Re: [Qemu-stable] [Qemu-devel] [PATCH v4 12/30] vmstate: fix buffer over

qemu-stable

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-stable] [Qemu-devel] [PATCH v4 12/30] vmstate: fix buffer over

From:	Peter Maydell
Subject:	Re: [Qemu-stable] [Qemu-devel] [PATCH v4 12/30] vmstate: fix buffer overflow in target-arm/machine.c
Date:	Mon, 31 Mar 2014 16:40:41 +0100

On 31 March 2014 15:16, Michael S. Tsirkin <address@hidden> wrote:
> CVE-2013-4531
>
> cpreg_vmstate_indexes is a VARRAY_INT32. A negative value for
> cpreg_vmstate_array_len will cause a buffer overflow.
>
> VMSTATE_INT32_LE was supposed to protect against this
> but doesn't because it doesn't validate that input is
> non-negative.
>
> Fix this macro to valide the value appropriately.
>
> The only other user of VMSTATE_INT32_LE doesn't
> ever use negative numbers so it doesn't care.

This fixes the bug, but it's rather unintuitive semantics
for an INT32_LE not to simply do a signed comparison...
Maybe rename the macro?

thanks
-- PMM

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-stable] [PATCH v4 03/30] vmstate: add VMSTATE_VALIDATE, (continued)
- [Qemu-stable] [PATCH v4 03/30] vmstate: add VMSTATE_VALIDATE, Michael S. Tsirkin, 2014/03/31
- [Qemu-stable] [PATCH v4 04/30] virtio-net: fix buffer overflow on invalid state load, Michael S. Tsirkin, 2014/03/31
  - Re: [Qemu-stable] [Qemu-devel] [PATCH v4 04/30] virtio-net: fix buffer overflow on invalid state load, Laszlo Ersek, 2014/03/31
    - Re: [Qemu-stable] [Qemu-devel] [PATCH v4 04/30] virtio-net: fix buffer overflow on invalid state load, Michael S. Tsirkin, 2014/03/31
- [Qemu-stable] [PATCH v4 05/30] virtio-net: out-of-bounds buffer write on load, Michael S. Tsirkin, 2014/03/31
- [Qemu-stable] [PATCH v4 06/30] virtio-net: out-of-bounds buffer write on invalid state load, Michael S. Tsirkin, 2014/03/31
- [Qemu-stable] [PATCH v4 07/30] virtio: out-of-bounds buffer write on invalid state load, Michael S. Tsirkin, 2014/03/31
- [Qemu-stable] [PATCH v4 09/30] hpet: fix buffer overrun on invalid state load, Michael S. Tsirkin, 2014/03/31
- [Qemu-stable] [PATCH v4 10/30] hw/pci/pcie_aer.c: fix buffer overruns on invalid state load, Michael S. Tsirkin, 2014/03/31
- [Qemu-stable] [PATCH v4 12/30] vmstate: fix buffer overflow in target-arm/machine.c, Michael S. Tsirkin, 2014/03/31
  - Re: [Qemu-stable] [Qemu-devel] [PATCH v4 12/30] vmstate: fix buffer overflow in target-arm/machine.c, Peter Maydell <=
- [Qemu-stable] [PATCH v4 13/30] stellaris_enet: avoid buffer overrun on incoming migration, Michael S. Tsirkin, 2014/03/31
  - Re: [Qemu-stable] [PATCH v4 13/30] stellaris_enet: avoid buffer overrun on incoming migration, Dr. David Alan Gilbert, 2014/03/31
    - Re: [Qemu-stable] [PATCH v4 13/30] stellaris_enet: avoid buffer overrun on incoming migration, Michael S. Tsirkin, 2014/03/31
    - Re: [Qemu-stable] [PATCH v4 13/30] stellaris_enet: avoid buffer overrun on incoming migration, Peter Maydell, 2014/03/31
- [Qemu-stable] [PATCH v4 14/30] stellaris_enet: avoid buffer overrun on incoming migration (part 2), Michael S. Tsirkin, 2014/03/31
- [Qemu-stable] [PATCH v4 15/30] stellaris_enet: avoid buffer orerrun on incoming migration (part 3), Michael S. Tsirkin, 2014/03/31
- [Qemu-stable] [PATCH v4 16/30] virtio: avoid buffer overrun on incoming migration, Michael S. Tsirkin, 2014/03/31
  - Re: [Qemu-stable] [Qemu-devel] [PATCH v4 16/30] virtio: avoid buffer overrun on incoming migration, Peter Maydell, 2014/03/31
- [Qemu-stable] [PATCH v4 17/30] openpic: avoid buffer overrun on incoming migration, Michael S. Tsirkin, 2014/03/31
  - Re: [Qemu-stable] [Qemu-devel] [PATCH v4 17/30] openpic: avoid buffer overrun on incoming migration, Peter Maydell, 2014/03/31

Prev by Date: Re: [Qemu-stable] [PATCH v4 22/30] tsc210x: fix buffer overrun on invalid state load
Next by Date: Re: [Qemu-stable] [Qemu-devel] [PATCH v4 20/30] ssi-sd: fix buffer overrun on invalid state load
Previous by thread: [Qemu-stable] [PATCH v4 12/30] vmstate: fix buffer overflow in target-arm/machine.c
Next by thread: [Qemu-stable] [PATCH v4 13/30] stellaris_enet: avoid buffer overrun on incoming migration
Index(es):
- Date
- Thread