[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-stable] [PATCH 050/156] ssd0323: fix buffer overun on invalid stat
From: |
Michael Roth |
Subject: |
[Qemu-stable] [PATCH 050/156] ssd0323: fix buffer overun on invalid state load |
Date: |
Tue, 8 Jul 2014 12:17:21 -0500 |
From: "Michael S. Tsirkin" <address@hidden>
CVE-2013-4538
s->cmd_len used as index in ssd0323_transfer() to store 32-bit field.
Possible this field might then be supplied by guest to overwrite a
return addr somewhere. Same for row/col fields, which are indicies into
framebuffer array.
To fix validate after load.
Additionally, validate that the row/col_start/end are within bounds;
otherwise the guest can provoke an overrun by either setting the _end
field so large that the row++ increments just walk off the end of the
array, or by setting the _start value to something bogus and then
letting the "we hit end of row" logic reset row to row_start.
For completeness, validate mode as well.
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit ead7a57df37d2187813a121308213f41591bd811)
Signed-off-by: Michael Roth <address@hidden>
---
hw/display/ssd0323.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/hw/display/ssd0323.c b/hw/display/ssd0323.c
index c3231c6..773414c 100644
--- a/hw/display/ssd0323.c
+++ b/hw/display/ssd0323.c
@@ -312,18 +312,42 @@ static int ssd0323_load(QEMUFile *f, void *opaque, int
version_id)
return -EINVAL;
s->cmd_len = qemu_get_be32(f);
+ if (s->cmd_len < 0 || s->cmd_len > ARRAY_SIZE(s->cmd_data)) {
+ return -EINVAL;
+ }
s->cmd = qemu_get_be32(f);
for (i = 0; i < 8; i++)
s->cmd_data[i] = qemu_get_be32(f);
s->row = qemu_get_be32(f);
+ if (s->row < 0 || s->row >= 80) {
+ return -EINVAL;
+ }
s->row_start = qemu_get_be32(f);
+ if (s->row_start < 0 || s->row_start >= 80) {
+ return -EINVAL;
+ }
s->row_end = qemu_get_be32(f);
+ if (s->row_end < 0 || s->row_end >= 80) {
+ return -EINVAL;
+ }
s->col = qemu_get_be32(f);
+ if (s->col < 0 || s->col >= 64) {
+ return -EINVAL;
+ }
s->col_start = qemu_get_be32(f);
+ if (s->col_start < 0 || s->col_start >= 64) {
+ return -EINVAL;
+ }
s->col_end = qemu_get_be32(f);
+ if (s->col_end < 0 || s->col_end >= 64) {
+ return -EINVAL;
+ }
s->redraw = qemu_get_be32(f);
s->remap = qemu_get_be32(f);
s->mode = qemu_get_be32(f);
+ if (s->mode != SSD0323_CMD && s->mode != SSD0323_DATA) {
+ return -EINVAL;
+ }
qemu_get_buffer(f, s->framebuffer, sizeof(s->framebuffer));
ss->cs = qemu_get_be32(f);
--
1.9.1
- [Qemu-stable] [PATCH 106/156] dmg: sanitize chunk length and sectorcount (CVE-2014-0145), (continued)
- [Qemu-stable] [PATCH 106/156] dmg: sanitize chunk length and sectorcount (CVE-2014-0145), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 082/156] vpc/vhd: add bounds check for max_table_entries and block_size (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 135/156] aio: fix qemu_bh_schedule() bh->ctx race condition, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 105/156] dmg: use appropriate types when reading chunks, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 070/156] qemu-iotests: add cloop input validation tests, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 067/156] migration: remove duplicate code, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 012/156] mirror: fix throttling delay calculation, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 078/156] bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 014/156] virtio-net: Do not filter VLANs without F_CTRL_VLAN, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 138/156] qga: Fix handle fd leak in acquire_privilege(), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 050/156] ssd0323: fix buffer overun on invalid state load,
Michael Roth <=
- [Qemu-stable] [PATCH 080/156] bochs: Check extent_size header field (CVE-2014-0142), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 119/156] qcow1: Validate image size (CVE-2014-0223), Michael Roth, 2014/07/09
- [Qemu-stable] [PATCH 042/156] pl022: fix buffer overun on invalid state load, Michael Roth, 2014/07/09
- [Qemu-stable] [PATCH 142/156] usb: Fix usb-bt-dongle initialization., Michael Roth, 2014/07/09
- [Qemu-stable] [PATCH 090/156] qcow2: Validate refcount table offset, Michael Roth, 2014/07/09
- [Qemu-stable] [PATCH 141/156] vhost: fix resource leak in error handling, Michael Roth, 2014/07/09
- [Qemu-stable] [PATCH 113/156] qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143), Michael Roth, 2014/07/09
- Re: [Qemu-stable] [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14, Dr. David Alan Gilbert, 2014/07/09
- [Qemu-stable] [PATCH 151/156] nbd: Shutdown socket before closing., Michael Roth, 2014/07/09