1 From 9229c44bfa3549085ac68265d9be95a8552c4fa4 Mon Sep 17 00:00:00 2001
2 From: "Michael S. Tsirkin" <mst@redhat.com>
3 Date: Thu, 3 Apr 2014 19:50:56 +0300
4 Subject: [PATCH] virtio-net: out-of-bounds buffer write on invalid state load
6 CVE-2013-4150 QEMU 1.5.0 out-of-bounds buffer write in
7 virtio_net_load()@hw/net/virtio-net.c
9 This code is in hw/net/virtio-net.c:
11 if (n->max_queues > 1) {
12 if (n->max_queues != qemu_get_be16(f)) {
13 error_report("virtio-net: different max_queues ");
17 n->curr_queues = qemu_get_be16(f);
18 for (i = 1; i < n->curr_queues; i++) {
19 n->vqs[i].tx_waiting = qemu_get_be32(f);
23 Number of vqs is max_queues, so if we get invalid input here,
24 for example if max_queues = 2, curr_queues = 3, we get
25 write beyond end of the buffer, with data that comes from
28 This might be used to corrupt qemu memory in hard to predict ways.
29 Since we have lots of function pointers around, RCE might be possible.
31 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
32 Acked-by: Jason Wang <jasowang@redhat.com>
33 Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
34 Signed-off-by: Juan Quintela <quintela@redhat.com>
35 (cherry picked from commit eea750a5623ddac7a61982eec8f1c93481857578)
37 hw/net/virtio-net.c | 5 +++++
38 1 file changed, 5 insertions(+)
40 diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
41 index 33bd233..0a8cb40 100644
42 --- a/hw/net/virtio-net.c
43 +++ b/hw/net/virtio-net.c
44 @@ -1407,6 +1407,11 @@ static int virtio_net_load(QEMUFile *f, void *opaque, int version_id)
47 n->curr_queues = qemu_get_be16(f);
48 + if (n->curr_queues > n->max_queues) {
49 + error_report("virtio-net: curr_queues %x > max_queues %x",
50 + n->curr_queues, n->max_queues);
53 for (i = 1; i < n->curr_queues; i++) {
54 n->vqs[i].tx_waiting = qemu_get_be32(f);
Code Review / packages / centos6 / qemu.git / blob