[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH v4 11/30] pl022: fix buffer overun on invalid st
|
From: |
Peter Maydell |
|
Subject: |
Re: [Qemu-devel] [PATCH v4 11/30] pl022: fix buffer overun on invalid state load |
|
Date: |
Mon, 31 Mar 2014 16:04:38 +0100 |
On 31 March 2014 15:16, Michael S. Tsirkin <address@hidden> wrote:
> CVE-2013-4530
>
> pl022.c did not bounds check tx_fifo_head and
> rx_fifo_head after loading them from file and
> before they are used to dereference array.
>
> Reported-by: Michael S. Tsirkin <address@hidden
> Reported-by: Anthony Liguori <address@hidden>
> Signed-off-by: Michael S. Tsirkin <address@hidden>
> ---
> hw/ssi/pl022.c | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
> diff --git a/hw/ssi/pl022.c b/hw/ssi/pl022.c
> index fd479ef..49b3f61 100644
> --- a/hw/ssi/pl022.c
> +++ b/hw/ssi/pl022.c
> @@ -240,11 +240,23 @@ static const MemoryRegionOps pl022_ops = {
> .endianness = DEVICE_NATIVE_ENDIAN,
> };
>
> +static int pl022_post_load(void *opaque, int version_id)
> +{
> + PL022State *s = opaque;
> +
> + if (s->tx_fifo_head > ARRAY_SIZE(s->tx_fifo) ||
> + s->rx_fifo_head > ARRAY_SIZE(s->rx_fifo)) {
> + return -1;
Shouldn't these be '>=' checks? Also if the
incoming values are negative then we'll go
wrong in the other direction.
Given the way we do calculations involving *_fifo_len
as well, it might be best to also sanitize those,
though I think it's not possible currently to provoke
a buffer overrun with them. (NB that the _fifo_len
fields can validly be equal to the ARRAY_SIZE, unlike
the _fifo_head fields.)
thanks
-- PMM
- [Qemu-devel] [PATCH v4 02/30] vmstate: add VMS_MUST_EXIST, (continued)
- [Qemu-devel] [PATCH v4 02/30] vmstate: add VMS_MUST_EXIST, Michael S. Tsirkin, 2014/03/31
- [Qemu-devel] [PATCH v4 03/30] vmstate: add VMSTATE_VALIDATE, Michael S. Tsirkin, 2014/03/31
- [Qemu-devel] [PATCH v4 04/30] virtio-net: fix buffer overflow on invalid state load, Michael S. Tsirkin, 2014/03/31
- [Qemu-devel] [PATCH v4 05/30] virtio-net: out-of-bounds buffer write on load, Michael S. Tsirkin, 2014/03/31
- [Qemu-devel] [PATCH v4 06/30] virtio-net: out-of-bounds buffer write on invalid state load, Michael S. Tsirkin, 2014/03/31
- [Qemu-devel] [PATCH v4 07/30] virtio: out-of-bounds buffer write on invalid state load, Michael S. Tsirkin, 2014/03/31
- [Qemu-devel] [PATCH v4 09/30] hpet: fix buffer overrun on invalid state load, Michael S. Tsirkin, 2014/03/31
- [Qemu-devel] [PATCH v4 11/30] pl022: fix buffer overun on invalid state load, Michael S. Tsirkin, 2014/03/31
- Re: [Qemu-devel] [PATCH v4 11/30] pl022: fix buffer overun on invalid state load,
Peter Maydell <=
- [Qemu-devel] [PATCH v4 10/30] hw/pci/pcie_aer.c: fix buffer overruns on invalid state load, Michael S. Tsirkin, 2014/03/31
- [Qemu-devel] [PATCH v4 12/30] vmstate: fix buffer overflow in target-arm/machine.c, Michael S. Tsirkin, 2014/03/31
- [Qemu-devel] [PATCH v4 13/30] stellaris_enet: avoid buffer overrun on incoming migration, Michael S. Tsirkin, 2014/03/31
- [Qemu-devel] [PATCH v4 14/30] stellaris_enet: avoid buffer overrun on incoming migration (part 2), Michael S. Tsirkin, 2014/03/31
- [Qemu-devel] [PATCH v4 15/30] stellaris_enet: avoid buffer orerrun on incoming migration (part 3), Michael S. Tsirkin, 2014/03/31
- [Qemu-devel] [PATCH v4 16/30] virtio: avoid buffer overrun on incoming migration, Michael S. Tsirkin, 2014/03/31