[libvirt] [PATCH] qemu: avoid denial of service reading from QEMU monitor (CVE-2018-xxxx)
Michal Privoznik
mprivozn at redhat.com
Wed Jan 17 16:13:06 UTC 2018
On 01/16/2018 06:01 PM, Daniel P. Berrange wrote:
> We read from QEMU until seeing a \r\n pair to indicate a completed reply
> or event. To avoid memory denial-of-service though, we must have a size
> limit on amount of data we buffer. 10 MB is large enough that it ought
> to cope with normal QEMU replies, and small enough that we're not
> consuming unreasonable mem.
>
> Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
> ---
> src/qemu/qemu_monitor.c | 15 +++++++++++++++
> 1 file changed, 15 insertions(+)
>
> diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c
> index 046caf001c..85c7d68a13 100644
> --- a/src/qemu/qemu_monitor.c
> +++ b/src/qemu/qemu_monitor.c
> @@ -55,6 +55,15 @@ VIR_LOG_INIT("qemu.qemu_monitor");
> #define DEBUG_IO 0
> #define DEBUG_RAW_IO 0
>
> +/* We read from QEMU until seeing a \r\n pair to indicate a
> + * completed reply or event. To avoid memory denial-of-service
> + * though, we must have a size limit on amount of data we
> + * buffer. 10 MB is large enough that it ought to cope with
> + * normal QEMU replies, and small enough that we're not
> + * consuming unreasonable mem.
> + */
> +#define QEMU_MONITOR_MAX_RESPONSE (10 * 1024 * 1024)
> +
> struct _qemuMonitor {
> virObjectLockable parent;
>
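Review bot: `QEMU_MONITOR_MAX_RESPONSE` is a hard compile-time constant and the comment above it only argues that 10 MB is "large enough"; it should also say that reaching the limit is treated as a fatal read error rather than a recoverable condition, so a future reader tuning the value knows what behaviour they are changing.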
> @@ -575,6 +584,12 @@ qemuMonitorIORead(qemuMonitorPtr mon)
> int ret = 0;
>
> if (avail < 1024) {
> + if (mon->bufferLength >= QEMU_MONITOR_MAX_RESPONSE) {
> + virReportSystemError(ERANGE,
> + _("No complete monitor response found in %d bytes"),
> + QEMU_MONITOR_MAX_RESPONSE);
> + return -1;
> + }
> if (VIR_REALLOC_N(mon->buffer,
> mon->bufferLength + 1024) < 0)
> return -1;
>
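Review bot: the new check runs only inside `if (avail < 1024)` and compares `mon->bufferLength` (the allocated size) with the limit before growing by 1024, so it bounds the allocation at `QEMU_MONITOR_MAX_RESPONSE` plus at most one 1024-byte growth step; a one-line comment stating that this is a bound on allocation, not on bytes received, would save the next reader working it out. Also, `virReportSystemError(ERANGE, ...)` presents the failure as an errno-style system error although no system call failed here; `virReportError(VIR_ERR_INTERNAL_ERROR, ...)` with the same message would describe it more accurately.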
ACK, although is this really a CVE? Doesn't look that harmful to me. I
mean, owning qemu is not that easy, is it?
Michal