Diffstat (limited to 'results/classifier/105/other/1913873')
| -rw-r--r-- | results/classifier/105/other/1913873 | 83 |
1 files changed, 83 insertions, 0 deletions
diff --git a/results/classifier/105/other/1913873 b/results/classifier/105/other/1913873
new file mode 100644
index 00000000..c491759c
--- /dev/null
+++ b/results/classifier/105/other/1913873
@@ -0,0 +1,83 @@
+other: 0.836
+mistranslation: 0.810
+vnc: 0.788
+KVM: 0.779
+device: 0.765
+semantic: 0.755
+instruction: 0.754
+graphic: 0.749
+assembly: 0.719
+network: 0.620
+boot: 0.616
+socket: 0.541
+
+QEMU: net: vmxnet: integer overflow may crash guest
+
+* Gaoning Pan from Zhejiang University & Ant Security Light-Year Lab reported a malloc failure
+ issue locates in vmxnet3_activate_device() of qemu/hw/net/vmxnet3.c NIC emulator
+
+* This issue is reproducible because while activating the NIC device, vmxnet3_activate_device
+ does not validate guest supplied configuration values against predefined min/max limits.
+
+@@ -1420,6 +1420,7 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+ vmxnet3_setup_rx_filtering(s);
+ /* Cache fields from shared memory */
+ s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu);
++ assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU); <= Did not check if MTU is within range
+ VMW_CFPRN("MTU is %u", s->mtu);
+
+ s->max_rx_frags =
+@@ -1473,6 +1474,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+ /* Read rings memory locations for TX queues */
+ pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.txRingBasePA);
+ size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.txRingSize);
++ if (size > VMXNET3_TX_RING_MAX_SIZE) { <= Did not check TX ring size
++ size = VMXNET3_TX_RING_MAX_SIZE;
++ }
+
+ vmxnet3_ring_init(d, &s->txq_descr[i].tx_ring, pa, size,
+ sizeof(struct Vmxnet3_TxDesc), false);
+@@ -1483,6 +1487,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+ /* TXC ring */
+ pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.compRingBasePA);
+ size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.compRingSize);
++ if (size > VMXNET3_TC_RING_MAX_SIZE) { <= Did not check TC ring size
++ size = VMXNET3_TC_RING_MAX_SIZE;
++ }
+ vmxnet3_ring_init(d, &s->txq_descr[i].comp_ring, pa, size,
+ sizeof(struct Vmxnet3_TxCompDesc), true);
+ VMXNET3_RING_DUMP(VMW_CFPRN, "TXC", i, &s->txq_descr[i].comp_ring);
+@@ -1524,6 +1531,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+ /* RX rings */
+ pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.rxRingBasePA[j]);
+ size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.rxRingSize[j]);
++ if (size > VMXNET3_RX_RING_MAX_SIZE) { <= Did not check RX ring size
++ size = VMXNET3_RX_RING_MAX_SIZE;
++ }
+ vmxnet3_ring_init(d, &s->rxq_descr[i].rx_ring[j], pa, size,
+ sizeof(struct Vmxnet3_RxDesc), false);
+ VMW_CFPRN("RX queue %d:%d: Base: %" PRIx64 ", Size: %d",
+@@ -1533,6 +1543,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+ /* RXC ring */
+ pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.compRingBasePA);
+ size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.compRingSize);
++ if (size > VMXNET3_RC_RING_MAX_SIZE) { <= Did not check RC ring size
++ size = VMXNET3_RC_RING_MAX_SIZE;
++ }
+
+This may lead to potential integer overflow OR OOB buffer access issues.
+
+CVE-2021-20203 assigned by Red Hat Inc.
+
+Is this the same as https://bugs.launchpad.net/qemu/+bug/1890152 ?
+
+Yes, from the trace looks same.
+
+
+This is an automated cleanup. This bug report has been moved to QEMU's
+new bug tracker on gitlab.com and thus gets marked as 'expired' now.
+Please continue with the discussion here:
+
+ https://gitlab.com/qemu-project/qemu/-/issues/308
+
+
|