[Secure-testing-team] Bug#632987: CVE-2011-2212 virtqueue indirect overflow
Michael Tokarev
mjt at tls.msk.ru
Thu Jul 7 17:38:57 UTC 2011
Package: qemu-kvm
Version: 0.14.1+dfsg-2, 0.12.5+dfsg-5+squeeze4
Severity: serious
Tags: patch security squeeze upstream sid
qemu-kvm in squeeze and sid has an issue described in CVE-2011-2212.
Due to a programming error, it is possible for a rogue guest to
access and overwrite host process memory.
The attached patch fixes the immediate problem, but the code in question
needs a good audit for out-of-bounds accesses, overflows and
signed/unsigned integer issues.
/mjt
------
From: Nelson Elhage <nelhage at ksplice.com>
Date: Thu, 19 May 2011 13:23:17 -0400
Subject: [PATCH] virtqueue: Sanity-check the length of indirect descriptors.
We were previously allowing arbitrarily-long descriptors, which could lead to a
buffer overflow in the qemu-kvm process.
--- qemu-kvm-0.14.0.orig/hw/virtio.c
+++ qemu-kvm-0.14.0/hw/virtio.c
@@ -336,6 +336,11 @@
max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
num_bufs = i = 0;
desc_pa = vring_desc_addr(desc_pa, i);
+
+ if (max > VIRTQUEUE_MAX_SIZE) {
+ error_report("Too-large indirect descriptor");
+ exit(1);
+ }
}
do {
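Review bot: The new check bounds only the entry count, not the alignment of the guest-supplied length: `max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc)` silently truncates a length that is not a multiple of `sizeof(VRingDesc)`, so a trailing partial entry is quietly dropped rather than rejected. Consider also testing `vring_desc_len(desc_pa, i) % sizeof(VRingDesc)` and failing the same way, and include the offending value in the message (for example `error_report("Too-large indirect descriptor: %u", max)`, using the format that matches `max`'s type) so the log shows what the guest actually sent. The placement itself is fine: `desc_pa` and `i` are reset before the check, and nothing has been read from the indirect table when `exit(1)` fires.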
@@ -406,6 +411,11 @@
max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
desc_pa = vring_desc_addr(desc_pa, i);
i = 0;
+
+ if (max > VIRTQUEUE_MAX_SIZE) {
+ error_report("Too-large indirect descriptor");
+ exit(1);
+ }
}
/* Collect all the descriptors */
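Review bot: This is the same five-line check as in the first hunk, copied verbatim into the second path; the two copies will drift the first time one of them is tightened (for example with an alignment test). Suggest factoring both into a small helper that takes the computed `max` and does the `error_report` and `exit(1)`, and calling it from both sites, so any later hardening applies to both paths at once.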