Mageia Bugzilla – Attachment 639 Details for
Bug 1423
qemu-kvm security update
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
Log In
[x]
|
New Account
|
Forgot Password
[patch]
Patch for CVE-2011-2212
kvm-virtio-prevent-indirect-descriptor-buffer-overflow.patch (text/plain), 1.66 KB, created by
Nicolas Vigier
on 2011-07-07 20:23:37 CEST
(
hide
)
Description:
Patch for CVE-2011-2212
Filename:
MIME Type:
Creator:
Nicolas Vigier
Created:
2011-07-07 20:23:37 CEST
Size:
1.66 KB
patch
obsolete
>From 2e35b0c8f64c804e7b9f6ef787143fc30e18b3e3 Mon Sep 17 00:00:00 2001 >From: "Michael S. Tsirkin" <mst@redhat.com> >Date: Mon, 20 Jun 2011 14:32:19 +0300 >Subject: [PATCH 2/2] virtio: prevent indirect descriptor buffer overflow > >We were previously allowing arbitrarily-long indirect descriptors, which >could overflow the in_sg/out_sg arrays. > >Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=713593 > https://bugzilla.redhat.com/show_bug.cgi?id=713592 >Upstream: EMBARGOED CVE-2011-2212 >Tested: lightly tested on my box with virtio net and block >Brew: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=3412552 > >Signed-off-by: Michael S. Tsirkin <mst@redhat.com> >--- > hw/virtio.c | 8 ++++++++ > 1 files changed, 8 insertions(+), 0 deletions(-) > >diff --git a/hw/virtio.c b/hw/virtio.c >index d5013b6..3fe1eef 100644 >--- a/hw/virtio.c >+++ b/hw/virtio.c >@@ -412,9 +412,17 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem) > struct iovec *sg; > > if (vring_desc_flags(desc_pa, i) & VRING_DESC_F_WRITE) { >+ if (elem->in_num >= ARRAY_SIZE(elem->in_sg)) { >+ fprintf(stderr, "Too many write descriptors in indirect table"); >+ exit(1); >+ } > elem->in_addr[elem->in_num] = vring_desc_addr(desc_pa, i); > sg = &elem->in_sg[elem->in_num++]; > } else { >+ if (elem->out_num >= ARRAY_SIZE(elem->out_sg)) { >+ fprintf(stderr, "Too many read descriptors in indirect table"); >+ exit(1); >+ } > elem->out_addr[elem->out_num] = vring_desc_addr(desc_pa, i); > sg = &elem->out_sg[elem->out_num++]; > } >-- >1.7.6.rc2.11.g13b7 >
From 2e35b0c8f64c804e7b9f6ef787143fc30e18b3e3 Mon Sep 17 00:00:00 2001 From: "Michael S. Tsirkin" <mst@redhat.com> Date: Mon, 20 Jun 2011 14:32:19 +0300 Subject: [PATCH 2/2] virtio: prevent indirect descriptor buffer overflow We were previously allowing arbitrarily-long indirect descriptors, which could overflow the in_sg/out_sg arrays. Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=713593 https://bugzilla.redhat.com/show_bug.cgi?id=713592 Upstream: EMBARGOED CVE-2011-2212 Tested: lightly tested on my box with virtio net and block Brew: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=3412552 Signed-off-by: Michael S. Tsirkin <mst@redhat.com> --- hw/virtio.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) diff --git a/hw/virtio.c b/hw/virtio.c index d5013b6..3fe1eef 100644 --- a/hw/virtio.c +++ b/hw/virtio.c @@ -412,9 +412,17 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem) struct iovec *sg; if (vring_desc_flags(desc_pa, i) & VRING_DESC_F_WRITE) { + if (elem->in_num >= ARRAY_SIZE(elem->in_sg)) { + fprintf(stderr, "Too many write descriptors in indirect table"); + exit(1); + } elem->in_addr[elem->in_num] = vring_desc_addr(desc_pa, i); sg = &elem->in_sg[elem->in_num++]; } else { + if (elem->out_num >= ARRAY_SIZE(elem->out_sg)) { + fprintf(stderr, "Too many read descriptors in indirect table"); + exit(1); + } elem->out_addr[elem->out_num] = vring_desc_addr(desc_pa, i); sg = &elem->out_sg[elem->out_num++]; } -- 1.7.6.rc2.11.g13b7
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 1423
: 639