[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH v4 13/30] stellaris_enet: avoid buffer overrun on in
From: |
Michael S. Tsirkin |
Subject: |
[Qemu-devel] [PATCH v4 13/30] stellaris_enet: avoid buffer overrun on incoming migration |
Date: |
Mon, 31 Mar 2014 17:16:49 +0300 |
CVE-2013-4532
s->next_packet is read from wire as an index into s->rx[]. If
s->next_packet exceeds the length of s->rx[], the buffer can be
subsequently overrun with arbitrary data from the wire.
Fix this by failing migration if s->next_packet we read from
the wire exceeds this.
Similarly, validate rx_fifo against sizeof(s->rx[].data).
Finally, constrain rx len to a sensibly small positive
value, to avoid integer overruns when data model
later uses this value.
Reported-by: Michael Roth <address@hidden>
Reported-by: Peter Maydell <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
---
hw/net/stellaris_enet.c | 24 ++++++++++++++++++++----
1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c
index d04e6a4..182fd3e 100644
--- a/hw/net/stellaris_enet.c
+++ b/hw/net/stellaris_enet.c
@@ -358,7 +358,7 @@ static void stellaris_enet_save(QEMUFile *f, void *opaque)
static int stellaris_enet_load(QEMUFile *f, void *opaque, int version_id)
{
stellaris_enet_state *s = (stellaris_enet_state *)opaque;
- int i;
+ int i, v;
if (version_id != 1)
return -EINVAL;
@@ -381,9 +381,25 @@ static int stellaris_enet_load(QEMUFile *f, void *opaque,
int version_id)
qemu_get_buffer(f, s->rx[i].data, sizeof(s->rx[i].data));
}
- s->next_packet = qemu_get_be32(f);
- s->rx_fifo = s->rx[s->next_packet].data + qemu_get_be32(f);
- s->rx_fifo_len = qemu_get_be32(f);
+ v = qemu_get_be32(f);
+ if (v < 0 || v >= ARRAY_SIZE(s->rx)) {
+ return -EINVAL;
+ }
+ s->next_packet = v;
+ v = qemu_get_be32(f);
+ if (v < 0 || v >= sizeof(s->rx[i].data)) {
+ return -EINVAL;
+ }
+ s->rx_fifo = s->rx[s->next_packet].data + v;
+ v = qemu_get_be32(f);
+ /* Set limit low enough to avoid integer overflow when
+ * we do math on len later, but high enough to avoid
+ * truncating any packets.
+ */
+ if (v < 0 || v >= 0x100000) {
+ return -EINVAL;
+ }
+ s->rx_fifo_len = v;
return 0;
}
--
MST
- Re: [Qemu-devel] [PATCH v4 04/30] virtio-net: fix buffer overflow on invalid state load, (continued)
- [Qemu-devel] [PATCH v4 05/30] virtio-net: out-of-bounds buffer write on load, Michael S. Tsirkin, 2014/03/31
- [Qemu-devel] [PATCH v4 06/30] virtio-net: out-of-bounds buffer write on invalid state load, Michael S. Tsirkin, 2014/03/31
- [Qemu-devel] [PATCH v4 07/30] virtio: out-of-bounds buffer write on invalid state load, Michael S. Tsirkin, 2014/03/31
- [Qemu-devel] [PATCH v4 09/30] hpet: fix buffer overrun on invalid state load, Michael S. Tsirkin, 2014/03/31
- [Qemu-devel] [PATCH v4 11/30] pl022: fix buffer overun on invalid state load, Michael S. Tsirkin, 2014/03/31
- [Qemu-devel] [PATCH v4 10/30] hw/pci/pcie_aer.c: fix buffer overruns on invalid state load, Michael S. Tsirkin, 2014/03/31
- [Qemu-devel] [PATCH v4 12/30] vmstate: fix buffer overflow in target-arm/machine.c, Michael S. Tsirkin, 2014/03/31
- [Qemu-devel] [PATCH v4 13/30] stellaris_enet: avoid buffer overrun on incoming migration,
Michael S. Tsirkin <=
- [Qemu-devel] [PATCH v4 14/30] stellaris_enet: avoid buffer overrun on incoming migration (part 2), Michael S. Tsirkin, 2014/03/31
- [Qemu-devel] [PATCH v4 15/30] stellaris_enet: avoid buffer orerrun on incoming migration (part 3), Michael S. Tsirkin, 2014/03/31
- [Qemu-devel] [PATCH v4 16/30] virtio: avoid buffer overrun on incoming migration, Michael S. Tsirkin, 2014/03/31
- [Qemu-devel] [PATCH v4 17/30] openpic: avoid buffer overrun on incoming migration, Michael S. Tsirkin, 2014/03/31
- [Qemu-devel] [PATCH v4 18/30] virtio: validate num_sg when mapping, Michael S. Tsirkin, 2014/03/31