From 143ed011d03f23304149158b72b1fdc23b6fc7e0 Mon Sep 17 00:00:00 2001 From: Stefan Hajnoczi Date: Mon, 25 Jul 2016 16:22:26 +0200 Subject: [PATCH 11/16] virtio: error out if guest exceeds virtqueue size RH-Author: Stefan Hajnoczi Message-id: <1469463746-2412-2-git-send-email-stefanha@redhat.com> Patchwork-id: 71432 O-Subject: [virt-devel] [RHEL-7.3 EMBARGOED qemu-kvm-rhev PATCH 1/1] virtio: error out if guest exceeds virtqueue size Bugzilla: 1359733 RH-Acked-by: Thomas Huth RH-Acked-by: Xiao Wang RH-Acked-by: Laszlo Ersek A broken or malicious guest can submit more requests than the virtqueue size permits. The guest can submit requests without bothering to wait for completion and is therefore not bound by virtqueue size. This requires reusing vring descriptors in more than one request, which is incorrect but possible. Processing a request allocates a VirtQueueElement and therefore causes unbounded memory allocation controlled by the guest. Exit with an error if the guest provides more requests than the virtqueue size permits. This bounds memory allocation and makes the buggy guest visible to the user. This patch fixes CVE-2016-5403. Signed-off-by: Stefan Hajnoczi Signed-off-by: Miroslav Rezanina --- hw/virtio/virtio.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c index 30ede3d..d5933d1 100644 --- a/hw/virtio/virtio.c +++ b/hw/virtio/virtio.c @@ -561,6 +561,11 @@ void *virtqueue_pop(VirtQueue *vq, size_t sz) max = vq->vring.num; + if (vq->inuse >= max) { + error_report("Virtqueue size exceeded"); + exit(1); + } + i = head = virtqueue_get_head(vq, vq->last_avail_idx++); if (virtio_vdev_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) { vring_set_avail_event(vq, vq->last_avail_idx); -- 1.8.3.1