[Qemu-devel] [PATCH V2 0/4] CVE-2013-4544

[Qemu-devel] [PATCH V2 0/4] CVE-2013-4544

[Dmitry Fleytman]

Changes since V1:

 * Comments added and extended as sugested by Dave and Michael

Dmitry Fleytman (4):
  vmxnet3: validate interrupt indices coming from guest
  vmxnet3: validate queues configuration coming from quest
  vmxnet3: validate interrupt indices read on migration
  vmxnet3: validate queues configuration read on migration

 hw/net/vmxnet3.c | 58 +++++++++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 55 insertions(+), 3 deletions(-)

-- 
1.8.5.3

[Qemu-devel] [PATCH V2 1/4] vmxnet3: validate interrupt indices coming from guest

[Dmitry Fleytman]

CVE-2013-4544

Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
 hw/net/vmxnet3.c | 36 ++++++++++++++++++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)

diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index 5be807c..0b317f8 100644
--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
@@ -52,6 +52,9 @@
 #define VMXNET3_DEVICE_VERSION    0x1
 #define VMXNET3_DEVICE_REVISION   0x1
 
+/* Number of interrupt vectors for non-MSIx modes */
+#define VMXNET3_MAX_NMSIX_INTRS   (1)
+
 /* Macros for rings descriptors access */
 #define VMXNET3_READ_TX_QUEUE_DESCR8(dpa, field) \
     (vmw_shmem_ld8(dpa + offsetof(struct Vmxnet3_TxQueueDesc, field)))
@@ -1305,6 +1308,34 @@ static bool vmxnet3_verify_intx(VMXNET3State *s, int intx)
            (pci_get_byte(s->parent_obj.config + PCI_INTERRUPT_PIN) - 1));
 }
 
+static void vmxnet3_validate_interrupt_idx(bool is_msix, int idx)
+{
+    int max_ints = is_msix ? VMXNET3_MAX_INTRS : VMXNET3_MAX_NMSIX_INTRS;
+    if (idx >= max_ints) {
+        hw_error("Bad interrupt index: %d\n", idx);
+    }
+}
+
+static void vmxnet3_validate_interrupts(VMXNET3State *s)
+{
+    int i;
+
+    VMW_CFPRN("Verifying event interrupt index (%d)", s->event_int_idx);
+    vmxnet3_validate_interrupt_idx(s->msix_used, s->event_int_idx);
+
+    for (i = 0; i < s->txq_num; i++) {
+        int idx = s->txq_descr[i].intr_idx;
+        VMW_CFPRN("Verifying TX queue %d interrupt index (%d)", i, idx);
+        vmxnet3_validate_interrupt_idx(s->msix_used, idx);
+    }
+
+    for (i = 0; i < s->rxq_num; i++) {
+        int idx = s->rxq_descr[i].intr_idx;
+        VMW_CFPRN("Verifying RX queue %d interrupt index (%d)", i, idx);
+        vmxnet3_validate_interrupt_idx(s->msix_used, idx);
+    }
+}
+
 static void vmxnet3_activate_device(VMXNET3State *s)
 {
     int i;
@@ -1447,6 +1478,8 @@ static void vmxnet3_activate_device(VMXNET3State *s)
                sizeof(s->rxq_descr[i].rxq_stats));
     }
 
+    vmxnet3_validate_interrupts(s);
+
     /* Make sure everything is in place before device activation */
     smp_wmb();
 
@@ -2005,7 +2038,6 @@ vmxnet3_cleanup_msix(VMXNET3State *s)
     }
 }
 
-#define VMXNET3_MSI_NUM_VECTORS   (1)
 #define VMXNET3_MSI_OFFSET        (0x50)
 #define VMXNET3_USE_64BIT         (true)
 #define VMXNET3_PER_VECTOR_MASK   (false)
@@ -2016,7 +2048,7 @@ vmxnet3_init_msi(VMXNET3State *s)
     PCIDevice *d = PCI_DEVICE(s);
     int res;
 
-    res = msi_init(d, VMXNET3_MSI_OFFSET, VMXNET3_MSI_NUM_VECTORS,
+    res = msi_init(d, VMXNET3_MSI_OFFSET, VMXNET3_MAX_NMSIX_INTRS,
                    VMXNET3_USE_64BIT, VMXNET3_PER_VECTOR_MASK);
     if (0 > res) {
         VMW_WRPRN("Failed to initialize MSI, error %d", res);
-- 
1.8.5.3

[Qemu-devel] [PATCH V2 2/4] vmxnet3: validate queues configuration coming from quest

[Dmitry Fleytman]

CVE-2013-4544

Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
 hw/net/vmxnet3.c | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index 0b317f8..4fefc7b 100644
--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
@@ -1336,6 +1336,23 @@ static void vmxnet3_validate_interrupts(VMXNET3State *s)
     }
 }
 
+static void vmxnet3_validate_queues(VMXNET3State *s)
+{
+    /*
+    * txq_num and rxq_num are total number of queues
+    * configured by guest. These numbers must not
+    * exceed corresponding maximal values.
+    */
+
+    if (s->txq_num > VMXNET3_DEVICE_MAX_TX_QUEUES) {
+        hw_error("Bad TX queues number: %d\n", s->txq_num);
+    }
+
+    if (s->rxq_num > VMXNET3_DEVICE_MAX_RX_QUEUES) {
+        hw_error("Bad RX queues number: %d\n", s->rxq_num);
+    }
+}
+
 static void vmxnet3_activate_device(VMXNET3State *s)
 {
     int i;
@@ -1382,7 +1399,7 @@ static void vmxnet3_activate_device(VMXNET3State *s)
         VMXNET3_READ_DRV_SHARED8(s->drv_shmem, devRead.misc.numRxQueues);
 
     VMW_CFPRN("Number of TX/RX queues %u/%u", s->txq_num, s->rxq_num);
-    assert(s->txq_num <= VMXNET3_DEVICE_MAX_TX_QUEUES);
+    vmxnet3_validate_queues(s);
 
     qdescr_table_pa =
         VMXNET3_READ_DRV_SHARED64(s->drv_shmem, devRead.misc.queueDescPA);
-- 
1.8.5.3

[Qemu-devel] [PATCH V2 3/4] vmxnet3: validate interrupt indices read on migration

[Dmitry Fleytman]

CVE-2013-4544

Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
 hw/net/vmxnet3.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index 4fefc7b..a0723c0 100644
--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
@@ -2391,6 +2391,8 @@ static int vmxnet3_post_load(void *opaque, int version_id)
         }
     }
 
+    vmxnet3_validate_interrupts(s);
+
     return 0;
 }
 
-- 
1.8.5.3

[Qemu-devel] [PATCH V2 4/4] vmxnet3: validate queues configuration read on migration

[Dmitry Fleytman]

CVE-2013-4544

Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
 hw/net/vmxnet3.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index a0723c0..ddcee4b 100644
--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
@@ -2391,6 +2391,7 @@ static int vmxnet3_post_load(void *opaque, int version_id)
         }
     }
 
+    vmxnet3_validate_queues(s);
     vmxnet3_validate_interrupts(s);
 
     return 0;
-- 
1.8.5.3

Re: [Qemu-devel] [PATCH V2 1/4] vmxnet3: validate interrupt indices coming from guest

[Dr. David Alan Gilbert]

* Dmitry Fleytman (dmitry@daynix.com) wrote:
> CVE-2013-4544
> 
> Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
> Reported-by: Michael S. Tsirkin <mst@redhat.com>
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

