diff options
| author | Michael S. Tsirkin <mst@redhat.com> | 2014-04-28 16:08:21 +0300 |
|---|---|---|
| committer | Michael Roth <mdroth@linux.vnet.ibm.com> | 2014-07-20 22:05:53 -0500 |
| commit | 331c549b2d78f7792ded44abe9ad30a7e9531cba (patch) | |
| tree | f2e2bc8cb2ec922a8684f7ead9e2cae22176f67b /hw/net | |
| parent | b24cfb0f1ef056263210cd6e80444a1113cea24a (diff) | |
| download | qemu-331c549b2d78f7792ded44abe9ad30a7e9531cba.tar.gz | |
virtio-net: out-of-bounds buffer write on load
CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c
> } else if (n->mac_table.in_use) {
> uint8_t *buf = g_malloc0(n->mac_table.in_use);
We are allocating buffer of size n->mac_table.in_use
> qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);
and read to the n->mac_table.in_use size buffer n->mac_table.in_use *
ETH_ALEN bytes, corrupting memory.
If adversary controls state then memory written there is controlled
by adversary.
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 98f93ddd84800f207889491e0b5d851386b459cf)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Diffstat (limited to 'hw/net')
| -rw-r--r-- | hw/net/virtio-net.c | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c index 0a8cb40b92..940a7cfe54 100644 --- a/hw/net/virtio-net.c +++ b/hw/net/virtio-net.c @@ -1362,10 +1362,17 @@ static int virtio_net_load(QEMUFile *f, void *opaque, int version_id) if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) { qemu_get_buffer(f, n->mac_table.macs, n->mac_table.in_use * ETH_ALEN); - } else if (n->mac_table.in_use) { - uint8_t *buf = g_malloc0(n->mac_table.in_use); - qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN); - g_free(buf); + } else { + int64_t i; + + /* Overflow detected - can happen if source has a larger MAC table. + * We simply set overflow flag so there's no need to maintain the + * table of addresses, discard them all. + * Note: 64 bit math to avoid integer overflow. + */ + for (i = 0; i < (int64_t)n->mac_table.in_use * ETH_ALEN; ++i) { + qemu_get_byte(f); + } n->mac_table.multi_overflow = n->mac_table.uni_overflow = 1; n->mac_table.in_use = 0; } |