SUSE:SLE-12-SP1:GA
File 0273-virtio-check-vring-descriptor-buffe.patch of Package qemu.3217
From 33af86bba536016d8788b522c21fd62050959aa5 Mon Sep 17 00:00:00 2001 From: Prasad J Pandit <pjp@fedoraproject.org> Date: Wed, 27 Jul 2016 21:07:56 +0530 Subject: [PATCH] virtio: check vring descriptor buffer length virtio back end uses set of buffers to facilitate I/O operations. An infinite loop unfolds in virtqueue_pop() if a buffer was of zero size. Add check to avoid it. Reported-by: Li Qiang <liqiang6-s@360.cn> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit 1e7aed70144b4673fc26e73062064b6724795e5f) [BR: CVE-2016-6490 BSC#991466] Signed-off-by: Bruce Rogers <brogers@suse.com> Conflicts: hw/virtio/virtio.c --- hw/virtio/virtio.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c index ed857e8..e0c99c3 100644 --- a/hw/virtio/virtio.c +++ b/hw/virtio/virtio.c @@ -506,6 +506,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem) do { struct iovec *sg; + if (vring_desc_len(vdev, desc_pa, i) == 0) { + error_report("virtio: zero sized buffers are not allowed"); + exit(1); + } + if (vring_desc_flags(vdev, desc_pa, i) & VRING_DESC_F_WRITE) { if (elem->in_num >= ARRAY_SIZE(elem->in_sg)) { error_report("Too many write descriptors in indirect table");
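Review bot: The new check at the top of the do loop in virtqueue_pop() calls exit(1) on a length the guest controls, and the message "virtio: zero sized buffers are not allowed" does not say which device, queue or descriptor index i was at fault, so an operator whose VM terminates gets little to diagnose from. Consider including the index i and the device name in the error_report() text. The value returned by vring_desc_len(vdev, desc_pa, i) is also discarded after the comparison; if the rest of the loop body fetches the length from the descriptor again, the value checked is not necessarily the value used, so reading it once into a local and reusing it would be tighter. Finally, the commit message lists "Conflicts: hw/virtio/virtio.c" for this cherry-pick without saying how the conflict was resolved; a one-line note on what differs from upstream commit 1e7aed70144b4673fc26e73062064b6724795e5f would help anyone auditing the backport.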