> ---
>  hw/net/vmxnet3.c | 36 ++++++++++++++++++++++++++++++++++--
>  1 file changed, 34 insertions(+), 2 deletions(-)
> 
> diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
> index 5be807c..0b317f8 100644
> --- a/hw/net/vmxnet3.c
> +++ b/hw/net/vmxnet3.c
> @@ -52,6 +52,9 @@
>  #define VMXNET3_DEVICE_VERSION    0x1
>  #define VMXNET3_DEVICE_REVISION   0x1
>  
> +/* Number of interrupt vectors for non-MSIx modes */
> +#define VMXNET3_MAX_NMSIX_INTRS   (1)
> +
>  /* Macros for rings descriptors access */
>  #define VMXNET3_READ_TX_QUEUE_DESCR8(dpa, field) \
>      (vmw_shmem_ld8(dpa + offsetof(struct Vmxnet3_TxQueueDesc, field)))
> @@ -1305,6 +1308,34 @@ static bool vmxnet3_verify_intx(VMXNET3State *s, int intx)
>             (pci_get_byte(s->parent_obj.config + PCI_INTERRUPT_PIN) - 1));
>  }
>  
> +static void vmxnet3_validate_interrupt_idx(bool is_msix, int idx)
> +{
> +    int max_ints = is_msix ? VMXNET3_MAX_INTRS : VMXNET3_MAX_NMSIX_INTRS;
> +    if (idx >= max_ints) {
> +        hw_error("Bad interrupt index: %d\n", idx);
> +    }
> +}
> +
> +static void vmxnet3_validate_interrupts(VMXNET3State *s)
> +{
> +    int i;
> +
> +    VMW_CFPRN("Verifying event interrupt index (%d)", s->event_int_idx);
> +    vmxnet3_validate_interrupt_idx(s->msix_used, s->event_int_idx);
> +
> +    for (i = 0; i < s->txq_num; i++) {
> +        int idx = s->txq_descr[i].intr_idx;
> +        VMW_CFPRN("Verifying TX queue %d interrupt index (%d)", i, idx);
> +        vmxnet3_validate_interrupt_idx(s->msix_used, idx);
> +    }
> +
> +    for (i = 0; i < s->rxq_num; i++) {
> +        int idx = s->rxq_descr[i].intr_idx;
> +        VMW_CFPRN("Verifying RX queue %d interrupt index (%d)", i, idx);
> +        vmxnet3_validate_interrupt_idx(s->msix_used, idx);
> +    }
> +}
> +
>  static void vmxnet3_activate_device(VMXNET3State *s)
>  {
>      int i;
> @@ -1447,6 +1478,8 @@ static void vmxnet3_activate_device(VMXNET3State *s)
>                 sizeof(s->rxq_descr[i].rxq_stats));
>      }
>  
> +    vmxnet3_validate_interrupts(s);
> +
>      /* Make sure everything is in place before device activation */
>      smp_wmb();
>  
> @@ -2005,7 +2038,6 @@ vmxnet3_cleanup_msix(VMXNET3State *s)
>      }
>  }
>  
> -#define VMXNET3_MSI_NUM_VECTORS   (1)
>  #define VMXNET3_MSI_OFFSET        (0x50)
>  #define VMXNET3_USE_64BIT         (true)
>  #define VMXNET3_PER_VECTOR_MASK   (false)
> @@ -2016,7 +2048,7 @@ vmxnet3_init_msi(VMXNET3State *s)
>      PCIDevice *d = PCI_DEVICE(s);
>      int res;
>  
> -    res = msi_init(d, VMXNET3_MSI_OFFSET, VMXNET3_MSI_NUM_VECTORS,
> +    res = msi_init(d, VMXNET3_MSI_OFFSET, VMXNET3_MAX_NMSIX_INTRS,
>                     VMXNET3_USE_64BIT, VMXNET3_PER_VECTOR_MASK);
>      if (0 > res) {
>          VMW_WRPRN("Failed to initialize MSI, error %d", res);
> -- 
> 1.8.5.3
> 
> 
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK

Re: [Qemu-devel] [PATCH V2 2/4] vmxnet3: validate queues configuration coming from quest

[Dr. David Alan Gilbert]

* Dmitry Fleytman (dmitry@daynix.com) wrote:
> CVE-2013-4544
> 
> Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
> Reported-by: Michael S. Tsirkin <mst@redhat.com>
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> ---

Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

>  hw/net/vmxnet3.c | 19 ++++++++++++++++++-
>  1 file changed, 18 insertions(+), 1 deletion(-)
> 
> diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
> index 0b317f8..4fefc7b 100644
> --- a/hw/net/vmxnet3.c
> +++ b/hw/net/vmxnet3.c
> @@ -1336,6 +1336,23 @@ static void vmxnet3_validate_interrupts(VMXNET3State *s)
>      }
>  }
>  
> +static void vmxnet3_validate_queues(VMXNET3State *s)
> +{
> +    /*
> +    * txq_num and rxq_num are total number of queues
> +    * configured by guest. These numbers must not
> +    * exceed corresponding maximal values.
> +    */
> +
> +    if (s->txq_num > VMXNET3_DEVICE_MAX_TX_QUEUES) {
> +        hw_error("Bad TX queues number: %d\n", s->txq_num);
> +    }
> +
> +    if (s->rxq_num > VMXNET3_DEVICE_MAX_RX_QUEUES) {
> +        hw_error("Bad RX queues number: %d\n", s->rxq_num);
> +    }
> +}
> +
>  static void vmxnet3_activate_device(VMXNET3State *s)
>  {
>      int i;
> @@ -1382,7 +1399,7 @@ static void vmxnet3_activate_device(VMXNET3State *s)
>          VMXNET3_READ_DRV_SHARED8(s->drv_shmem, devRead.misc.numRxQueues);
>  
>      VMW_CFPRN("Number of TX/RX queues %u/%u", s->txq_num, s->rxq_num);
> -    assert(s->txq_num <= VMXNET3_DEVICE_MAX_TX_QUEUES);
> +    vmxnet3_validate_queues(s);
>  
>      qdescr_table_pa =
>          VMXNET3_READ_DRV_SHARED64(s->drv_shmem, devRead.misc.queueDescPA);
> -- 
> 1.8.5.3
> 
> 
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK

Re: [Qemu-devel] [PATCH V2 3/4] vmxnet3: validate interrupt indices read on migration

[Dr. David Alan Gilbert]

* Dmitry Fleytman (dmitry@daynix.com) wrote:
> CVE-2013-4544
> 
> Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
> Reported-by: Michael S. Tsirkin <mst@redhat.com>
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

Dave

> ---
>  hw/net/vmxnet3.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
> index 4fefc7b..a0723c0 100644
> --- a/hw/net/vmxnet3.c
> +++ b/hw/net/vmxnet3.c
> @@ -2391,6 +2391,8 @@ static int vmxnet3_post_load(void *opaque, int version_id)
>          }
>      }
>  
> +    vmxnet3_validate_interrupts(s);
> +
>      return 0;
>  }
>  
> -- 
> 1.8.5.3
> 
> 
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK

Re: [Qemu-devel] [PATCH V2 4/4] vmxnet3: validate queues configuration read on migration

[Dr. David Alan Gilbert]

* Dmitry Fleytman (dmitry@daynix.com) wrote:
> CVE-2013-4544
> 
> Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
> Reported-by: Michael S. Tsirkin <mst@redhat.com>
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

> ---
>  hw/net/vmxnet3.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
> index a0723c0..ddcee4b 100644
> --- a/hw/net/vmxnet3.c
> +++ b/hw/net/vmxnet3.c
> @@ -2391,6 +2391,7 @@ static int vmxnet3_post_load(void *opaque, int version_id)
>          }
>      }
>  
> +    vmxnet3_validate_queues(s);
>      vmxnet3_validate_interrupts(s);
>  
>      return 0;
> -- 
> 1.8.5.3
> 
> 
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK

Re: [Qemu-devel] [PATCH V2 0/4] CVE-2013-4544

[Dr. David Alan Gilbert]

* Dmitry Fleytman (dmitry@daynix.com) wrote:
> Changes since V1:
> 
>  * Comments added and extended as sugested by Dave and Michael
> 
> Dmitry Fleytman (4):
>   vmxnet3: validate interrupt indices coming from guest
>   vmxnet3: validate queues configuration coming from quest
>   vmxnet3: validate interrupt indices read on migration
>   vmxnet3: validate queues configuration read on migration

I've reviewed all of those as OK; if you ever get the chance
I think it would be nicer to try and avoid hw_error that causes an
abort, especially when that's guest (even in this case a broken one)
triggerable.

But, lets get the fix in.

Dave

--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK