diff options
| author | Michael Roth <mdroth@linux.vnet.ibm.com> | 2014-04-03 19:51:46 +0300 |
|---|---|---|
| committer | Juan Quintela <quintela@redhat.com> | 2014-05-05 22:15:02 +0200 |
| commit | 4b53c2c72cb5541cf394033b528a6fe2a86c0ac1 (patch) | |
| tree | 83beef3b93918cf372cc3c948398d59e18dea64a /hw/virtio | |
| parent | d2ef4b61fe6d33d2a5dcf100a9b9440de341ad62 (diff) | |
| download | qemu-4b53c2c72cb5541cf394033b528a6fe2a86c0ac1.tar.gz qemu-4b53c2c72cb5541cf394033b528a6fe2a86c0ac1.tar.bz2 qemu-4b53c2c72cb5541cf394033b528a6fe2a86c0ac1.zip | |
virtio: avoid buffer overrun on incoming migration
CVE-2013-6399
vdev->queue_sel is read from the wire, and later used in the
emulation code as an index into vdev->vq[]. If the value of
vdev->queue_sel exceeds the length of vdev->vq[], currently
allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO
operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun
the buffer with arbitrary data originating from the source.
Fix this by failing migration if the value from the wire exceeds
VIRTIO_PCI_QUEUE_MAX.
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Juan Quintela <quintela@redhat.com>
Diffstat (limited to 'hw/virtio')
| -rw-r--r-- | hw/virtio/virtio.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c index 05f05e7c10..007254257f 100644 --- a/hw/virtio/virtio.c +++ b/hw/virtio/virtio.c @@ -907,6 +907,9 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f) qemu_get_8s(f, &vdev->status); qemu_get_8s(f, &vdev->isr); qemu_get_be16s(f, &vdev->queue_sel); + if (vdev->queue_sel >= VIRTIO_PCI_QUEUE_MAX) { + return -1; + } qemu_get_be32s(f, &features); if (virtio_set_features(vdev, features) < 0) { |