Michael Tokarev
2011-Jul-07 17:38 UTC
[Secure-testing-team] Bug#632987: CVE-2011-2212 virtqueue indirect overflow
Package: qemu-kvm
Version: 0.14.1+dfsg-2, 0.12.5+dfsg-5+squeeze4
Severity: serious
Tags: patch security squeeze upstream sid

qemu-kvm in squeeze and sid has an issue described in CVE-2011-2212. Due to a programming error, it is possible for a rogue guest to access and overwrite host process memory. The attached patch fixes the immediate problem, but the code in question needs a good audit for out-of-bound accesses, overflows and signed/unsigned integer issues.

/mjt

------

From: Nelson Elhage <nelhage at ksplice.com>
Date: Thu, 19 May 2011 13:23:17 -0400
Subject: [PATCH] virtqueue: Sanity-check the length of indirect descriptors.

We were previously allowing arbitrarily-long descriptors, which could lead to a buffer overflow in the qemu-kvm process.

--- qemu-kvm-0.14.0.orig/hw/virtio.c
+++ qemu-kvm-0.14.0/hw/virtio.c
@@ -336,6 +336,11 @@
max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc); num_bufs = i = 0; desc_pa = vring_desc_addr(desc_pa, i); + + if (max > VIRTQUEUE_MAX_SIZE) { + error_report("Too-large indirect descriptor"); + exit(1); + } } do {
@@ -406,6 +411,11 @@
max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc); desc_pa = vring_desc_addr(desc_pa, i); i = 0; + + if (max > VIRTQUEUE_MAX_SIZE) { + error_report("Too-large indirect descriptor"); + exit(1); + } } /* Collect all the descriptors */
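Review bot: in the first hunk (@@ -336,6 +336,11 @@) the new check bails out with exit(1), so a guest that hands the device an oversized indirect table can terminate the whole qemu-kvm process; that trades a memory-corruption bug for a guest-triggerable host DoS, and it would be better to report the error and drop the request than to exit. The bound is also applied only after `max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);` has truncated the guest length: a table whose length is zero, or is not a multiple of sizeof(VRingDesc), passes `if (max > VIRTQUEUE_MAX_SIZE)` untouched, so rejecting a zero length and a `vring_desc_len(desc_pa, i) % sizeof(VRingDesc) != 0` remainder here would close the gap the cover note asks an audit to look for.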
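Review bot: the second hunk (@@ -406,6 +411,11 @@) repeats the same four-line check verbatim from the first; factor it into one helper that takes the descriptor length and returns the validated count (or an error) so both call sites stay in sync when the check is tightened and the exit(1) concern is fixed in one place. The message "Too-large indirect descriptor" would also be more useful to whoever reads the host log if it carried the offending length, since error_report takes a printf-style format string.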
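To make the class of bug concrete, here is an added example that is not qemu's code and not part of the patch above: a simplified model of walking a guest-supplied indirect descriptor table. The flat `guest_mem` buffer, the helper names (`indirect_table_count`, `collect_indirect`, `build_chain`, `demo_looped_chain`), and the value 1024 for VIRTQUEUE_MAX_SIZE are assumptions for illustration. It shows the length check from the patch done as a function that returns an error instead of calling exit(1), plus the two cases the patch's division silently accepts (zero length, length not a multiple of sizeof(VRingDesc)) and a looped chain that would otherwise run the collector past the caller's array.

```c
/* Added example, not qemu's code: a simplified model of indirect descriptor
 * table validation. All names, sizes and the flat guest memory are assumed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define VIRTQUEUE_MAX_SIZE     1024   /* assumed value; the name matches the patch */
#define VRING_DESC_F_NEXT      1
#define VRING_DESC_F_INDIRECT  4

typedef struct {
    uint64_t addr;
    uint32_t len;
    uint16_t flags;
    uint16_t next;
} VRingDesc;                          /* 16 bytes, the virtio descriptor layout */

/* Constructed "guest memory": a flat buffer entirely under guest control. */
static uint8_t guest_mem[1 << 16];

static int read_desc(uint64_t pa, VRingDesc *out)
{
    if (pa > sizeof guest_mem - sizeof *out)
        return -1;                    /* guest address outside guest memory */
    memcpy(out, guest_mem + pa, sizeof *out);
    return 0;
}

/* The patch's check as a function that reports instead of exit(1).
 * Returns the number of descriptors in the table, or -1 if the
 * guest-supplied byte length is unusable. */
int indirect_table_count(uint32_t len)
{
    if (len == 0 || len % sizeof(VRingDesc) != 0)
        return -1;                    /* plain division would silently truncate */
    uint32_t max = len / sizeof(VRingDesc);
    if (max > VIRTQUEUE_MAX_SIZE)
        return -1;                    /* "Too-large indirect descriptor" */
    return (int)max;
}

/* Walk the chain in an indirect table at guest address table_pa of
 * table_len bytes, copying at most out_cap descriptors into out.
 * Returns the count, or -1 on any guest-supplied inconsistency. */
int collect_indirect(uint64_t table_pa, uint32_t table_len,
                     VRingDesc *out, size_t out_cap)
{
    int max = indirect_table_count(table_len);
    if (max < 0)
        return -1;

    int n = 0;
    uint16_t i = 0;
    for (;;) {
        VRingDesc d;
        if (i >= max)
            return -1;                /* next index points past the table */
        if (read_desc(table_pa + (uint64_t)i * sizeof d, &d) < 0)
            return -1;
        if ((size_t)n >= out_cap)
            return -1;                /* caller's array is full: stop, do not overflow */
        out[n++] = d;
        if (n > max)
            return -1;                /* more entries than the table holds: a loop */
        if (!(d.flags & VRING_DESC_F_NEXT))
            break;
        i = d.next;
    }
    return n;
}

/* Demo helper: write a well-formed chain of count descriptors at table_pa. */
void build_chain(uint64_t table_pa, int count)
{
    for (int k = 0; k < count; k++) {
        VRingDesc d = { .addr = 0x1000 + 0x100 * (uint64_t)k, .len = 0x100,
                        .flags = (k + 1 < count) ? VRING_DESC_F_NEXT : 0,
                        .next = (uint16_t)(k + 1) };
        memcpy(guest_mem + table_pa + (size_t)k * sizeof d, &d, sizeof d);
    }
}

/* Demo: a guest that points two descriptors at each other. Returns the
 * collector's verdict, which must be -1 rather than an endless walk. */
int demo_looped_chain(void)
{
    VRingDesc d0 = { .addr = 0x1000, .len = 16, .flags = VRING_DESC_F_NEXT, .next = 1 };
    VRingDesc d1 = { .addr = 0x2000, .len = 16, .flags = VRING_DESC_F_NEXT, .next = 0 };
    memcpy(guest_mem + 0x3000, &d0, sizeof d0);
    memcpy(guest_mem + 0x3000 + sizeof d0, &d1, sizeof d1);
    VRingDesc out[8];
    return collect_indirect(0x3000, 2 * sizeof(VRingDesc), out, 8);
}

int main(void)
{
    VRingDesc out[8];
    build_chain(0x2000, 4);
    printf("valid chain: %d descriptors\n",
           collect_indirect(0x2000, 4 * sizeof(VRingDesc), out, 8));
    printf("oversized table: %d\n",
           indirect_table_count(16u * (VIRTQUEUE_MAX_SIZE + 1)));
    printf("looped chain: %d\n", demo_looped_chain());
    return 0;
}
```

The point of returning -1 everywhere is that every failure is a guest-supplied inconsistency, and the host's only safe responses are to refuse the request or treat the device as broken; neither requires taking the whole process down the way exit(1) does.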