Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

This fixes a warning from the static code analysis (smatch).
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>
Acked-by: NAurelien Jarno <aurelien@aurel32.net>

Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

Current css code saves the operation request block (orb) in the
subchannel structure for later consumption by the start function
handler. This might make sense for asynchronous execution of the
start function (which qemu doesn't support), but not in our case;
it would even be wrong since orb contains a reference to a local
variable in the base ssch handler.

Let's just pass the orb through the start function call chain for
ssch; for rsch, we can pass NULL as the backend function does not
use any information passed via the orb there.
Acked-by: NChristian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: NCornelia Huck <cornelia.huck@de.ibm.com>

Malformed input can have config_len in migration stream
exceed the array size allocated on destination, the
result will be heap overflow.

To fix, that config_len matches on both sides.

CVE-2014-0182
Reported-by: N"Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NJuan Quintela <quintela@redhat.com>

--

v2: use %ix and %zx to print config_len values
Signed-off-by: NJuan Quintela <quintela@redhat.com>

CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c

>         } else if (n->mac_table.in_use) {
>             uint8_t *buf = g_malloc0(n->mac_table.in_use);

We are allocating buffer of size n->mac_table.in_use

>             qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);

and read to the n->mac_table.in_use size buffer n->mac_table.in_use *
ETH_ALEN bytes, corrupting memory.

If adversary controls state then memory written there is controlled
by adversary.
Reviewed-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NJuan Quintela <quintela@redhat.com>

CVE-2013-4534

opp->nb_cpus is read from the wire and used to determine how many
IRQDest elements to read into opp->dst[]. If the value exceeds the
length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbitrary
data from the wire.

Fix this by failing migration if the value read from the wire exceeds
MAX_CPU.
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
Reviewed-by: NAlexander Graf <agraf@suse.de>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NJuan Quintela <quintela@redhat.com>

CVE-2013-4537

s->arglen is taken from wire and used as idx
in ssi_sd_transfer().

Validate it before access.
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NJuan Quintela <quintela@redhat.com>

CVE-2013-4541

s->setup_len and s->setup_index are fed into usb_packet_copy as
size/offset into s->data_buf, it's possible for invalid state to exploit
this to load arbitrary data.

setup_len and setup_index should be checked to make sure
they are not negative.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Reviewed-by: NGerd Hoffmann <kraxel@redhat.com>
Signed-off-by: NJuan Quintela <quintela@redhat.com>

As the macro verifies the value is positive, rename it
to make the function clearer.
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NJuan Quintela <quintela@redhat.com>

CVE-2013-4542

hw/scsi/scsi-bus.c invokes load_request.

 virtio_scsi_load_request does:
    qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem));

this probably can make elem invalid, for example,
make in_num or out_num huge, then:

    virtio_scsi_parse_req(s, vs->cmd_vqs[n], req);

will do:

    if (req->elem.out_num > 1) {
        qemu_sgl_init_external(req, &req->elem.out_sg[1],
                               &req->elem.out_addr[1],
                               req->elem.out_num - 1);
    } else {
        qemu_sgl_init_external(req, &req->elem.in_sg[1],
                               &req->elem.in_addr[1],
                               req->elem.in_num - 1);
    }

and this will access out of array bounds.

Note: this adds security checks within assert calls since
SCSIBusInfo's load_request cannot fail.
For now simply disable builds with NDEBUG - there seems
to be little value in supporting these.

Cc: Andreas Färber <afaerber@suse.de>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NJuan Quintela <quintela@redhat.com>

CVE-2013-4540

Within scoop_gpio_handler_update, if prev_level has a high bit set, then
we get bit > 16 and that causes a buffer overrun.

Since prev_level comes from wire indirectly, this can
happen on invalid state load.

Similarly for gpio_level and gpio_dir.

To fix, limit to 16 bit.
Reported-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Reviewed-by: NDr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: NJuan Quintela <quintela@redhat.com>

CVE-2013-4539

s->precision, nextprecision, function and nextfunction
come from wire and are used
as idx into resolution[] in TSC_CUT_RESOLUTION.

Validate after load to avoid buffer overrun.

