virtio: validate config_len on load

Malformed input can have config_len in migration stream exceed the array size allocated on destination, the result will be heap overflow. To fix, that config_len matches on both sides. CVE-2014-0182 Reported-by: N "Dr. David Alan Gilbert" <dgilbert@redhat.com> Signed-off-by: N Michael S. Tsirkin <mst@redhat.com> Signed-off-by: N Juan Quintela <quintela@redhat.com> -- v2: use %ix and %zx to print config_len values Signed-off-by: N Juan Quintela <quintela@redhat.com>

virtio: validate config_len on load
Malformed input can have config_len in migration stream exceed the array size allocated on destination, the result will be heap overflow. To fix, that config_len matches on both sides. CVE-2014-0182 Reported-by: N "Dr. David Alan Gilbert" <dgilbert@redhat.com> Signed-off-by: N Michael S. Tsirkin <mst@redhat.com> Signed-off-by: N Juan Quintela <quintela@redhat.com> -- v2: use %ix and %zx to print config_len values Signed-off-by: N Juan Quintela <quintela@redhat.com>
a890a2f9 · Michael S. Tsirkin · Juan Quintela · 98f93ddd · a890a2f9
隐藏空白更改
内联并排

Showing with 7 addition and 1 deletion

hw/virtio/virtio.c hw/virtio/virtio.c +7 -1

未找到文件。
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -898,6 +898,7 @@ int virtio_set_features(VirtIODevice *vdev, uint32_t val)
 int virtio_load(VirtIODevice *vdev, QEMUFile *f)
 {
    int i, ret;
+    int32_t config_len;
    uint32_t num;
    uint32_t features;
    uint32_t supported_features;
@@ -924,7 +925,12 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
                     features, supported_features);
        return -1;
    }
-    vdev->config_len = qemu_get_be32(f);
+    config_len = qemu_get_be32(f);
+    if (config_len != vdev->config_len) {
+        error_report("Unexpected config length 0x%x. Expected 0x%zx",
+                     config_len, vdev->config_len);
+        return -1;
+    }
    qemu_get_buffer(f, vdev->config, vdev->config_len);

    num = qemu_get_be32(f);