add virtio-net-fix-guest-triggerable-buffer-overrun-CVE-2014-0150.patch

[pve-qemu-kvm.git] / debian / patches / virtio-net-fix-guest-triggerable-buffer-overrun-CVE-2014-0150.patch

From edc243851279e3393000b28b6b69454cae1190ef Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Fri, 11 Apr 2014 15:18:08 +0300
Subject: [PATCH] virtio-net: fix guest-triggerable buffer overrun
Bug-Debian: http://bugs.debian.org/744221

When VM guest programs multicast addresses for
a virtio net card, it supplies a 32 bit
entries counter for the number of addresses.
These addresses are read into tail portion of
a fixed macs array which has size MAC_TABLE_ENTRIES,
at offset equal to in_use.

To avoid overflow of this array by guest, qemu attempts
to test the size as follows:
-    if (in_use + mac_data.entries <= MAC_TABLE_ENTRIES) {

however, as mac_data.entries is uint32_t, this sum
can overflow, e.g. if in_use is 1 and mac_data.entries
is 0xffffffff then in_use + mac_data.entries will be 0.

Qemu will then read guest supplied buffer into this
memory, overflowing buffer on heap.

CVE-2014-0150

Cc: qemu-stable@nongnu.org
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 1397218574-25058-1-git-send-email-mst@redhat.com
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Backported-to-1.7: Michael Tokarev <mjt@tls.msk.ru>
---
 hw/net/virtio-net.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -656,7 +656,7 @@ static int virtio_net_handle_mac(VirtION
         goto error;
     }
 
-    if (n->mac_table.in_use + mac_data.entries <= MAC_TABLE_ENTRIES) {
+    if (mac_data.entries <= MAC_TABLE_ENTRIES - n->mac_table.in_use) {
         s = iov_to_buf(iov, iov_cnt, 0,
                        &n->mac_table.macs[n->mac_table.in_use * ETH_ALEN],
                        mac_data.entries * ETH_ALEN);