From: Peter Maydell
Subject: Re: [Qemu-stable] [Qemu-devel] [PATCH 06/23] hpet: fix buffer overrun on invalid state load
Date: Tue, 3 Dec 2013 18:39:15 +0000

On 3 December 2013 16:28, Michael S. Tsirkin <address@hidden> wrote:
> CVE-2013-4527 hw/timer/hpet.c buffer overrun
>
> hpet is a VARRAY with a uint8 size but static array of 32
>
> To fix, make sure num_timers is valid using post_load hook.
>
> Reported-by: Anthony Liguori <address@hidden>
> Signed-off-by: Michael S. Tsirkin <address@hidden>
> ---
>  hw/timer/hpet.c | 18 +++++++++++++-----
>  1 file changed, 13 insertions(+), 5 deletions(-)
>
> diff --git a/hw/timer/hpet.c b/hw/timer/hpet.c
> index 2eb75ea..acdc874 100644
> --- a/hw/timer/hpet.c
> +++ b/hw/timer/hpet.c
> @@ -211,6 +211,15 @@ static void update_irq(struct HPETTimer *timer, int set)
>      }
>  }
>
> +static void hpet_fix_num_timers(HPETState *s)
> +{
> +    if (s->num_timers < HPET_MIN_TIMERS) {
> +        s->num_timers = HPET_MIN_TIMERS;
> +    } else if (s->num_timers > HPET_MAX_TIMERS) {
> +        s->num_timers = HPET_MAX_TIMERS;
> +    }
> +}
> +
>  static void hpet_pre_save(void *opaque)
>  {
>      HPETState *s = opaque;
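Review bot: hpet_fix_num_timers silently clamps an out-of-range num_timers into [HPET_MIN_TIMERS, HPET_MAX_TIMERS] instead of rejecting the incoming state, so a corrupted or hostile migration stream is accepted with a timer count the source never had. Since the commit message presents this as validation, consider having the helper return an error that hpet_post_load (which already returns int) can propagate so the load fails rather than being patched up, and add a comment stating which load path the bound protects.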
> @@ -232,6 +241,8 @@ static int hpet_post_load(void *opaque, int version_id)
>  {
>      HPETState *s = opaque;
>
> +    hpet_fix_num_timers(s);
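Review bot: calling hpet_fix_num_timers(s) from hpet_post_load enforces the bound only after the whole device state, including the timer VARRAY whose length is taken from the uint8 num_timers, has already been unmarshalled into the static array of 32, so the overrun the commit message describes has already occurred by the time the clamp runs. The check needs to happen before the array elements are read, at the point num_timers itself is loaded, not in the post_load hook.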

Haven't we already overrun the buffer at this point?

thanks
-- PMM