Cc: Andreas Färber <afaerber@suse.de>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NJuan Quintela <quintela@redhat.com>

CVE-2013-4538

s->cmd_len used as index in ssd0323_transfer() to store 32-bit field.
Possible this field might then be supplied by guest to overwrite a
return addr somewhere. Same for row/col fields, which are indicies into
framebuffer array.

To fix validate after load.

Additionally, validate that the row/col_start/end are within bounds;
otherwise the guest can provoke an overrun by either setting the _end
field so large that the row++ increments just walk off the end of the
array, or by setting the _start value to something bogus and then
letting the "we hit end of row" logic reset row to row_start.

For completeness, validate mode as well.
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NJuan Quintela <quintela@redhat.com>

CVE-2013-4533

s->rx_level is read from the wire and used to determine how many bytes
to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the
length of s->rx_fifo[] the buffer can be overrun with arbitrary data
from the wire.

Fix this by validating rx_level against the size of s->rx_fifo.

Cc: Don Koch <dkoch@verizon.com>
Reported-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Reviewed-by: NDon Koch <dkoch@verizon.com>
Signed-off-by: NJuan Quintela <quintela@redhat.com>

CVE-2013-4535
CVE-2013-4536

Both virtio-block and virtio-serial read,
VirtQueueElements are read in as buffers, and passed to
virtqueue_map_sg(), where num_sg is taken from the wire and can force
writes to indicies beyond VIRTQUEUE_MAX_SIZE.

To fix, validate num_sg.
Reported-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Cc: Amit Shah <amit.shah@redhat.com>
Signed-off-by: NJuan Quintela <quintela@redhat.com>

CVE-2013-6399

vdev->queue_sel is read from the wire, and later used in the
emulation code as an index into vdev->vq[]. If the value of
vdev->queue_sel exceeds the length of vdev->vq[], currently
allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO
operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun
the buffer with arbitrary data originating from the source.

Fix this by failing migration if the value from the wire exceeds
VIRTIO_PCI_QUEUE_MAX.
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NJuan Quintela <quintela@redhat.com>

CVE-2013-4530

pl022.c did not bounds check tx_fifo_head and
rx_fifo_head after loading them from file and
before they are used to dereference array.

Reported-by: Michael S. Tsirkin <mst@redhat.com
Reported-by: NAnthony Liguori <anthony@codemonkey.ws>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NJuan Quintela <quintela@redhat.com>

4) CVE-2013-4529
hw/pci/pcie_aer.c    pcie aer log can overrun the buffer if log_num is
                     too large

There are two issues in this file:
1. log_max from remote can be larger than on local
then buffer will overrun with data coming from state file.
2. log_num can be larger then we get data corruption
again with an overflow but not adversary controlled.

Fix both issues.
Reported-by: NAnthony Liguori <anthony@codemonkey.ws>
Reported-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Reviewed-by: NDr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: NJuan Quintela <quintela@redhat.com>

CVE-2013-4527 hw/timer/hpet.c buffer overrun

hpet is a VARRAY with a uint8 size but static array of 32

To fix, make sure num_timers is valid using VMSTATE_VALID hook.
Reported-by: NAnthony Liguori <anthony@codemonkey.ws>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Reviewed-by: NDr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: NJuan Quintela <quintela@redhat.com>

CVE-2013-4526

Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded.  So
we use the old version of ports to read the array but then allow any
value for ports.  This can cause the code to overflow.

There's no reason to migrate ports - it never changes.
So just make sure it matches.
Reported-by: NAnthony Liguori <anthony@codemonkey.ws>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NJuan Quintela <quintela@redhat.com>

CVE-2013-4151 QEMU 1.0 out-of-bounds buffer write in
virtio_load@hw/virtio/virtio.c

So we have this code since way back when:

    num = qemu_get_be32(f);

    for (i = 0; i < num; i++) {
        vdev->vq[i].vring.num = qemu_get_be32(f);

array of vqs has size VIRTIO_PCI_QUEUE_MAX, so
on invalid input this will write beyond end of buffer.
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Reviewed-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: NJuan Quintela <quintela@redhat.com>

PortioList is an abstraction used for construction of MemoryRegionPortioList
from MemoryRegionPortio. It can be used later to unmap created memory regions.
It also requires proper cleanup because some of the memory inside is allocated
dynamically.

By moving PortioList ot device state we make it possible to cleanup later and
avoid leaking memory.

This change spans several target platforms.  The following testcases cover all
changed lines:
  qemu-system-ppc -M prep
  qemu-system-i386 -vga qxl
  qemu-system-i386 -M isapc -soundhw adlib -device ib700,id=watchdog0,bus=isa.0
Signed-off-by: NKirill Batuzov <batuzovk@ispras.ru>
Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NAndreas Färber <afaerber@suse.de>

Using error_is_set(ERRP) to find out whether a function failed is
either wrong, fragile, or unnecessarily opaque.  It's wrong when ERRP
may be null, because errors go undetected when it is.  It's fragile
when proving ERRP non-null involves a non-local argument.  Else, it's
unnecessarily opaque (see commit 84d18f06).

I guess the error_is_set(errp) in the DeviceClass realize() methods
are merely fragile right now, because I can't find a call chain that
passes a null errp argument.

Make the code more robust and more obviously correct: receive the
error in a local variable, then propagate it through the parameter.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Acked-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAndreas Färber <afaerber@suse.de>

Using error_is_set(ERRP) to find out whether a function failed is
either wrong, fragile, or unnecessarily opaque.  It's wrong when ERRP
may be null, because errors go undetected when it is.  It's fragile
when proving ERRP non-null involves a non-local argument.  Else, it's
unnecessarily opaque (see commit 84d18f06).

I guess the error_is_set(errp) in the ObjectProperty set() methods are
merely fragile right now, because I can't find a call chain that
passes a null errp argument.

Make the code more robust and more obviously correct: receive the
error in a local variable, then propagate it through the parameter.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NAndreas Färber <afaerber@suse.de>

Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NAndreas Färber <afaerber@suse.de>

Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NAndreas Färber <afaerber@suse.de>

No need to go through qemu_machine field. Use
MachineClass fields directly.
Signed-off-by: NMarcel Apfelbaum <marcel.a@redhat.com>
Signed-off-by: NAndreas Färber <afaerber@suse.de>

In order to eliminate the QEMUMachine indirection,
add its fields directly to MachineClass.
Do not yet remove qemu_machine field because it is
still in use by sPAPR.
Signed-off-by: NMarcel Apfelbaum <marcel.a@redhat.com>
[AF: Copied fields for sPAPR, too]
Signed-off-by: NAndreas Färber <afaerber@suse.de>

CVE-2013-4150 QEMU 1.5.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c

This code is in hw/net/virtio-net.c:

    if (n->max_queues > 1) {
        if (n->max_queues != qemu_get_be16(f)) {
            error_report("virtio-net: different max_queues ");
            return -1;
        }

        n->curr_queues = qemu_get_be16(f);
        for (i = 1; i < n->curr_queues; i++) {
            n->vqs[i].tx_waiting = qemu_get_be32(f);
        }
    }

Number of vqs is max_queues, so if we get invalid input here,
for example if max_queues = 2, curr_queues = 3, we get
write beyond end of the buffer, with data that comes from
wire.

This might be used to corrupt qemu memory in hard to predict ways.
Since we have lots of function pointers around, RCE might be possible.
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Acked-by: NJason Wang <jasowang@redhat.com>
Reviewed-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: NJuan Quintela <quintela@redhat.com>

Build an aggregate set of smbios tables and an entry point structure.

Insert tables and entry point into fw_cfg respectively under
"etc/smbios/smbios-tables" and "etc/smbios/smbios-anchor".

Machine types <= 2.0 will for now continue using field-by-field
overrides to SeaBIOS defaults, but for machine types 2.1 and up we
expect the BIOS to look for and use the aggregate tables generated
by this patch.
Signed-off-by: NGabriel Somlo <somlo@cmu.edu>

[ kraxel: fix 32bit build ]
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NPeter Wu <peter@lekensteyn.nl>
Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com>

Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NPeter Wu <peter@lekensteyn.nl>
Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com>

Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NPeter Wu <peter@lekensteyn.nl>
Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com>

Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NPeter Wu <peter@lekensteyn.nl>
Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com>

Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NPeter Wu <peter@lekensteyn.nl>
Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com>

Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NPeter Wu <peter@lekensteyn.nl>
Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com>

Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NPeter Wu <peter@lekensteyn.nl>
Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com>

Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NPeter Wu <peter@lekensteyn.nl>
Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com>

Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NPeter Wu <peter@lekensteyn.nl>
Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com>