virtio: validate num_sg when mapping

CVE-2013-4535 CVE-2013-4536 Both virtio-block and virtio-serial read, VirtQueueElements are read in as buffers, and passed to virtqueue_map_sg(), where num_sg is taken from the wire and can force writes to indicies beyond VIRTQUEUE_MAX_SIZE. To fix, validate num_sg. Reported-by: N Michael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: N Michael S. Tsirkin <mst@redhat.com> Cc: Amit Shah <amit.shah@redhat.com> Signed-off-by: N Juan Quintela <quintela@redhat.com>

virtio: validate num_sg when mapping
CVE-2013-4535 CVE-2013-4536 Both virtio-block and virtio-serial read, VirtQueueElements are read in as buffers, and passed to virtqueue_map_sg(), where num_sg is taken from the wire and can force writes to indicies beyond VIRTQUEUE_MAX_SIZE. To fix, validate num_sg. Reported-by: N Michael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: N Michael S. Tsirkin <mst@redhat.com> Cc: Amit Shah <amit.shah@redhat.com> Signed-off-by: N Juan Quintela <quintela@redhat.com>
36cf2a37 · Michael S. Tsirkin · Juan Quintela · 4b53c2c7 · 36cf2a37
隐藏空白更改
内联并排

Showing with 6 addition and 0 deletion

hw/virtio/virtio.c hw/virtio/virtio.c +6 -0

未找到文件。
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -430,6 +430,12 @@ void virtqueue_map_sg(struct iovec *sg, hwaddr *addr,
    unsigned int i;
    hwaddr len;

+    if (num_sg >= VIRTQUEUE_MAX_SIZE) {
+        error_report("virtio: map attempt out of bounds: %zd > %d",
+                     num_sg, VIRTQUEUE_MAX_SIZE);
+        exit(1);
+    }
+
    for (i = 0; i < num_sg; i++) {
        len = sg[i].iov_len;
        sg[i].iov_base = cpu_physical_memory_map(addr[i], &len, is_write);