From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Mon, 15 Sep 2014 16:40:06 +0000 (+0200)
Subject: ivshmem: validate incoming_posn value from server
X-Git-Tag: v2.1.3~72
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=15905fde7bd40bc15173e77661981d462e6ca62b;p=thirdparty%2Fqemu.git

ivshmem: validate incoming_posn value from server

Check incoming_posn to avoid out-of-bounds array accesses if the ivshmem
server on the host sends invalid values.

Cc: Cam Macdonell <cam@cs.ualberta.ca>
Reported-by: Sebastian Krahmer <krahmer@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
[AF: Tighten upper bound check for posn in close_guest_eventfds()]
Cc: qemu-stable@nongnu.org
Signed-off-by: Andreas Färber <afaerber@suse.de>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

(cherry picked from commit 363ba1c72fed4425e7917afc36722584aaeaad8a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---

diff --git a/hw/misc/ivshmem.c b/hw/misc/ivshmem.c
index 2a05961f4b3..02e3dd9b2f7 100644
--- a/hw/misc/ivshmem.c
+++ b/hw/misc/ivshmem.c
@@ -385,6 +385,9 @@ static void close_guest_eventfds(IVShmemState *s, int posn)
     if (!ivshmem_has_feature(s, IVSHMEM_IOEVENTFD)) {
         return;
     }
+    if (posn < 0 || posn >= s->nb_peers) {
+        return;
+    }
 
     guest_curr_max = s->peers[posn].nb_eventfds;
 
@@ -451,6 +454,11 @@ static void ivshmem_read(void *opaque, const uint8_t *buf, int size)
         }
     }
 
+    if (incoming_posn < -1) {
+        IVSHMEM_DPRINTF("invalid incoming_posn %ld\n", incoming_posn);
+        return;
+    }
+
     /* pick off s->server_chr->msgfd and store it, posn should accompany msg */
     tmp_fd = qemu_chr_fe_get_msgfd(s->server_chr);
     IVSHMEM_DPRINTF("posn is %ld, fd is %d\n", incoming_posn, tmp_fd);