[Qemu-stable] [PATCH 05/23] ahci: fix buffer overrun on invalid state load
From: Michael S. Tsirkin
Subject: [Qemu-stable] [PATCH 05/23] ahci: fix buffer overrun on invalid state load
Date: Tue, 3 Dec 2013 18:28:35 +0200
CVE-2013-4526
Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded. So
we use the old version of ports to read the array but then allow any
value for ports. This can cause the code to overflow.
There's no reason to migrate ports - it never changes.
So just make sure it matches.
Reported-by: Anthony Liguori <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
---
hw/ide/ahci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index fbea9e8..e321274 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -1290,7 +1290,7 @@ const VMStateDescription vmstate_ahci = {
VMSTATE_UINT32(control_regs.impl, AHCIState),
VMSTATE_UINT32(control_regs.version, AHCIState),
VMSTATE_UINT32(idp_index, AHCIState),
- VMSTATE_INT32(ports, AHCIState),
+ VMSTATE_INT32_EQUAL(ports, AHCIState),
VMSTATE_END_OF_LIST()
},
};
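Review bot: the new VMSTATE_INT32_EQUAL line carries no comment saying why this field must match, and the VARRAY entry that is sized by ports sits outside the hunk's context, so a later reader could plausibly "simplify" it back to VMSTATE_INT32 and reopen the bug. Suggest a one-line comment above it, e.g. `/* never changes; the port array earlier in this list is sized by it */`, or the same sentence in the commit message, which already states that ports never changes and that the array is read with the pre-load value. Also worth stating explicitly that the behavioural change is deliberate: with _EQUAL an incoming stream whose ports value differs from the device's now fails the whole load instead of being accepted, which is the intended outcome for the malformed streams this CVE covers.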
--
MST
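The pattern the commit message describes, shown as an added stand-alone example rather than QEMU code: a toy "vmstate"-style loader reads a port array using the count the device already holds, then (before the fix) overwrites that count with whatever the stream says, so later code that trusts the count can walk past the array. The fixed loader does what VMSTATE_INT32_EQUAL does and rejects the stream on mismatch. The names DeviceState, Stream, load_vulnerable, load_fixed, run_load, MAX_PORTS and the stream layout are all hypothetical; the stream bytes are constructed inline.

```c
/* Added example, not QEMU code. Mirrors the load ordering from the commit
 * message: array first (sized by the existing count), count second. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_PORTS 32          /* hypothetical fixed array size */
#define REGS_PER_PORT 4

typedef struct { uint32_t regs[REGS_PER_PORT]; } PortState;

typedef struct {
    int32_t ports;            /* set when the device is created, never changes */
    PortState port[MAX_PORTS];
} DeviceState;

/* Minimal reader over an in-memory migration stream (host byte order; toy). */
typedef struct { const uint8_t *buf; size_t len, pos; } Stream;

static int get_i32(Stream *s, int32_t *out)
{
    if (s->len - s->pos < sizeof *out) return -1;
    memcpy(out, s->buf + s->pos, sizeof *out);
    s->pos += sizeof *out;
    return 0;
}

/* The VARRAY part: read d->ports entries using the count the device
 * already has (the "old version of ports" from the commit message). */
static int load_port_array(DeviceState *d, Stream *s)
{
    for (int32_t i = 0; i < d->ports; i++)
        for (int k = 0; k < REGS_PER_PORT; k++)
            if (get_i32(s, (int32_t *)&d->port[i].regs[k])) return -1;
    return 0;
}

/* Before the fix: ports is then overwritten with whatever the stream says. */
static int load_vulnerable(DeviceState *d, Stream *s)
{
    if (load_port_array(d, s)) return -1;
    return get_i32(s, &d->ports);
}

/* After the fix: the incoming value must equal the existing one, which is
 * what VMSTATE_INT32_EQUAL enforces; a mismatch fails the whole load. */
static int load_fixed(DeviceState *d, Stream *s)
{
    int32_t incoming;
    if (load_port_array(d, s)) return -1;
    if (get_i32(s, &incoming)) return -1;
    if (incoming != d->ports) return -1;
    return 0;
}

/* 1 if post-load code that indexes port[] up to d->ports would run off the
 * array, 0 otherwise; this is the overflow the commit message describes. */
static int ports_out_of_bounds(const DeviceState *d)
{
    return d->ports < 0 || d->ports > MAX_PORTS;
}

/* Build a constructed stream for a 2-port device whose trailing ports field
 * carries `claimed`. Returns -1 if the loader rejects it, otherwise
 * ports_out_of_bounds() on the resulting state. */
static int run_load(int (*loader)(DeviceState *, Stream *), int32_t claimed)
{
    DeviceState d;
    uint8_t buf[(2 * REGS_PER_PORT + 1) * sizeof(int32_t)];
    size_t off = 0;
    int32_t v;

    memset(&d, 0, sizeof d);
    d.ports = 2;
    for (int i = 0; i < 2 * REGS_PER_PORT; i++) {
        v = i;                                   /* arbitrary register contents */
        memcpy(buf + off, &v, sizeof v); off += sizeof v;
    }
    memcpy(buf + off, &claimed, sizeof claimed); off += sizeof claimed;

    Stream s = { buf, off, 0 };
    if (loader(&d, &s)) return -1;
    return ports_out_of_bounds(&d);
}

int main(void)
{
    printf("vulnerable, ports=100000: %d\n", run_load(load_vulnerable, 100000));
    printf("fixed,      ports=100000: %d\n", run_load(load_fixed, 100000));
    printf("fixed,      ports=2:      %d\n", run_load(load_fixed, 2));
    return 0;
}
```

Note that the array load itself is bounded by the trusted, pre-load count in both versions; the exposure is entirely in what happens after the count field is consumed, which is why an equality check on that one field is sufficient here.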
- [Qemu-stable] [PATCH 00/23] qemu state loading issues, Michael S. Tsirkin, 2013/12/03
- [Qemu-stable] [PATCH 01/23] virtio-net: fix buffer overflow on invalid state load, Michael S. Tsirkin, 2013/12/03
- [Qemu-stable] [PATCH 02/23] virtio-net: out-of-bounds buffer write on load, Michael S. Tsirkin, 2013/12/03
- [Qemu-stable] [PATCH 03/23] virtio-net: out-of-bounds buffer write on invalid state load, Michael S. Tsirkin, 2013/12/03
- [Qemu-stable] [PATCH 05/23] ahci: fix buffer overrun on invalid state load, Michael S. Tsirkin <=
- [Qemu-stable] [PATCH 06/23] hpet: fix buffer overrun on invalid state load, Michael S. Tsirkin, 2013/12/03
- [Qemu-stable] [PATCH 07/23] hw/pci/pcie_aer.c: fix buffer overruns on invalid state load, Michael S. Tsirkin, 2013/12/03
- [Qemu-stable] [PATCH 09/23] target-arm/machine.c: fix buffer overflow on invalid state load, Michael S. Tsirkin, 2013/12/03