[Qemu-devel] [PATCH 00/23] qemu state loading issues
From: Michael S. Tsirkin
Subject: [Qemu-devel] [PATCH 00/23] qemu state loading issues
Date: Tue, 3 Dec 2013 18:28:19 +0200
(the following excellent explanation is due to Petr Matousek)
The state loading functionality was written under
the assumption that the state being loaded can be trusted. This is
mostly true, but we have identified at least two scenarios where it's
not:
* An attacker who has complete control over source qemu-kvm/node (via
another flaw) and wants to attack destination node (source and
destination for live migration). He can thus change the migration
data that will be processed on the destination node, potentially
allowing exploitation and remote code execution.
Also, migration initiation is a privileged operation, but I think the
attacker on the source node could probably fake some symptoms that
would either make some automated process start migrating VMs off
the node or make the node admin notice and start a manual
migration.
A MITM attack is not considered to be security relevant, since the
security between endpoints can be considered to be a configuration
issue.
* Saving/Loading state to/from file.
For example:
https://bugzilla.redhat.com/show_bug.cgi?id=588133#c8
https://bugzilla.redhat.com/show_bug.cgi?id=588133#c9
After I identified a first issue like this,
a full audit of the qemu code base was done by Anthony Liguori, Michael
Roth, myself and others, and it found multiple instances where loading an
invalid image would corrupt QEMU memory, in some instances making it
possible to overwrite it with attacker-controlled data.
This patchset is the result of that audit: it addresses this set of
security issues by adding input validation and failing migration on
invalid input.
Considering the preconditions, I think that the impact on typical qemu usage is
low. Still, I think these patches make sense for qemu-stable.
Lots of thanks to Stefan Hajnoczi, Gerd Hoffmann, Kevin Wolf, Paolo
Bonzini and Hans de Goede for help with the code audit, and to Petr
Matousek for review. I hope I didn't forget anyone involved; if I did,
I apologize in advance.
I have parked them on my tree for now so they are not lost.
Please review, and consider for stable and 1.8.
Gerd Hoffmann (1):
usb: sanity check setup_index+setup_len in post_load
Michael Roth (6):
stellaris_enet: avoid buffer overrun on incoming migration
stellaris_enet: avoid buffer overrun on incoming migration (part 2)
stellaris_enet: avoid buffer overrun on incoming migration (part 3)
virtio: avoid buffer overrun on incoming migration
openpic: avoid buffer overrun on incoming migration
pxa2xx: avoid buffer overrun on incoming migration
Michael S. Tsirkin (16):
virtio-net: fix buffer overflow on invalid state load
virtio-net: out-of-bounds buffer write on load
virtio-net: out-of-bounds buffer write on invalid state load
virtio: out-of-bounds buffer write on invalid state load
ahci: fix buffer overrun on invalid state load
hpet: fix buffer overrun on invalid state load
hw/pci/pcie_aer.c: fix buffer overruns on invalid state load
pl022: fix buffer overrun on invalid state load
target-arm/machine.c: fix buffer overflow on invalid state load
virtio: validate num_sg when mapping
ssi-sd: fix buffer overrun on invalid state load
ssd0323: fix buffer overrun on invalid state load
tsc210x: fix buffer overrun on invalid state load
zaurus: fix buffer overrun on invalid state load
virtio-scsi: fix buffer overrun on invalid state load
savevm: fix potential segfault on invalid state
include/hw/virtio/virtio-net.h | 4 ++--
hw/arm/pxa2xx.c | 6 ++++--
hw/display/ssd0323.c | 3 +++
hw/gpio/zaurus.c | 2 +-
hw/ide/ahci.c | 2 +-
hw/input/tsc210x.c | 12 ++++++++++++
hw/intc/openpic.c | 3 +++
hw/net/stellaris_enet.c | 31 +++++++++++++++++++++----------
hw/net/virtio-net.c | 13 ++++++++++---
hw/pci/pcie_aer.c | 15 +++++++++++++--
hw/scsi/virtio-scsi.c | 2 ++
hw/sd/ssi-sd.c | 3 +++
hw/ssi/pl022.c | 12 ++++++++++++
hw/timer/hpet.c | 18 +++++++++++++-----
hw/usb/bus.c | 4 ++++
hw/virtio/virtio.c | 17 ++++++++++++++++-
savevm.c | 3 +++
target-arm/machine.c | 4 ++++
18 files changed, 127 insertions(+), 27 deletions(-)
--
MST
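The pattern the series applies, a post_load hook that range-checks every field read from the migration stream and fails the load instead of trusting it, shown as an added illustration in C. This is not code from the patchset or from QEMU: the device state, the field names (setup_buf, setup_len, setup_index, queue_sel), the record layout and the sample setup bytes are all constructed for the example.

```c
/* Added example, not from the QEMU patchset: a minimal model of a
 * VMState-style post_load hook that refuses inconsistent device state
 * instead of trusting it. The device layout, field names and record
 * format below are constructed for illustration. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEMO_SETUP_BUF_SIZE 8      /* bytes of setup data the device holds */
#define DEMO_NUM_QUEUES     4      /* queues the device exposes */
#define DEMO_RECORD_SIZE    (DEMO_SETUP_BUF_SIZE + 12)

typedef struct {
    uint8_t  setup_buf[DEMO_SETUP_BUF_SIZE];
    int32_t  setup_len;    /* valid bytes in setup_buf, loaded from the stream */
    int32_t  setup_index;  /* read offset into setup_buf, loaded from the stream */
    uint32_t queue_sel;    /* selected queue, loaded from the stream */
} demo_dev_state;

/* post_load: every field that later indexes memory is range-checked on
 * its own. Checking setup_index and setup_len separately, rather than
 * only their sum, also avoids a signed overflow of setup_index + setup_len
 * slipping past a single combined test. Returns 0, or -EINVAL so that the
 * caller fails the migration. */
int demo_post_load(demo_dev_state *s)
{
    if (s->setup_len < 0 || s->setup_len > DEMO_SETUP_BUF_SIZE) {
        return -EINVAL;
    }
    if (s->setup_index < 0 || s->setup_index > s->setup_len) {
        return -EINVAL;
    }
    if (s->queue_sel >= DEMO_NUM_QUEUES) {
        return -EINVAL;
    }
    return 0;
}

/* Only safe to call once demo_post_load() has accepted the state. */
int demo_remaining_setup_bytes(const demo_dev_state *s)
{
    return s->setup_len - s->setup_index;
}

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  | (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Decode one record from the (untrusted) stream: the setup bytes followed
 * by three big-endian 32-bit fields, then run the post_load validation. */
int demo_load_state(demo_dev_state *s, const uint8_t *buf, size_t len)
{
    if (len < DEMO_RECORD_SIZE) {
        return -EINVAL;            /* truncated stream */
    }
    memcpy(s->setup_buf, buf, DEMO_SETUP_BUF_SIZE);
    s->setup_len   = (int32_t)get_be32(buf + DEMO_SETUP_BUF_SIZE);
    s->setup_index = (int32_t)get_be32(buf + DEMO_SETUP_BUF_SIZE + 4);
    s->queue_sel   = get_be32(buf + DEMO_SETUP_BUF_SIZE + 8);
    return demo_post_load(s);
}

/* Encode a record with the given fields over constructed sample setup
 * bytes and load it; this stands in for a sender that may be hostile. */
static int demo_try_load(demo_dev_state *s, int32_t setup_len,
                         int32_t setup_index, uint32_t queue_sel)
{
    static const uint8_t sample_setup[DEMO_SETUP_BUF_SIZE] = {
        0x80, 0x06, 0x00, 0x01, 0x00, 0x00, 0x12, 0x00 }; /* constructed */
    uint8_t rec[DEMO_RECORD_SIZE];

    memcpy(rec, sample_setup, DEMO_SETUP_BUF_SIZE);
    put_be32(rec + DEMO_SETUP_BUF_SIZE, (uint32_t)setup_len);
    put_be32(rec + DEMO_SETUP_BUF_SIZE + 4, (uint32_t)setup_index);
    put_be32(rec + DEMO_SETUP_BUF_SIZE + 8, queue_sel);
    return demo_load_state(s, rec, sizeof rec);
}

/* Result of loading a record with these fields: 0 or -EINVAL. */
int demo_try_record(int32_t setup_len, int32_t setup_index, uint32_t queue_sel)
{
    demo_dev_state s;
    return demo_try_load(&s, setup_len, setup_index, queue_sel);
}

/* Bytes left to read after a successful load, or -1 if the load failed. */
int demo_try_remaining(int32_t setup_len, int32_t setup_index, uint32_t queue_sel)
{
    demo_dev_state s;
    if (demo_try_load(&s, setup_len, setup_index, queue_sel) != 0) {
        return -1;
    }
    return demo_remaining_setup_bytes(&s);
}

int main(void)
{
    printf("consistent state:   %d\n", demo_try_record(6, 2, 1));
    printf("index past len:     %d\n", demo_try_record(6, 7, 1));
    printf("len past buffer:    %d\n", demo_try_record(INT32_MAX, INT32_MAX, 1));
    printf("queue out of range: %d\n", demo_try_record(6, 2, DEMO_NUM_QUEUES));
    return 0;
}
```

The point of the shape is that the decode step never uses a loaded value as an index; the struct is filled first, demo_post_load() checks each field against the bounds the device itself defines, and only then may code such as demo_remaining_setup_bytes() rely on them. A rejected record makes the load fail rather than leaving a partially trusted state behind.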