Diffstat (limited to 'results/classifier/118/permissions/1913873')
| -rw-r--r-- | results/classifier/118/permissions/1913873 | 100 |
1 files changed, 100 insertions, 0 deletions
diff --git a/results/classifier/118/permissions/1913873 b/results/classifier/118/permissions/1913873
new file mode 100644
index 000000000..72c8aa040
--- /dev/null
+++ b/results/classifier/118/permissions/1913873
@@ -0,0 +1,100 @@
+permissions: 0.817
+peripherals: 0.814
+mistranslation: 0.810
+VMM: 0.801
+register: 0.797
+TCG: 0.795
+vnc: 0.788
+hypervisor: 0.782
+KVM: 0.779
+virtual: 0.768
+device: 0.765
+user-level: 0.760
+semantic: 0.755
+arm: 0.752
+graphic: 0.749
+performance: 0.748
+architecture: 0.743
+debug: 0.739
+ppc: 0.739
+x86: 0.739
+assembly: 0.719
+PID: 0.714
+risc-v: 0.707
+kernel: 0.665
+i386: 0.655
+network: 0.620
+boot: 0.616
+files: 0.579
+socket: 0.541
+
+QEMU: net: vmxnet: integer overflow may crash guest
+
+* Gaoning Pan from Zhejiang University & Ant Security Light-Year Lab reported a malloc failure
+  issue locates in vmxnet3_activate_device() of qemu/hw/net/vmxnet3.c NIC emulator
+
+* This issue is reproducible because while activating the NIC device, vmxnet3_activate_device
+  does not validate guest supplied configuration values against predefined min/max limits.
+
+@@ -1420,6 +1420,7 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+     vmxnet3_setup_rx_filtering(s);
+     /* Cache fields from shared memory */
+     s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu);
++    assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU); <= Did not check if MTU is within range
+     VMW_CFPRN("MTU is %u", s->mtu);
+ 
+     s->max_rx_frags =
+@@ -1473,6 +1474,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+         /* Read rings memory locations for TX queues */
+         pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.txRingBasePA);
+         size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.txRingSize);
++        if (size > VMXNET3_TX_RING_MAX_SIZE) { <= Did not check TX ring size
++            size = VMXNET3_TX_RING_MAX_SIZE;
++        }
+ 
+         vmxnet3_ring_init(d, &s->txq_descr[i].tx_ring, pa, size,
+                           sizeof(struct Vmxnet3_TxDesc), false);
+@@ -1483,6 +1487,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+         /* TXC ring */
+         pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.compRingBasePA);
+         size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.compRingSize);
++        if (size > VMXNET3_TC_RING_MAX_SIZE) { <= Did not check TC ring size
++            size = VMXNET3_TC_RING_MAX_SIZE;
++        }
+         vmxnet3_ring_init(d, &s->txq_descr[i].comp_ring, pa, size,
+                           sizeof(struct Vmxnet3_TxCompDesc), true);
+         VMXNET3_RING_DUMP(VMW_CFPRN, "TXC", i, &s->txq_descr[i].comp_ring);
+@@ -1524,6 +1531,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+         /* RX rings */
+         pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.rxRingBasePA[j]);
+         size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.rxRingSize[j]);
++        if (size > VMXNET3_RX_RING_MAX_SIZE) { <= Did not check RX ring size
++            size = VMXNET3_RX_RING_MAX_SIZE;
++        }
+         vmxnet3_ring_init(d, &s->rxq_descr[i].rx_ring[j], pa, size,
+                           sizeof(struct Vmxnet3_RxDesc), false);
+         VMW_CFPRN("RX queue %d:%d: Base: %" PRIx64 ", Size: %d",
+@@ -1533,6 +1543,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+         /* RXC ring */
+         pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.compRingBasePA);
+         size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.compRingSize);
++        if (size > VMXNET3_RC_RING_MAX_SIZE) { <= Did not check RC ring size
++            size = VMXNET3_RC_RING_MAX_SIZE;
++        }
+
+This may lead to potential integer overflow OR OOB buffer access issues.
+
+CVE-2021-20203 assigned by Red Hat Inc.
+
+Is this the same as https://bugs.launchpad.net/qemu/+bug/1890152 ?
+
+Yes, from the trace looks same.
+
+
+This is an automated cleanup. This bug report has been moved to QEMU's
+new bug tracker on gitlab.com and thus gets marked as 'expired' now.
+Please continue with the discussion here:
+
+  https://gitlab.com/qemu-project/qemu/-/issues/308
+
+ |
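Review bot: The MTU guard sketched in the first quoted vmxnet3 hunk, `assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU);`, checks a value read straight from guest-writable shared memory, so a malicious guest driver still aborts the whole QEMU process on demand — the memory-safety bug becomes a guaranteed guest-triggerable VMM crash rather than being fixed. Activation should instead log a guest error and bail out, e.g. `if (s->mtu < VMXNET3_MIN_MTU || s->mtu > VMXNET3_MAX_MTU) { qemu_log_mask(LOG_GUEST_ERROR, "vmxnet3: Bad MTU size: %u\n", s->mtu); return; }` (adjust the upper comparison to however VMXNET3_MAX_MTU is defined; the assert's exclusive `<` and the "within range" wording disagree). The ring-size clamps that follow silently accept a size of zero, and whether vmxnet3_ring_init tolerates that is not visible from the quoted lines. Note that these hunks are the reporter's annotated sketch (the trailing `<= ...` markers are not valid C), not a merged patch, and vmxnet3_activate_device begins and ends outside every quoted hunk.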