* [Qemu-devel] [PATCH 0/2] ivshmem: validate incoming_posn value from server
@ 2014-03-31 7:08 Stefan Hajnoczi
2014-03-31 7:08 ` [Qemu-devel] [PATCH 1/2] ivshmem: check ivshmem_read() size argument Stefan Hajnoczi
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Stefan Hajnoczi @ 2014-03-31 7:08 UTC (permalink / raw)
To: qemu-devel; +Cc: Cam Macdonell, Stefan Hajnoczi
ivshmem can talk to a server over a UNIX domain socket on the host. We should
validate inputs from the server to prevent crashes or memory corruption.
Stefan Hajnoczi (2):
ivshmem: check ivshmem_read() size argument
ivshmem: validate incoming_posn value from server
hw/misc/ivshmem.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
--
1.9.0
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Qemu-devel] [PATCH 1/2] ivshmem: check ivshmem_read() size argument
2014-03-31 7:08 [Qemu-devel] [PATCH 0/2] ivshmem: validate incoming_posn value from server Stefan Hajnoczi
@ 2014-03-31 7:08 ` Stefan Hajnoczi
2014-03-31 7:08 ` [Qemu-devel] [PATCH 2/2] ivshmem: validate incoming_posn value from server Stefan Hajnoczi
2014-04-11 15:32 ` [Qemu-devel] [PATCH 0/2] " Andreas Färber
2 siblings, 0 replies; 4+ messages in thread
From: Stefan Hajnoczi @ 2014-03-31 7:08 UTC (permalink / raw)
To: qemu-devel; +Cc: Cam Macdonell, Stefan Hajnoczi
The third argument to the fd_read() callback implemented by
ivshmem_read() is the number of bytes, not a flags field. Fix this and
check we received enough bytes before accessing the buffer pointer.
Cc: Cam Macdonell <cam@cs.ualberta.ca>
Reported-by: Sebastian Krahmer <krahmer@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
hw/misc/ivshmem.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/hw/misc/ivshmem.c b/hw/misc/ivshmem.c
index 8d144ba..78363ce 100644
--- a/hw/misc/ivshmem.c
+++ b/hw/misc/ivshmem.c
@@ -420,13 +420,18 @@ static void increase_dynamic_storage(IVShmemState *s, int new_min_size) {
}
}
-static void ivshmem_read(void *opaque, const uint8_t * buf, int flags)
+static void ivshmem_read(void *opaque, const uint8_t * buf, int size)
{
IVShmemState *s = opaque;
int incoming_fd, tmp_fd;
int guest_max_eventfd;
long incoming_posn;
+ if (size < sizeof(incoming_posn)) {
+ IVSHMEM_DPRINTF("short read of %d bytes\n", size);
+ return;
+ }
+
memcpy(&incoming_posn, buf, sizeof(long));
/* pick off s->server_chr->msgfd and store it, posn should accompany msg */
tmp_fd = qemu_chr_fe_get_msgfd(s->server_chr);
--
1.9.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [Qemu-devel] [PATCH 2/2] ivshmem: validate incoming_posn value from server
2014-03-31 7:08 [Qemu-devel] [PATCH 0/2] ivshmem: validate incoming_posn value from server Stefan Hajnoczi
2014-03-31 7:08 ` [Qemu-devel] [PATCH 1/2] ivshmem: check ivshmem_read() size argument Stefan Hajnoczi
@ 2014-03-31 7:08 ` Stefan Hajnoczi
2014-04-11 15:32 ` [Qemu-devel] [PATCH 0/2] " Andreas Färber
2 siblings, 0 replies; 4+ messages in thread
From: Stefan Hajnoczi @ 2014-03-31 7:08 UTC (permalink / raw)
To: qemu-devel; +Cc: Cam Macdonell, Stefan Hajnoczi
Check incoming_posn to avoid out-of-bounds array accesses if the ivshmem
server on the host sends invalid values.
Cc: Cam Macdonell <cam@cs.ualberta.ca>
Reported-by: Sebastian Krahmer <krahmer@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
hw/misc/ivshmem.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/hw/misc/ivshmem.c b/hw/misc/ivshmem.c
index 78363ce..25c22b7 100644
--- a/hw/misc/ivshmem.c
+++ b/hw/misc/ivshmem.c
@@ -383,6 +383,9 @@ static void close_guest_eventfds(IVShmemState *s, int posn)
if (!ivshmem_has_feature(s, IVSHMEM_IOEVENTFD)) {
return;
}
+ if (posn < 0 || posn > s->nb_peers) {
+ return;
+ }
guest_curr_max = s->peers[posn].nb_eventfds;
@@ -433,6 +436,12 @@ static void ivshmem_read(void *opaque, const uint8_t * buf, int size)
}
memcpy(&incoming_posn, buf, sizeof(long));
+
+ if (incoming_posn < -1) {
+ IVSHMEM_DPRINTF("invalid incoming_posn %ld\n", incoming_posn);
+ return;
+ }
+
/* pick off s->server_chr->msgfd and store it, posn should accompany msg */
tmp_fd = qemu_chr_fe_get_msgfd(s->server_chr);
IVSHMEM_DPRINTF("posn is %ld, fd is %d\n", incoming_posn, tmp_fd);
--
1.9.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [Qemu-devel] [PATCH 0/2] ivshmem: validate incoming_posn value from server
2014-03-31 7:08 [Qemu-devel] [PATCH 0/2] ivshmem: validate incoming_posn value from server Stefan Hajnoczi
2014-03-31 7:08 ` [Qemu-devel] [PATCH 1/2] ivshmem: check ivshmem_read() size argument Stefan Hajnoczi
2014-03-31 7:08 ` [Qemu-devel] [PATCH 2/2] ivshmem: validate incoming_posn value from server Stefan Hajnoczi
@ 2014-04-11 15:32 ` Andreas Färber
2 siblings, 0 replies; 4+ messages in thread
From: Andreas Färber @ 2014-04-11 15:32 UTC (permalink / raw)
To: qemu-devel, Cam Macdonell, Sebastian Krahmer
Cc: Peter Maydell, Stefan Hajnoczi
Am 31.03.2014 09:08, schrieb Stefan Hajnoczi:
> ivshmem can talk to a server over a UNIX domain socket on the host. We should
> validate inputs from the server to prevent crashes or memory corruption.
>
> Stefan Hajnoczi (2):
> ivshmem: check ivshmem_read() size argument
> ivshmem: validate incoming_posn value from server
>
> hw/misc/ivshmem.c | 16 +++++++++++++++-
> 1 file changed, 15 insertions(+), 1 deletion(-)
Ping for 2.0! Cam?
Looks sensible to me. Sebastian, can you give a formal Reviewed-by if
you're happy with the fixes?
Thanks,
Andreas
--
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2014-04-11 15:32 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-03-31 7:08 [Qemu-devel] [PATCH 0/2] ivshmem: validate incoming_posn value from server Stefan Hajnoczi
2014-03-31 7:08 ` [Qemu-devel] [PATCH 1/2] ivshmem: check ivshmem_read() size argument Stefan Hajnoczi
2014-03-31 7:08 ` [Qemu-devel] [PATCH 2/2] ivshmem: validate incoming_posn value from server Stefan Hajnoczi
2014-04-11 15:32 ` [Qemu-devel] [PATCH 0/2] " Andreas Färber
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.