[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH 048/156] pxa2xx: avoid buffer overrun on incoming mi
From: |
Michael Roth |
Subject: |
[Qemu-devel] [PATCH 048/156] pxa2xx: avoid buffer overrun on incoming migration |
Date: |
Tue, 8 Jul 2014 12:17:19 -0500 |
From: "Michael S. Tsirkin" <address@hidden>
CVE-2013-4533
s->rx_level is read from the wire and used to determine how many bytes
to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the
length of s->rx_fifo[] the buffer can be overrun with arbitrary data
from the wire.
Fix this by validating rx_level against the size of s->rx_fifo.
Cc: Don Koch <address@hidden>
Reported-by: Michael Roth <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
Reviewed-by: Don Koch <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit caa881abe0e01f9931125a0977ec33c5343e4aa7)
Signed-off-by: Michael Roth <address@hidden>
---
hw/arm/pxa2xx.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/hw/arm/pxa2xx.c b/hw/arm/pxa2xx.c
index 02b7016..daec57d 100644
--- a/hw/arm/pxa2xx.c
+++ b/hw/arm/pxa2xx.c
@@ -742,7 +742,7 @@ static void pxa2xx_ssp_save(QEMUFile *f, void *opaque)
static int pxa2xx_ssp_load(QEMUFile *f, void *opaque, int version_id)
{
PXA2xxSSPState *s = (PXA2xxSSPState *) opaque;
- int i;
+ int i, v;
s->enable = qemu_get_be32(f);
@@ -756,7 +756,11 @@ static int pxa2xx_ssp_load(QEMUFile *f, void *opaque, int
version_id)
qemu_get_8s(f, &s->ssrsa);
qemu_get_8s(f, &s->ssacd);
- s->rx_level = qemu_get_byte(f);
+ v = qemu_get_byte(f);
+ if (v < 0 || v > ARRAY_SIZE(s->rx_fifo)) {
+ return -EINVAL;
+ }
+ s->rx_level = v;
s->rx_start = 0;
for (i = 0; i < s->rx_level; i ++)
s->rx_fifo[i] = qemu_get_byte(f);
--
1.9.1
- [Qemu-devel] [PATCH 108/156] dmg: prevent chunk buffer overflow (CVE-2014-0145), (continued)
- [Qemu-devel] [PATCH 108/156] dmg: prevent chunk buffer overflow (CVE-2014-0145), Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 113/156] qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143), Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 051/156] tsc210x: fix buffer overrun on invalid state load, Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 070/156] qemu-iotests: add cloop input validation tests, Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 146/156] virtio-net: byteswap virtio-net header, Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 004/156] s390x/virtio-hcall: Add range check for hypervisor call, Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 010/156] tests: Fix 'make test' for i686 hosts (build regression), Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 012/156] mirror: fix throttling delay calculation, Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 116/156] qcow1: Make padding in the header explicit, Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 068/156] migration: catch unknown flags in ram_load, Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 048/156] pxa2xx: avoid buffer overrun on incoming migration,
Michael Roth <=
- [Qemu-devel] [PATCH 053/156] virtio-scsi: fix buffer overrun on invalid state load, Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 115/156] parallels: Sanity check for s->tracks (CVE-2014-0142), Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 058/156] stellaris_enet: block migration, Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 102/156] dmg: coding style and indentation cleanup, Michael Roth, 2014/07/10