From: Michael S. Tsirkin Date: Mon, 28 Apr 2014 13:08:21 +0000 (+0300) Subject: virtio-net: out-of-bounds buffer write on load X-Git-Tag: qemu-xen-4.4.3-rc1~48 X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=90d1a97c7560ca593471a0d6b7c6380844789a42;p=qemu-upstream-4.4-testing.git virtio-net: out-of-bounds buffer write on load CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in virtio_net_load()@hw/net/virtio-net.c > } else if (n->mac_table.in_use) { > uint8_t *buf = g_malloc0(n->mac_table.in_use); We are allocating buffer of size n->mac_table.in_use > qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN); and read to the n->mac_table.in_use size buffer n->mac_table.in_use * ETH_ALEN bytes, corrupting memory. If adversary controls state then memory written there is controlled by adversary. Reviewed-by: Michael Roth Signed-off-by: Michael S. Tsirkin Signed-off-by: Juan Quintela --- diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c index 5320aab0b..04dc62d4e 100644 --- a/hw/net/virtio-net.c +++ b/hw/net/virtio-net.c @@ -1334,10 +1334,17 @@ static int virtio_net_load(QEMUFile *f, void *opaque, int version_id) if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) { qemu_get_buffer(f, n->mac_table.macs, n->mac_table.in_use * ETH_ALEN); - } else if (n->mac_table.in_use) { - uint8_t *buf = g_malloc0(n->mac_table.in_use); - qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN); - g_free(buf); + } else { + int64_t i; + + /* Overflow detected - can happen if source has a larger MAC table. + * We simply set overflow flag so there's no need to maintain the + * table of addresses, discard them all. + * Note: 64 bit math to avoid integer overflow. + */ + for (i = 0; i < (int64_t)n->mac_table.in_use * ETH_ALEN; ++i) { + qemu_get_byte(f); + } n->mac_table.multi_overflow = n->mac_table.uni_overflow = 1; n->mac_table.in_use = 0; }