From patchwork Mon Aug 8 21:04:26 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Roth X-Patchwork-Id: 9269869 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 83620607D6 for ; Mon, 8 Aug 2016 22:07:16 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 73E5927FBB for ; Mon, 8 Aug 2016 22:07:16 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 687B628111; Mon, 8 Aug 2016 22:07:16 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 52BD327FBB for ; Mon, 8 Aug 2016 22:07:15 +0000 (UTC) Received: from localhost ([::1]:60120 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bWshW-0006fY-EM for patchwork-qemu-devel@patchwork.kernel.org; Mon, 08 Aug 2016 18:07:14 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:42623) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bWrko-0004hq-6U for qemu-devel@nongnu.org; Mon, 08 Aug 2016 17:06:37 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1bWrkk-0006G6-TN for qemu-devel@nongnu.org; Mon, 08 Aug 2016 17:06:34 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:44798) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bWrkk-0006Ff-Iw for qemu-devel@nongnu.org; Mon, 08 Aug 2016 17:06:30 -0400 Received: from pps.filterd (m0098396.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.11/8.16.0.11) with SMTP id u78KxjBx100086 for ; Mon, 8 Aug 2016 17:06:30 -0400 Received: from e36.co.us.ibm.com (e36.co.us.ibm.com [32.97.110.154]) by mx0a-001b2d01.pphosted.com with ESMTP id 24na7fuqwj-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 08 Aug 2016 17:06:29 -0400 Received: from localhost by e36.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 8 Aug 2016 15:06:29 -0600 Received: from d03dlp02.boulder.ibm.com (9.17.202.178) by e36.co.us.ibm.com (192.168.1.136) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 8 Aug 2016 15:06:27 -0600 X-IBM-Helo: d03dlp02.boulder.ibm.com X-IBM-MailFrom: mdroth@linux.vnet.ibm.com Received: from b01cxnp23033.gho.pok.ibm.com (b01cxnp23033.gho.pok.ibm.com [9.57.198.28]) by d03dlp02.boulder.ibm.com (Postfix) with ESMTP id 657BE3E40041; Mon, 8 Aug 2016 15:06:26 -0600 (MDT) Received: from b01ledav001.gho.pok.ibm.com (b01ledav001.gho.pok.ibm.com [9.57.199.106]) by b01cxnp23033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id u78L6DE92621784; Mon, 8 Aug 2016 21:06:27 GMT Received: from b01ledav001.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id D7D962804A; Mon, 8 Aug 2016 17:06:25 -0400 (EDT) Received: from localhost (unknown [9.80.86.168]) by b01ledav001.gho.pok.ibm.com (Postfix) with ESMTP id 7EA272803A; Mon, 8 Aug 2016 17:06:25 -0400 (EDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 8 Aug 2016 16:04:26 -0500 X-Mailer: git-send-email 1.9.1 In-Reply-To: <1470690267-31454-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1470690267-31454-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Content-Scanned: Fidelis XPS MAILER x-cbid: 16080821-0020-0000-0000-0000098247E0 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00005568; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000178; SDB=6.00741898; UDB=6.00349152; IPR=6.00514457; BA=6.00004651; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00012252; XFM=3.00000011; UTC=2016-08-08 21:06:28 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 16080821-0021-0000-0000-000054644FDD Message-Id: <1470690267-31454-56-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2016-08-08_15:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=62 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1604210000 definitions=main-1608080226 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] X-Received-From: 148.163.156.1 Subject: [Qemu-devel] [PATCH 55/56] virtio: error out if guest exceeds virtqueue size X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: qemu-stable@nongnu.org, Stefan Hajnoczi Errors-To: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org Sender: "Qemu-devel" X-Virus-Scanned: ClamAV using ClamSMTP From: Stefan Hajnoczi A broken or malicious guest can submit more requests than the virtqueue size permits, causing unbounded memory allocation in QEMU. The guest can submit requests without bothering to wait for completion and is therefore not bound by virtqueue size. This requires reusing vring descriptors in more than one request, which is not allowed by the VIRTIO 1.0 specification. In "3.2.1 Supplying Buffers to The Device", the VIRTIO 1.0 specification says: 1. The driver places the buffer into free descriptor(s) in the descriptor table, chaining as necessary and Note that the above code does not take precautions against the available ring buffer wrapping around: this is not possible since the ring buffer is the same size as the descriptor table, so step (1) will prevent such a condition. This implies that placing more buffers into the virtqueue than the descriptor table size is not allowed. QEMU is missing the check to prevent this case. Processing a request allocates a VirtQueueElement leading to unbounded memory allocation controlled by the guest. Exit with an error if the guest provides more requests than the virtqueue size permits. This bounds memory allocation and makes the buggy guest visible to the user. This patch fixes CVE-2016-5403 and was reported by Zhenhao Hong from 360 Marvel Team, China. Reported-by: Zhenhao Hong Signed-off-by: Stefan Hajnoczi (cherry picked from commit afd9096eb1882f23929f5b5c177898ed231bac66) Signed-off-by: Michael Roth --- hw/virtio/virtio.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c index 90f86cf..8ed260a 100644 --- a/hw/virtio/virtio.c +++ b/hw/virtio/virtio.c @@ -561,6 +561,11 @@ void *virtqueue_pop(VirtQueue *vq, size_t sz) max = vq->vring.num; + if (vq->inuse >= vq->vring.num) { + error_report("Virtqueue size exceeded"); + exit(1); + } + i = head = virtqueue_get_head(vq, vq->last_avail_idx++); if (virtio_vdev_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) { vring_set_avail_event(vq, vq->last_avail_idx);