From c8eac1cfa1e9104a658b4614ada758861b8d823a Mon Sep 17 00:00:00 2001 From: "Michael S. Tsirkin" Date: Mon, 20 Jun 2011 13:42:27 +0300 Subject: [PATCH] virtio: fix indirect descriptor buffer overflow We were previously allowing arbitrarily-long indirect descriptors, which could lead to a buffer overflow in qemu-kvm process. CVE-2011-2212 Signed-off-by: Michael S. Tsirkin --- hw/virtio.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/hw/virtio.c b/hw/virtio.c index cc47a06a4e..a8f4940da2 100644 --- a/hw/virtio.c +++ b/hw/virtio.c @@ -449,9 +449,17 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem) struct iovec *sg; if (vring_desc_flags(desc_pa, i) & VRING_DESC_F_WRITE) { + if (elem->in_num >= ARRAY_SIZE(elem->in_sg)) { + error_report("Too many write descriptors in indirect table"); + exit(1); + } elem->in_addr[elem->in_num] = vring_desc_addr(desc_pa, i); sg = &elem->in_sg[elem->in_num++]; } else { + if (elem->out_num >= ARRAY_SIZE(elem->out_sg)) { + error_report("Too many read descriptors in indirect table"); + exit(1); + } elem->out_addr[elem->out_num] = vring_desc_addr(desc_pa, i); sg = &elem->out_sg[elem->out_num++]; }