[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH v4 14/30] stellaris_enet: avoid buffer overrun on in
|
From: |
Michael S. Tsirkin |
|
Subject: |
[Qemu-devel] [PATCH v4 14/30] stellaris_enet: avoid buffer overrun on incoming migration (part 2) |
|
Date: |
Mon, 31 Mar 2014 17:16:52 +0300 |
CVE-2013-4532
s->tx_fifo_len is read from the wire and later used as an index into
s->tx_fifo[] when a DATA command is issued by the guest. If
s->tx_fifo_len is greater than the length of s->tx_fifo[], or less
than 0, the buffer can be overrun/underrun by arbitrary data written out
by the guest upon resuming its execution.
Fix this by failing migration if the value from the wire would make
guest access the array out of bounds.
Reported-by: Michael Roth <address@hidden>
Reported-by: Peter Maydell <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
---
hw/net/stellaris_enet.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c
index 182fd3e..aed00fd 100644
--- a/hw/net/stellaris_enet.c
+++ b/hw/net/stellaris_enet.c
@@ -358,7 +358,7 @@ static void stellaris_enet_save(QEMUFile *f, void *opaque)
static int stellaris_enet_load(QEMUFile *f, void *opaque, int version_id)
{
stellaris_enet_state *s = (stellaris_enet_state *)opaque;
- int i, v;
+ int i, v, sz;
if (version_id != 1)
return -EINVAL;
@@ -374,7 +374,13 @@ static int stellaris_enet_load(QEMUFile *f, void *opaque,
int version_id)
s->mrxd = qemu_get_be32(f);
s->np = qemu_get_be32(f);
s->tx_frame_len = qemu_get_be32(f);
- s->tx_fifo_len = qemu_get_be32(f);
+ v = qemu_get_be32(f);
+ /* How many bytes does data use in tx fifo. */
+ sz = s->tx_frame_len == -1 ? 2 : 4;
+ if (v < 0 || v >= ARRAY_SIZE(s->tx_fifo) - sz) {
+ return -EINVAL;
+ }
+ s->tx_fifo_len = v;
qemu_get_buffer(f, s->tx_fifo, sizeof(s->tx_fifo));
for (i = 0; i < 31; i++) {
s->rx[i].len = qemu_get_be32(f);
--
MST
- [Qemu-devel] [PATCH v4 09/30] hpet: fix buffer overrun on invalid state load, (continued)
- [Qemu-devel] [PATCH v4 09/30] hpet: fix buffer overrun on invalid state load, Michael S. Tsirkin, 2014/03/31
- [Qemu-devel] [PATCH v4 11/30] pl022: fix buffer overun on invalid state load, Michael S. Tsirkin, 2014/03/31
- [Qemu-devel] [PATCH v4 10/30] hw/pci/pcie_aer.c: fix buffer overruns on invalid state load, Michael S. Tsirkin, 2014/03/31
- [Qemu-devel] [PATCH v4 12/30] vmstate: fix buffer overflow in target-arm/machine.c, Michael S. Tsirkin, 2014/03/31
- [Qemu-devel] [PATCH v4 13/30] stellaris_enet: avoid buffer overrun on incoming migration, Michael S. Tsirkin, 2014/03/31
- [Qemu-devel] [PATCH v4 14/30] stellaris_enet: avoid buffer overrun on incoming migration (part 2),
Michael S. Tsirkin <=
- [Qemu-devel] [PATCH v4 15/30] stellaris_enet: avoid buffer orerrun on incoming migration (part 3), Michael S. Tsirkin, 2014/03/31
- [Qemu-devel] [PATCH v4 16/30] virtio: avoid buffer overrun on incoming migration, Michael S. Tsirkin, 2014/03/31
- [Qemu-devel] [PATCH v4 17/30] openpic: avoid buffer overrun on incoming migration, Michael S. Tsirkin, 2014/03/31
- [Qemu-devel] [PATCH v4 18/30] virtio: validate num_sg when mapping, Michael S. Tsirkin, 2014/03/31
- [Qemu-devel] [PATCH v4 19/30] pxa2xx: avoid buffer overrun on incoming migration, Michael S. Tsirkin, 2014/03/31
- [Qemu-devel] [PATCH v4 21/30] ssd0323: fix buffer overun on invalid state load, Michael S. Tsirkin, 2014/03/31