[Qemu-devel] [PATCH 0/2] ivshmem: validate incoming_posn value from server

[Qemu-devel] [PATCH 0/2] ivshmem: validate incoming_posn value from server

[Stefan Hajnoczi]

ivshmem can talk to a server over a UNIX domain socket on the host.  We should
validate inputs from the server to prevent crashes or memory corruption.

Stefan Hajnoczi (2):
  ivshmem: check ivshmem_read() size argument
  ivshmem: validate incoming_posn value from server

 hw/misc/ivshmem.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

-- 
1.9.0

[Qemu-devel] [PATCH 1/2] ivshmem: check ivshmem_read() size argument

[Stefan Hajnoczi]

The third argument to the fd_read() callback implemented by
ivshmem_read() is the number of bytes, not a flags field.  Fix this and
check we received enough bytes before accessing the buffer pointer.

Cc: Cam Macdonell <cam@cs.ualberta.ca>
Reported-by: Sebastian Krahmer <krahmer@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 hw/misc/ivshmem.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/hw/misc/ivshmem.c b/hw/misc/ivshmem.c
index 8d144ba..78363ce 100644
--- a/hw/misc/ivshmem.c
+++ b/hw/misc/ivshmem.c
@@ -420,13 +420,18 @@ static void increase_dynamic_storage(IVShmemState *s, int new_min_size) {
     }
 }
 
-static void ivshmem_read(void *opaque, const uint8_t * buf, int flags)
+static void ivshmem_read(void *opaque, const uint8_t * buf, int size)
 {
     IVShmemState *s = opaque;
     int incoming_fd, tmp_fd;
     int guest_max_eventfd;
     long incoming_posn;
 
+    if (size < sizeof(incoming_posn)) {
+        IVSHMEM_DPRINTF("short read of %d bytes\n", size);
+        return;
+    }
+
     memcpy(&incoming_posn, buf, sizeof(long));
     /* pick off s->server_chr->msgfd and store it, posn should accompany msg */
     tmp_fd = qemu_chr_fe_get_msgfd(s->server_chr);
-- 
1.9.0

[Qemu-devel] [PATCH 2/2] ivshmem: validate incoming_posn value from server

[Stefan Hajnoczi]

Check incoming_posn to avoid out-of-bounds array accesses if the ivshmem
server on the host sends invalid values.

Cc: Cam Macdonell <cam@cs.ualberta.ca>
Reported-by: Sebastian Krahmer <krahmer@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 hw/misc/ivshmem.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/hw/misc/ivshmem.c b/hw/misc/ivshmem.c
index 78363ce..25c22b7 100644
--- a/hw/misc/ivshmem.c
+++ b/hw/misc/ivshmem.c
@@ -383,6 +383,9 @@ static void close_guest_eventfds(IVShmemState *s, int posn)
     if (!ivshmem_has_feature(s, IVSHMEM_IOEVENTFD)) {
         return;
     }
+    if (posn < 0 || posn > s->nb_peers) {
+        return;
+    }
 
     guest_curr_max = s->peers[posn].nb_eventfds;
 
@@ -433,6 +436,12 @@ static void ivshmem_read(void *opaque, const uint8_t * buf, int size)
     }
 
     memcpy(&incoming_posn, buf, sizeof(long));
+
+    if (incoming_posn < -1) {
+        IVSHMEM_DPRINTF("invalid incoming_posn %ld\n", incoming_posn);
+        return;
+    }
+
     /* pick off s->server_chr->msgfd and store it, posn should accompany msg */
     tmp_fd = qemu_chr_fe_get_msgfd(s->server_chr);
     IVSHMEM_DPRINTF("posn is %ld, fd is %d\n", incoming_posn, tmp_fd);
-- 
1.9.0

Re: [Qemu-devel] [PATCH 0/2] ivshmem: validate incoming_posn value from server

[Andreas Färber]

Am 31.03.2014 09:08, schrieb Stefan Hajnoczi:
> ivshmem can talk to a server over a UNIX domain socket on the host.  We should
> validate inputs from the server to prevent crashes or memory corruption.
> 
> Stefan Hajnoczi (2):
>   ivshmem: check ivshmem_read() size argument
>   ivshmem: validate incoming_posn value from server
> 
>  hw/misc/ivshmem.c | 16 +++++++++++++++-
>  1 file changed, 15 insertions(+), 1 deletion(-)

Ping for 2.0! Cam?

Looks sensible to me. Sebastian, can you give a formal Reviewed-by if
you're happy with the fixes?

Thanks,
Andreas

-- 
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg