qemu/0068-virtio-net-out-of-bounds-buffer-wri.patch

From 2eae80d0ad4c9d0de849fbe8ad6d7d5fa788fdfb Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Mon, 28 Apr 2014 16:08:21 +0300
Subject: [PATCH] virtio-net: out-of-bounds buffer write on load
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c

>         } else if (n->mac_table.in_use) {
>             uint8_t *buf = g_malloc0(n->mac_table.in_use);

We are allocating buffer of size n->mac_table.in_use

>             qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);

and read to the n->mac_table.in_use size buffer n->mac_table.in_use *
ETH_ALEN bytes, corrupting memory.

If adversary controls state then memory written there is controlled
by adversary.

Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 98f93ddd84800f207889491e0b5d851386b459cf)
[AF: BNC#864649]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
 hw/net/virtio-net.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index 0a8cb40..940a7cf 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -1362,10 +1362,17 @@ static int virtio_net_load(QEMUFile *f, void *opaque, int version_id)
         if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) {
             qemu_get_buffer(f, n->mac_table.macs,
                             n->mac_table.in_use * ETH_ALEN);
-        } else if (n->mac_table.in_use) {
-            uint8_t *buf = g_malloc0(n->mac_table.in_use);
-            qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);
-            g_free(buf);
+        } else {
+            int64_t i;
+
+            /* Overflow detected - can happen if source has a larger MAC table.
+             * We simply set overflow flag so there's no need to maintain the
+             * table of addresses, discard them all.
+             * Note: 64 bit math to avoid integer overflow.
+             */
+            for (i = 0; i < (int64_t)n->mac_table.in_use * ETH_ALEN; ++i) {
+                qemu_get_byte(f);
+            }
             n->mac_table.multi_overflow = n->mac_table.uni_overflow = 1;
             n->mac_table.in_use = 0;
         }
Accepting request 235280 from home:a_faerber:branches:Virtualization Fix CVE-2013-4148 (bnc#864812), CVE-2013-4149 (bnc#864649), CVE-2013-4150 (bnc#864650), CVE-2013-4151 (bnc#864653), CVE-2013-4526 (bnc#864671), CVE-2013-4527 (bnc#864673), CVE-2013-4529 (bnc#864678), CVE-2013-4530 (bnc#864682), CVE-2013-4531 (bnc#864796), CVE-2013-4533 (bnc#864655), CVE-2013-4534 (bnc#864811), CVE-2013-4535 / CVE-2013-4536 (bnc#864665), CVE-2013-4537 (bnc#864391), CVE-2013-4538 (bnc#864769), CVE-2013-4539 (bnc#864805), CVE-2013-4540 (bnc#864801), CVE-2013-4541 (bnc#864802), CVE-2013-4542 (bnc#864804), CVE-2013-6399 (bnc#864814), CVE-2014-0182 (bnc#874788) OBS-URL: https://build.opensuse.org/request/show/235280 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=211 2014-05-24 14:11:00 +02:00			`From 2eae80d0ad4c9d0de849fbe8ad6d7d5fa788fdfb Mon Sep 17 00:00:00 2001`
			`From: "Michael S. Tsirkin" <mst@redhat.com>`
			`Date: Mon, 28 Apr 2014 16:08:21 +0300`
			`Subject: [PATCH] virtio-net: out-of-bounds buffer write on load`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in`
			`virtio_net_load()@hw/net/virtio-net.c`

			`> } else if (n->mac_table.in_use) {`
			`> uint8_t *buf = g_malloc0(n->mac_table.in_use);`

			`We are allocating buffer of size n->mac_table.in_use`

			`> qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);`

			`and read to the n->mac_table.in_use size buffer n->mac_table.in_use *`
			`ETH_ALEN bytes, corrupting memory.`

			`If adversary controls state then memory written there is controlled`
			`by adversary.`

			`Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>`
			`Signed-off-by: Michael S. Tsirkin <mst@redhat.com>`
			`Signed-off-by: Juan Quintela <quintela@redhat.com>`
			`(cherry picked from commit 98f93ddd84800f207889491e0b5d851386b459cf)`
			`[AF: BNC#864649]`
			`Signed-off-by: Andreas Färber <afaerber@suse.de>`
			`---`
			`hw/net/virtio-net.c \| 15 +++++++++++----`
			`1 file changed, 11 insertions(+), 4 deletions(-)`

			`diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c`
			`index 0a8cb40..940a7cf 100644`
			`--- a/hw/net/virtio-net.c`
			`+++ b/hw/net/virtio-net.c`
			`@@ -1362,10 +1362,17 @@ static int virtio_net_load(QEMUFile f, void opaque, int version_id)`
			`if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) {`
			`qemu_get_buffer(f, n->mac_table.macs,`
			`n->mac_table.in_use * ETH_ALEN);`
			`- } else if (n->mac_table.in_use) {`
			`- uint8_t *buf = g_malloc0(n->mac_table.in_use);`
			`- qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);`
			`- g_free(buf);`
			`+ } else {`
			`+ int64_t i;`
			`+`
			`+ /* Overflow detected - can happen if source has a larger MAC table.`
			`+ * We simply set overflow flag so there's no need to maintain the`
			`+ * table of addresses, discard them all.`
			`+ * Note: 64 bit math to avoid integer overflow.`
			`+ */`
			`+ for (i = 0; i < (int64_t)n->mac_table.in_use * ETH_ALEN; ++i) {`
			`+ qemu_get_byte(f);`
			`+ }`
			`n->mac_table.multi_overflow = n->mac_table.uni_overflow = 1;`
			`n->mac_table.in_use = 0;`
			`}`