xemu/hw
Stefan Hajnoczi afd9096eb1 virtio: error out if guest exceeds virtqueue size
A broken or malicious guest can submit more requests than the virtqueue
size permits, causing unbounded memory allocation in QEMU.

The guest can submit requests without bothering to wait for completion
and is therefore not bound by virtqueue size.  This requires reusing
vring descriptors in more than one request, which is not allowed by the
VIRTIO 1.0 specification.

In "3.2.1 Supplying Buffers to The Device", the VIRTIO 1.0 specification
says:

  1. The driver places the buffer into free descriptor(s) in the
     descriptor table, chaining as necessary

and

  Note that the above code does not take precautions against the
  available ring buffer wrapping around: this is not possible since the
  ring buffer is the same size as the descriptor table, so step (1) will
  prevent such a condition.

This implies that placing more buffers into the virtqueue than the
descriptor table size is not allowed.

QEMU is missing the check to prevent this case.  Processing a request
allocates a VirtQueueElement leading to unbounded memory allocation
controlled by the guest.

Exit with an error if the guest provides more requests than the
virtqueue size permits.  This bounds memory allocation and makes the
buggy guest visible to the user.

This patch fixes CVE-2016-5403 and was reported by Zhenhao Hong from 360
Marvel Team, China.

Reported-by: Zhenhao Hong <hongzhenhao@360.cn>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2016-07-27 14:04:40 +01:00
..
9pfs 9pfs: Wrap in vmstate 2016-07-21 20:44:20 +03:00
acpi opts-visitor: Favor new visit_free() function 2016-07-06 10:52:04 +02:00
alpha hw/alpha: fix PCI bus initialization 2016-07-20 19:30:26 +03:00
arm qapi: Change Netdev into a flat union 2016-07-19 20:18:02 +02:00
audio Clean up decorations and whitespace around header guards 2016-07-12 16:20:46 +02:00
block pc, pci, virtio: new features, cleanups, fixes 2016-07-21 20:12:37 +01:00
bt hw/bt: Don't use cpu_to_*w() and *_to_cpup() 2016-07-12 15:08:53 +01:00
char virtio-serial: Wrap in vmstate 2016-07-21 20:44:20 +03:00
core qapi: Change Netdev into a flat union 2016-07-19 20:18:02 +02:00
cpu cpu: Abstract CPU core type 2016-06-17 16:33:48 +10:00
cris cris: Fix broken header guard in hw/cris/boot.h 2016-07-12 16:20:46 +02:00
display pc, pci, virtio: new features, cleanups, fixes 2016-07-21 20:12:37 +01:00
dma dma: Add Xilinx Zynq devcfg device model 2016-07-04 13:15:22 +01:00
gpio hw/gpio: QOM'ify zaurus.c 2016-06-14 15:59:13 +01:00
i2c ICH9 SMB: make TYPE_ICH9_SMB_DEVICE macro public 2016-06-29 14:03:46 +02:00
i386 pc, pci, virtio: new features, cleanups, fixes 2016-07-21 20:12:37 +01:00
ide block: Convert BB interface to byte-based discards 2016-07-20 14:11:55 +01:00
input virtio-input: Wrap in vmstate 2016-07-21 20:44:20 +03:00
intc pc, pci, virtio: new features, cleanups, fixes 2016-07-21 20:12:37 +01:00
ipack ipack: Update e-mail address 2016-05-18 15:04:27 +03:00
ipmi hw/ipmi: fix spelling 2016-06-07 18:02:48 +03:00
isa ich9: implement SCI_IRQ_SEL register 2016-06-29 14:03:48 +02:00
lm32 Clean up decorations and whitespace around header guards 2016-07-12 16:20:46 +02:00
m68k hw: explicitly include qemu-common.h and cpu.h 2016-03-22 22:20:17 +01:00
mem nvdimm: fix memory leak in error code path 2016-07-20 19:30:26 +03:00
microblaze Clean up ill-advised or unusual header guards 2016-07-12 16:20:46 +02:00
mips hw/mips: fix PCI bus initialization 2016-07-20 19:30:26 +03:00
misc kvm-irqchip: do explicit commit when update irq 2016-07-21 20:44:19 +03:00
moxie hw: explicitly include qemu-common.h and cpu.h 2016-03-22 22:20:17 +01:00
net pc, pci, virtio: new features, cleanups, fixes 2016-07-21 20:12:37 +01:00
nvram spapr: fix spapr-nvram migration 2016-07-25 10:19:30 +10:00
openrisc hw: explicitly include qemu-common.h and cpu.h 2016-03-22 22:20:17 +01:00
pci kvm-irqchip: x86: add msi route notify fn 2016-07-21 20:44:19 +03:00
pci-bridge Clean up decorations and whitespace around header guards 2016-07-12 16:20:46 +02:00
pci-host hw/versatile: realize the PCI root bus as part of the versatile init 2016-07-20 19:30:27 +03:00
pcmcia hw: Clean up includes 2016-01-29 15:07:25 +00:00
ppc spapr: disintricate core-id from DT semantics 2016-07-25 15:43:41 +10:00
s390x s390x/css: provide a dev_path for css devices 2016-07-20 15:47:25 +02:00
scsi pc, pci, virtio: new features, cleanups, fixes 2016-07-21 20:12:37 +01:00
sd ssi: change ssi_slave_init to be a realize ops 2016-07-04 13:15:22 +01:00
sh4 Clean up ill-advised or unusual header guards 2016-07-12 16:20:46 +02:00
smbios ipmi: Add SMBIOS table entry 2016-06-24 05:13:57 +03:00
sparc trace: split out trace events for hw/sparc/ directory 2016-06-20 17:22:16 +01:00
sparc64 util: move declarations out of qemu-common.h 2016-03-22 22:20:17 +01:00
ssi ast2400: pretend DMAs are done for U-boot 2016-07-14 16:51:38 +01:00
timer MIPS patches 2016-07-12 2016-07-12 12:34:41 +01:00
tpm Clean up header guards that don't match their file name 2016-07-12 16:19:16 +02:00
tricore hw: explicitly include qemu-common.h and cpu.h 2016-03-22 22:20:17 +01:00
unicore32 hw: explicitly include qemu-common.h and cpu.h 2016-03-22 22:20:17 +01:00
usb usb: xhci assert fix, add usbredir streams property 2016-07-20 20:31:31 +01:00
vfio kvm-irqchip: do explicit commit when update irq 2016-07-21 20:44:19 +03:00
virtio virtio: error out if guest exceeds virtqueue size 2016-07-27 14:04:40 +01:00
watchdog nmi: remove x86 specific nmi handling 2016-05-23 16:53:46 +02:00
xen Clean up decorations and whitespace around header guards 2016-07-12 16:20:46 +02:00
xenpv Clean up decorations and whitespace around header guards 2016-07-12 16:20:46 +02:00
xtensa target-xtensa: xtfpga: fix FLASH interface width 2016-07-14 13:59:44 +03:00
Makefile.objs Add a base IPMI interface 2015-12-22 18:39:19 +02:00