QEMU: net: vmxnet: integer overflow may crash guest
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| QEMU | Expired | Undecided | Unassigned | |
Bug Description
* Gaoning Pan from Zhejiang University & Ant Security Light-Year Lab reported a malloc failure issue located in vmxnet3_
* This issue is reproducible because while activating the NIC device, vmxnet3_
does not validate guest supplied configuration values against predefined min/max limits.
@@ -1420,6 +1420,7 @@ static void vmxnet3_
vmxnet3_
/* Cache fields from shared memory */
s->mtu = VMXNET3_
+ assert(
VMW_CFPRN("MTU is %u", s->mtu);
s-
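Review bot: The `assert(` added right after `s->mtu` is cached from shared memory turns a check on a guest-written value into an assertion, so a guest that supplies an out-of-range MTU aborts the whole QEMU process instead of having the activation refused. Consider an explicit range check that logs the bad value and returns without activating the device.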
@@ -1473,6 +1474,9 @@ static void vmxnet3_
/* Read rings memory locations for TX queues */
pa = VMXNET3_
size = VMXNET3_
+ if (size > VMXNET3_
+ size = VMXNET3_
+ }
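Review bot: The TX ring clamp under `if (size > VMXNET3_` silently rewrites `size`, so the device carries on with a ring length that differs from what the guest driver configured and nothing records that a bad value was seen. Either reject the configuration or emit a guest-error log line when the clamp fires, so the condition is visible to whoever debugs the guest.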
@@ -1483,6 +1487,9 @@ static void vmxnet3_
/* TXC ring */
pa = VMXNET3_
size = VMXNET3_
+ if (size > VMXNET3_
+ size = VMXNET3_
+ }
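Review bot: Style point on the TXC ring clamp: it is the same three-line `if (size > ...) { size = ...; }` block as in the TX hunk, and it recurs for the RX and RXC rings. A small helper that takes the value and its limit would keep the four sites consistent and give one place to add logging.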
@@ -1524,6 +1531,9 @@ static void vmxnet3_
/* RX rings */
pa = VMXNET3_
size = VMXNET3_
+ if (size > VMXNET3_
+ size = VMXNET3_
+ }
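Review bot: The RX ring check bounds `size` only from above, while the bug description speaks of min/max limits; a size of zero, or any value below the minimum, passes this check unchanged. Add the lower-bound comparison next to the `size >` test.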
@@ -1533,6 +1543,9 @@ static void vmxnet3_
/* RXC ring */
pa = VMXNET3_
size = VMXNET3_
+ if (size > VMXNET3_
+ size = VMXNET3_
+ }
This may lead to potential integer overflow OR OOB buffer access issues.
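The missing validation described above, as an added example (not code from the bug report or from QEMU): guest-supplied values are range-checked and the ring length is computed with an overflow-checked multiply, and a bad configuration is rejected rather than asserted on. The struct, the function names and the `EX_*` limits are hypothetical and do not correspond to QEMU's constants.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical limits for this example; not QEMU's VMXNET3_* constants. */
#define EX_RING_MIN_SIZE 32u
#define EX_RING_MAX_SIZE 4096u
#define EX_MTU_MIN 60u
#define EX_MTU_MAX 9000u

/* Values a guest driver writes into shared memory before activation. */
struct ex_guest_cfg {
    uint32_t mtu;
    uint32_t ring_size;   /* number of descriptors */
    uint32_t cell_size;   /* bytes per descriptor */
};

/* True when lo <= v <= hi. */
static bool ex_in_range(uint32_t v, uint32_t lo, uint32_t hi)
{
    return v >= lo && v <= hi;
}

/*
 * Validate guest-supplied fields and compute the ring's byte length.
 * Returns 0 and stores the length in *bytes on success, -1 on rejection.
 * No assert(): a bad guest value must not abort the host process.
 */
int ex_validate_cfg(const struct ex_guest_cfg *cfg, size_t *bytes)
{
    if (!ex_in_range(cfg->mtu, EX_MTU_MIN, EX_MTU_MAX)) {
        return -1;
    }
    if (!ex_in_range(cfg->ring_size, EX_RING_MIN_SIZE, EX_RING_MAX_SIZE)) {
        return -1;
    }
    if (cfg->cell_size == 0) {
        return -1;
    }
    /* Overflow-checked multiply: the product must fit in 32 bits
     * (an assumption of this example). ring_size is >= 32 here. */
    if (cfg->cell_size > UINT32_MAX / cfg->ring_size) {
        return -1;
    }
    *bytes = (size_t)cfg->ring_size * cfg->cell_size;
    return 0;
}
```
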
CVE References
information type: Private Security → Public Security
CVE-2021-20203 assigned by Red Hat Inc.