From patchwork Wed Jul 27 16:43:49 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Hajnoczi X-Patchwork-Id: 9250161 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id DE94E607F0 for ; Wed, 27 Jul 2016 16:46:19 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CDAC026598 for ; Wed, 27 Jul 2016 16:46:19 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id C0A3526907; Wed, 27 Jul 2016 16:46:19 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id D38D0223A4 for ; Wed, 27 Jul 2016 16:46:18 +0000 (UTC) Received: from localhost ([::1]:47632 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bSRyL-0005vr-S8 for patchwork-qemu-devel@patchwork.kernel.org; Wed, 27 Jul 2016 12:46:17 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:59419) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bSRxv-0005vT-Ub for qemu-devel@nongnu.org; Wed, 27 Jul 2016 12:45:53 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1bSRxt-0001N3-2t for qemu-devel@nongnu.org; Wed, 27 Jul 2016 12:45:51 -0400 Received: from mx1.redhat.com ([209.132.183.28]:33956) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bSRxs-0001Mz-Tu; Wed, 27 Jul 2016 12:45:49 -0400 Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 024F5811AC; Wed, 27 Jul 2016 16:45:48 +0000 (UTC) Received: from localhost (ovpn-112-21.ams2.redhat.com [10.36.112.21]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id u6RGjkdh013890; Wed, 27 Jul 2016 12:45:47 -0400 From: Stefan Hajnoczi To: "Michael S. Tsirkin" Date: Wed, 27 Jul 2016 17:43:49 +0100 Message-Id: <1469637829-8105-2-git-send-email-stefanha@redhat.com> In-Reply-To: <1469637829-8105-1-git-send-email-stefanha@redhat.com> References: <1469637829-8105-1-git-send-email-stefanha@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.27]); Wed, 27 Jul 2016 16:45:48 +0000 (UTC) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PULL 1/1] virtio: error out if guest exceeds virtqueue size X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Peter Maydell , sstabellini@kernel.org, pmatouse@redhat.com, Michael Roth , secalert@redhat.com, tangqinghao@360.cn, qemu-devel@nongnu.org, qemu-stable@nongnu.org, zhenhaohong@gmail.com, Stefan Hajnoczi , Paolo Bonzini Errors-To: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org Sender: "Qemu-devel" X-Virus-Scanned: ClamAV using ClamSMTP A broken or malicious guest can submit more requests than the virtqueue size permits, causing unbounded memory allocation in QEMU. The guest can submit requests without bothering to wait for completion and is therefore not bound by virtqueue size. This requires reusing vring descriptors in more than one request, which is not allowed by the VIRTIO 1.0 specification. In "3.2.1 Supplying Buffers to The Device", the VIRTIO 1.0 specification says: 1. The driver places the buffer into free descriptor(s) in the descriptor table, chaining as necessary and Note that the above code does not take precautions against the available ring buffer wrapping around: this is not possible since the ring buffer is the same size as the descriptor table, so step (1) will prevent such a condition. This implies that placing more buffers into the virtqueue than the descriptor table size is not allowed. QEMU is missing the check to prevent this case. Processing a request allocates a VirtQueueElement leading to unbounded memory allocation controlled by the guest. Exit with an error if the guest provides more requests than the virtqueue size permits. This bounds memory allocation and makes the buggy guest visible to the user. This patch fixes CVE-2016-5403 and was reported by Zhenhao Hong from 360 Marvel Team, China. Reported-by: Zhenhao Hong Signed-off-by: Stefan Hajnoczi --- hw/virtio/virtio.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c index 752b271..28cf504 100644 --- a/hw/virtio/virtio.c +++ b/hw/virtio/virtio.c @@ -562,6 +562,11 @@ void *virtqueue_pop(VirtQueue *vq, size_t sz) max = vq->vring.num; + if (vq->inuse >= vq->vring.num) { + error_report("Virtqueue size exceeded"); + exit(1); + } + i = head = virtqueue_get_head(vq, vq->last_avail_idx++); if (virtio_vdev_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) { vring_set_avail_event(vq, vq->last_avail_idx);