]> xenbits.xensource.com Git - qemu-upstream-4.2-testing.git/commit
projects / qemu-upstream-4.2-testing.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 501d7f8) | patch
virtio-net: fix guest-triggerable buffer overrun
authorMichael S. Tsirkin <mst@redhat.com>
Wed, 4 Mar 2015 17:12:57 +0000 (17:12 +0000)
committerStefano Stabellini <stefano.stabellini@eu.citrix.com>
Thu, 5 Mar 2015 13:22:11 +0000 (13:22 +0000)
commit8c9231f055e1f2a412a6e0aeef72f6b569c82cf8
tree47715076e0a2cd53f46516dfcb7cd10c5dc92113tree
parent501d7f8faa05597ebb0bb54dea7d323967fa449bcommit | diff
virtio-net: fix guest-triggerable buffer overrun

When VM guest programs multicast addresses for
a virtio net card, it supplies a 32 bit
entries counter for the number of addresses.
These addresses are read into tail portion of
a fixed macs array which has size MAC_TABLE_ENTRIES,
at offset equal to in_use.

To avoid overflow of this array by guest, qemu attempts
to test the size as follows:
-    if (in_use + mac_data.entries <= MAC_TABLE_ENTRIES) {

however, as mac_data.entries is uint32_t, this sum
can overflow, e.g. if in_use is 1 and mac_data.entries
is 0xffffffff then in_use + mac_data.entries will be 0.

Qemu will then read guest supplied buffer into this
memory, overflowing buffer on heap.

CVE-2014-0150

Cc: qemu-stable@nongnu.org
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 1397218574-25058-1-git-send-email-mst@redhat.com
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
hw/virtio-net.c diff | blob | history
Obsolete Upstream Qemu based repository for xen-unstable