[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-stable] [PATCH 044/156] vmstate: fix buffer overflow in target-arm
From: |
Michael Roth |
Subject: |
[Qemu-stable] [PATCH 044/156] vmstate: fix buffer overflow in target-arm/machine.c |
Date: |
Tue, 8 Jul 2014 12:17:15 -0500 |
From: "Michael S. Tsirkin" <address@hidden>
CVE-2013-4531
cpreg_vmstate_indexes is a VARRAY_INT32. A negative value for
cpreg_vmstate_array_len will cause a buffer overflow.
VMSTATE_INT32_LE was supposed to protect against this
but doesn't because it doesn't validate that input is
non-negative.
Fix this macro to valide the value appropriately.
The only other user of VMSTATE_INT32_LE doesn't
ever use negative numbers so it doesn't care.
Reported-by: Anthony Liguori <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit d2ef4b61fe6d33d2a5dcf100a9b9440de341ad62)
Conflicts:
vmstate.c
*removed dependency on b6fcfa59 (Move VMState code to vmstate.c)
Signed-off-by: Michael Roth <address@hidden>
---
savevm.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/savevm.c b/savevm.c
index 40054cf..b436732 100644
--- a/savevm.c
+++ b/savevm.c
@@ -1111,8 +1111,9 @@ const VMStateInfo vmstate_info_int32_equal = {
.put = put_int32,
};
-/* 32 bit int. Check that the received value is less than or equal to
- the one in the field */
+/* 32 bit int. Check that the received value is non-negative
+ * and less than or equal to the one in the field.
+ */
static int get_int32_le(QEMUFile *f, void *pv, size_t size)
{
@@ -1120,7 +1121,7 @@ static int get_int32_le(QEMUFile *f, void *pv, size_t
size)
int32_t loaded;
qemu_get_sbe32s(f, &loaded);
- if (loaded <= *cur) {
+ if (loaded >= 0 && loaded <= *cur) {
*cur = loaded;
return 0;
}
--
1.9.1
- [Qemu-stable] [PATCH 032/156] vmstate: reduce code duplication, (continued)
- [Qemu-stable] [PATCH 032/156] vmstate: reduce code duplication, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 037/156] virtio-net: out-of-bounds buffer write on load, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 038/156] virtio: out-of-bounds buffer write on invalid state load, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 034/156] vmstate: add VMSTATE_VALIDATE, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 040/156] hpet: fix buffer overrun on invalid state load, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 048/156] pxa2xx: avoid buffer overrun on incoming migration, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 036/156] virtio-net: out-of-bounds buffer write on invalid state load, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 041/156] hw/pci/pcie_aer.c: fix buffer overruns on invalid state load, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 045/156] virtio: avoid buffer overrun on incoming migration, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 046/156] openpic: avoid buffer overrun on incoming migration, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 044/156] vmstate: fix buffer overflow in target-arm/machine.c,
Michael Roth <=
- [Qemu-stable] [PATCH 043/156] Fix vmstate_info_int32_le comparison/assign, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 054/156] vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 056/156] savevm: Ignore minimum_version_id_old if there is no load_state_old, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 055/156] usb: sanity check setup_index+setup_len in post_load, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 059/156] target-i386: fix set of registers zeroed on reset, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 060/156] target-arm: Make vbar_write 64bit friendly on 32bit hosts, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 064/156] spapr_pci: Fix number of returned vectors in ibm, change-msi, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 065/156] pci-assign: limit # of msix vectors, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 062/156] linux-user/elfload.c: Update ARM HWCAP bits, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 063/156] linux-user/elfload.c: Fix A64 code which was incorrectly acting like A32, Michael Roth, 2014/07/08