diff options
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch | 67 |
1 files changed, 0 insertions, 67 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch deleted file mode 100644 index fe084f5b08..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch +++ /dev/null | |||
@@ -1,67 +0,0 @@ | |||
1 | From afd9096eb1882f23929f5b5c177898ed231bac66 Mon Sep 17 00:00:00 2001 | ||
2 | From: Stefan Hajnoczi <stefanha@redhat.com> | ||
3 | Date: Tue, 19 Jul 2016 13:07:13 +0100 | ||
4 | Subject: [PATCH] virtio: error out if guest exceeds virtqueue size | ||
5 | |||
6 | A broken or malicious guest can submit more requests than the virtqueue | ||
7 | size permits, causing unbounded memory allocation in QEMU. | ||
8 | |||
9 | The guest can submit requests without bothering to wait for completion | ||
10 | and is therefore not bound by virtqueue size. This requires reusing | ||
11 | vring descriptors in more than one request, which is not allowed by the | ||
12 | VIRTIO 1.0 specification. | ||
13 | |||
14 | In "3.2.1 Supplying Buffers to The Device", the VIRTIO 1.0 specification | ||
15 | says: | ||
16 | |||
17 | 1. The driver places the buffer into free descriptor(s) in the | ||
18 | descriptor table, chaining as necessary | ||
19 | |||
20 | and | ||
21 | |||
22 | Note that the above code does not take precautions against the | ||
23 | available ring buffer wrapping around: this is not possible since the | ||
24 | ring buffer is the same size as the descriptor table, so step (1) will | ||
25 | prevent such a condition. | ||
26 | |||
27 | This implies that placing more buffers into the virtqueue than the | ||
28 | descriptor table size is not allowed. | ||
29 | |||
30 | QEMU is missing the check to prevent this case. Processing a request | ||
31 | allocates a VirtQueueElement leading to unbounded memory allocation | ||
32 | controlled by the guest. | ||
33 | |||
34 | Exit with an error if the guest provides more requests than the | ||
35 | virtqueue size permits. This bounds memory allocation and makes the | ||
36 | buggy guest visible to the user. | ||
37 | |||
38 | This patch fixes CVE-2016-5403 and was reported by Zhenhao Hong from 360 | ||
39 | Marvel Team, China. | ||
40 | |||
41 | Reported-by: Zhenhao Hong <hongzhenhao@360.cn> | ||
42 | Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> | ||
43 | |||
44 | Upstream-Status: Backport | ||
45 | CVE: CVE-2106-5403 | ||
46 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
47 | |||
48 | --- | ||
49 | hw/virtio/virtio.c | 5 +++++ | ||
50 | 1 file changed, 5 insertions(+) | ||
51 | |||
52 | Index: qemu-2.4.0/hw/virtio/virtio.c | ||
53 | =================================================================== | ||
54 | --- qemu-2.4.0.orig/hw/virtio/virtio.c | ||
55 | +++ qemu-2.4.0/hw/virtio/virtio.c | ||
56 | @@ -483,6 +483,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQue | ||
57 | |||
58 | max = vq->vring.num; | ||
59 | |||
60 | + if (vq->inuse >= vq->vring.num) { | ||
61 | + error_report("Virtqueue size exceeded"); | ||
62 | + exit(1); | ||
63 | + } | ||
64 | + | ||
65 | i = head = virtqueue_get_head(vq, vq->last_avail_idx++); | ||
66 | if (virtio_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) { | ||
67 | vring_set_avail_event(vq, vq->last_avail_idx); | ||