QEMU: net: vmxnet: integer overflow may crash guest

Bug #1913873 reported by P J P on 2021-01-30
266
This bug affects 2 people
Affects Status Importance Assigned to Milestone
QEMU
Undecided
Unassigned

Bug Description

* Gaoning Pan from Zhejiang University & Ant Security Light-Year Lab reported a malloc failure
  issue locates in vmxnet3_activate_device() of qemu/hw/net/vmxnet3.c NIC emulator

* This issue is reproducible because while activating the NIC device, vmxnet3_activate_device
  does not validate guest supplied configuration values against predefined min/max limits.

@@ -1420,6 +1420,7 @@ static void vmxnet3_activate_device(VMXNET3State *s)
     vmxnet3_setup_rx_filtering(s);
     /* Cache fields from shared memory */
     s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu);
+ assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU); <= Did not check if MTU is within range
     VMW_CFPRN("MTU is %u", s->mtu);

     s->max_rx_frags =
@@ -1473,6 +1474,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
         /* Read rings memory locations for TX queues */
         pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.txRingBasePA);
         size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.txRingSize);
+ if (size > VMXNET3_TX_RING_MAX_SIZE) { <= Did not check TX ring size
+ size = VMXNET3_TX_RING_MAX_SIZE;
+ }

         vmxnet3_ring_init(d, &s->txq_descr[i].tx_ring, pa, size,
                           sizeof(struct Vmxnet3_TxDesc), false);
@@ -1483,6 +1487,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
         /* TXC ring */
         pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.compRingBasePA);
         size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.compRingSize);
+ if (size > VMXNET3_TC_RING_MAX_SIZE) { <= Did not check TC ring size
+ size = VMXNET3_TC_RING_MAX_SIZE;
+ }
         vmxnet3_ring_init(d, &s->txq_descr[i].comp_ring, pa, size,
                           sizeof(struct Vmxnet3_TxCompDesc), true);
         VMXNET3_RING_DUMP(VMW_CFPRN, "TXC", i, &s->txq_descr[i].comp_ring);
@@ -1524,6 +1531,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
             /* RX rings */
             pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.rxRingBasePA[j]);
             size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.rxRingSize[j]);
+ if (size > VMXNET3_RX_RING_MAX_SIZE) { <= Did not check RX ring size
+ size = VMXNET3_RX_RING_MAX_SIZE;
+ }
             vmxnet3_ring_init(d, &s->rxq_descr[i].rx_ring[j], pa, size,
                               sizeof(struct Vmxnet3_RxDesc), false);
             VMW_CFPRN("RX queue %d:%d: Base: %" PRIx64 ", Size: %d",
@@ -1533,6 +1543,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
         /* RXC ring */
         pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.compRingBasePA);
         size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.compRingSize);
+ if (size > VMXNET3_RC_RING_MAX_SIZE) { <= Did not check RC ring size
+ size = VMXNET3_RC_RING_MAX_SIZE;
+ }

This may lead to potential integer overflow OR OOB buffer access issues.

CVE References

P J P (pjps) wrote :

CVE-2021-20203 assigned by Red Hat Inc.

P J P (pjps) on 2021-01-30
information type: Private Security → Public Security
P J P (pjps) wrote :

Yes, from the trace looks same.

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers