Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 27 Jul 2016 20:30:01 +0530 (IST)
From: P J P <ppandit@...hat.com>
To: oss security list <oss-security@...ts.openwall.com>
cc: Stefan Hajnoczi <shajnocz@...hat.com>, sstabellini@...nel.org,
        zhenhaohong@...il.com
Subject: CVE-2016-5403 Qemu: virtio: unbounded memory allocation on host via
 guest leading to DoS

   Hello,

Quick emulator(Qemu) built with the virtio framework is vulnerable to an 
unbounded memory allocation issue. It was found that a malicious guest user 
could submit more requests than the virtqueue size permits, without waiting 
for their completion. This requires reusing vring descriptors in more than one 
request, which is incorrect but possible. Processing a request allocates a 
'VirtQueueElement' object and therefore causes unbounded memory allocation 
controlled by the guest.

A privileged guest user could use this flaw to potentially crash the guest 
resulting in DoS. Memory exhaustion would also affect other guests and 
services running on the host.

This issue was discovered by Zhenhao Hong of the 360 Marvel Team.

Reference:
----------
   -> https://bugzilla.redhat.com/show_bug.cgi?id=1358359

Given below is a proposed patch to fix this issue:

===
virtio: error out if guest exceeds virtqueue size

A broken or malicious guest can submit more requests than the virtqueue
size permits.

The guest can submit requests without bothering to wait for completion
and is therefore not bound by virtqueue size.  This requires reusing
vring descriptors in more than one request, which is incorrect but
possible.  Processing a request allocates a VirtQueueElement and
therefore causes unbounded memory allocation controlled by the guest.

Exit with an error if the guest provides more requests than the
virtqueue size permits.  This bounds memory allocation and makes the
buggy guest visible to the user.

Signed-off-by: Stefan Hajnoczi <stefanha@...hat.com>
---
  hw/virtio/virtio.c | 5 +++++
  1 file changed, 5 insertions(+)

diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 18153d5..398c03f 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -561,6 +561,11 @@ void *virtqueue_pop(VirtQueue *vq, size_t sz)

      max = vq->vring.num;

+    if (vq->inuse >= max) {
+        error_report("Virtqueue size exceeded");
+        exit(1);
+    }
+
      i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
      if (virtio_vdev_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) {
          vring_set_avail_event(vq, vq->last_avail_idx);
-- 
2.7.4
===


Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.