Hello community, here is the log from the commit of package kvm for openSUSE:Factory checked in at Mon Jul 11 12:35:16 CEST 2011. -------- --- kvm/kvm.changes 2011-07-06 21:22:00.000000000 +0200 +++ /mounts/work_src_done/STABLE/kvm/kvm.changes 2011-07-08 19:01:00.000000000 +0200 @@ -1,0 +2,6 @@ +Fri Jul 8 16:44:55 UTC 2011 - brogers@novell.com + +- validate virtqueue indirect descriptor against max size + (bnc#701161) + +------------------------------------------------------------------- calling whatdependson for head-i586 New: ---- kvm-qemu-preXX-validate-virtqueue.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kvm.spec ++++++ --- /var/tmp/diff_new_pack.77Po6v/_old 2011-07-11 12:34:20.000000000 +0200 +++ /var/tmp/diff_new_pack.77Po6v/_new 2011-07-11 12:34:20.000000000 +0200 @@ -89,7 +89,7 @@ Summary: Kernel-based Virtual Machine Url: http://kvm.qumranet.com/ Version: %{package_base_version}%{package_extra_version} -Release: 7 +Release: 9 Source0: qemu-%{name}-%{package_base_version}.tar.bz2 Source1: 60-kvm.rules Source2: qemu-ifup @@ -181,6 +181,7 @@ Patch134: kvm-qemu-preXX-severe-memory-leak-caused-by-broken-palett.patch Patch135: kvm-qemu-no-hot-unplug-for-certain-devices.patch Patch136: kvm-qemu-preXX-virtio-guard-against-negative-vq-notifies.patch +Patch137: kvm-qemu-preXX-validate-virtqueue.patch Patch200: qemu-img-vmdk-scsi.patch Patch201: kvm-studio-slirp-nooutgoing.patch @@ -337,6 +338,7 @@ %patch134 -p1 %patch135 -p1 %patch136 -p1 +%patch137 -p1 # Studio addons %patch200 -p1 ++++++ kvm-qemu-preXX-validate-virtqueue.patch ++++++ EMBARGOED CVE-2011-2212 qemu-kvm: virtqueue: too-large indirect descriptor buffer overflow It was found that virtio subsystem in qemu-kvm did not properly validate virtqueue in and out requests from the guest. A privileged guest user could use this flaw to cause buffer overflow, causing the guest to crash (denial of service) or, possibly, resulting in the privileged guest user escalating their privileges on the host. -- virtqueue_pop (and less importantly, virtqueue_avail_bytes) do not limit the size of an indirect descriptor entry, which allows a guest to specify an arbitrarily-long descriptor chain, which will overflow the fixed-size arrays in VirtQueueElement, leading to memory corruption.
From 8e16077bfcd2d06a98aec8348cc171402ed75b51 Mon Sep 17 00:00:00 2001 From: Nelson Elhage
Date: Thu, 19 May 2011 13:23:17 -0400 Subject: [PATCH] virtqueue: Sanity-check the length of indirect descriptors.
We were previously allowing arbitrarily-long descriptors, which could lead to a buffer overflow in the qemu-kvm process. --- hw/virtio.c | 10 ++++++++++ 1 files changed, 10 insertions(+), 0 deletions(-) diff --git a/hw/virtio.c b/hw/virtio.c index 6e8814c..4935282 100644 --- a/hw/virtio.c +++ b/hw/virtio.c @@ -335,6 +335,11 @@ int virtqueue_avail_bytes(VirtQueue *vq, int in_bytes, int out_bytes) max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc); num_bufs = i = 0; desc_pa = vring_desc_addr(desc_pa, i); + + if (max > VIRTQUEUE_MAX_SIZE) { + error_report("Too-large indirect descriptor"); + exit(1); + } } do { @@ -405,6 +410,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem) max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc); desc_pa = vring_desc_addr(desc_pa, i); i = 0; + + if (max > VIRTQUEUE_MAX_SIZE) { + error_report("Too-large indirect descriptor"); + exit(1); + } } /* Collect all the descriptors */ -- 1.7.4.44.gf9e72 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org