source has a larger MAC 
> table.
> +             * We simply set overflow flag so there's no need to maintain the
> +             * table of addresses, discard them all.
> +             */
> +            for (i = 0; i < n->mac_table.in_use * ETH_ALEN; ++i) {
> +                qemu_get_byte(f);
> +            }

If the incoming data sets the in_use field to INT_MAX then
we get integer overflow on the multiply here. That's
undefined behaviour in C and we probably shouldn't allow
that to happen.

thanks
-- PMM



reply via email to

[Prev in Thread] Current Thread [Next in Thread]