diff options
| author | Michael S. Tsirkin <mst@redhat.com> | 2014-04-11 15:18:08 +0300 |
|---|---|---|
| committer | Peter Maydell <peter.maydell@linaro.org> | 2014-04-11 16:02:23 +0100 |
| commit | edc243851279e3393000b28b6b69454cae1190ef (patch) | |
| tree | 1adfa99b1b7df53c830985e6020c573f0437510f | |
| parent | 21e2db72601c48fa593ef7187faf17f324d925c5 (diff) | |
| download | qemu-edc243851279e3393000b28b6b69454cae1190ef.tar.gz | |
virtio-net: fix guest-triggerable buffer overrun
When VM guest programs multicast addresses for
a virtio net card, it supplies a 32 bit
entries counter for the number of addresses.
These addresses are read into tail portion of
a fixed macs array which has size MAC_TABLE_ENTRIES,
at offset equal to in_use.
To avoid overflow of this array by guest, qemu attempts
to test the size as follows:
- if (in_use + mac_data.entries <= MAC_TABLE_ENTRIES) {
however, as mac_data.entries is uint32_t, this sum
can overflow, e.g. if in_use is 1 and mac_data.entries
is 0xffffffff then in_use + mac_data.entries will be 0.
Qemu will then read guest supplied buffer into this
memory, overflowing buffer on heap.
CVE-2014-0150
Cc: qemu-stable@nongnu.org
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 1397218574-25058-1-git-send-email-mst@redhat.com
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
| -rw-r--r-- | hw/net/virtio-net.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c index 439477b954..33bd233a2d 100644 --- a/hw/net/virtio-net.c +++ b/hw/net/virtio-net.c @@ -677,7 +677,7 @@ static int virtio_net_handle_mac(VirtIONet *n, uint8_t cmd, goto error; } - if (in_use + mac_data.entries <= MAC_TABLE_ENTRIES) { + if (mac_data.entries <= MAC_TABLE_ENTRIES - in_use) { s = iov_to_buf(iov, iov_cnt, 0, &macs[in_use * ETH_ALEN], mac_data.entries * ETH_ALEN); if (s != mac_data.entries * ETH_ALEN) { |